Gannons Solicitors

Data Subject Access Requests


Last Updated: August 14th, 2025


Risks for employers

Under UK GDPR, Employees can request copies of documents which include their personal information, together with an explanation as to the purpose for which that data was held or processed. Once an Employee makes a DSAR, the Employer is legally required to comply with the request, and has a 30-day period to do so.

As an Employer, responding to a DSAR can put a huge strain on your workforce, as vast amounts of data must be sifted through to meet the request, which can be an onerous and frustrating task. It might be tempting to simply provide everything that might be caught by a DSAR to the employee, shifting the burden of reviewing the material to the data subject who requested it.

However, this approach has serious pitfalls – the last thing you want to do is provide a disgruntled employee with ammunition unnecessarily. The steps to be taken by an Employer in order to observe the request and avoid retribution by a tribunal or court are: to confirm and authorise the identity of the person requesting the information, review the related data, and deliver the information in a digestible format to the requestor. In a large or long-running company, this task can cause internal staffing issues, strain on resources and overall aggravation for the Employer.

How a DSAR can result in a claim

Despite admin issues, there are bigger concerns an Employer should have after a DSAR has been ordered. Employees who are pursuing grievances, attending disciplinary hearings or are aggrieved all have the right under law to make a DSAR, and the Employer must comply.

Often these DSARs are used as a “fishing expedition” ahead of potential discrimination claims. This information and data can become the basis of a claim against the Employer themselves, the one providing the data and putting in all the work.

Common Mistakes Employers Make

  • Delayed Responses - failure to respond within the statutory deadline (usually one month) can result in fines.
  • Incomplete or Inaccurate Information - providing insufficient or incorrect data can also lead to penalties.
  • Excessive Fees - charging excessive or unjustified fees for processing DSARs is prohibited.
  • Failure to Consider Exemptions - not applying relevant exemptions correctly can result in unnecessary disclosure.

Practical DSAR tips and tactics for employers

  • Have a Clear DSAR Policy - develop a comprehensive policy outlining the procedures for handling DSARs, including response times, fees, and exemptions.
  • Train Staff - ensure that relevant staff members are trained on data protection laws and how to handle DSARs effectively. This should include the importance of not deleting data, how to search, and how to redact any personal data belonging to individuals other than the data subject. Use appropriate techniques to effectively remove sensitive information.
  • Document the Process - maintain a record of all DSARs received, the actions taken, and the reasons for any denials of requests. Record the actions taken to respond to the DSAR, including the search terms used, exemptions applied, and redactions made. Keep copies of the DSAR, the response, and any supporting documentation and be prepared to explain your decisions.
  • Identify exemptions and apply them correctly - familiarise yourself with the exemptions under the GDPR and DPA. If unsure about the applicability of an exemption, consult with a legal professional. Ensure that any exemptions claimed are justified and documented.
  • Communicate Effectively - respond to DSARs promptly and clearly, providing the requested information in a comprehensible format.

DSARs and Grievance/Disciplinary Processes

If an employee raises a grievance or disciplinary matter and simultaneously submits a DSAR, employers must handle both processes carefully.

  • Separate Processes - keep the grievance or disciplinary process separate from the DSAR to avoid bias.
  • Timely Response - ensure that the DSAR is responded to within the ICO’s prescribed deadlines, regardless of the grievance or disciplinary proceedings.
  • Avoid Retaliation - refrain from retaliating against an employee for exercising their right to submit a DSAR.

DSARs and Discrimination Claims

If an employee is investigating a potential discrimination claim and submits a DSAR, employers should proceed with caution.

  • Relevance - assess whether the requested data is relevant to the discrimination claim.
  • Privilege - consider whether any of the requested information is subject to legal privilege.
  • Redaction - if necessary, redact sensitive or irrelevant information from the response.

Refusing employee DSARs

Employers can refuse to comply with a DSAR in limited circumstances, such as:

  • Manifestly Unfounded Requests - if the request is clearly excessive or repetitive. Examples include repeated requests for the same information within a short period and/or requests for information that are irrelevant or disproportionate and/or requests that are clearly vexatious or harassing. If an employer believes that a DSAR is manifestly unfounded, they can refuse to comply, but they must provide a clear explanation for their decision and inform the data subject of their right to complain to the ICO.
  • Exemptions - if the requested information is subject to a recognized exemption under data protection law.

Seeking Clarification from the Employee

If a DSAR is unclear or ambiguous, employers can request further clarification from the data subject to ensure that they can provide a complete and accurate response. However, employers must provide a clear explanation for any refusal and inform the data subject of their right to complain to the Information Commissioner's Office (ICO).

Legal help for employers

If your company has a DSAR ordered and you are unsure of how to handle it, do not hesitate to contact our firm. We will be more than happy to assist and have specialist lawyers on hand to create bespoke settlement agreements for any case. Please do call us on 020 7438 1060.

 

 


 


Brian Miller

Solicitor specialising in commercial contracts with a focus on intellectual property and GDPR
