While an individual has had the right to access data held about them for many years, the development of digital technology has led to a massive expansion in the nature and quantity of data processed making responding to such requests more complex,time-consuming and costly. This guide provides an outline of what to consider when dealing with DSARs from employees in particular – but remember that all living individuals have this right. What should I do if I receive a DSAR? Employers have a duty to facilitate the exercise of a DSAR, to handle the request fairly and transparently and to provide the information in a concise, transparent, intelligible and easily accessible form, using clear and plain language. It is important to note that requests can be made orally or in writing (including by email or any other electronic means such as social media) and without a particular prescribed form. It might be a good idea to set out a preferred method of contact to reduce the risk of overlooking requests although you cannot make the use of such a method mandatory.
Requests must be handled with undue delay and, in any case, within one month of the receipt of the request. ICO guidance states that this period starts the day you receive the request until the corresponding calendar date in the next month, unless that day is a bank holiday or weekend, in which case it ends on the next working day. If there is no corresponding date (i.e. the next month is shorter) then the deadline is the last day of the following month.
You may request up to a two- month extension if the request is particularly complex but you must respond to the employee within one month of the request to acknowledge receipt of the request, explain that you are extending the response period and provide your reasons for not being able to provide the data within the initial month.
If you are not the data controller then you do not have to comply with a DSAR. For example occupational health records may be held by the OH provider which is a controller in its own right. However, you do still need to respond to the employee/requester to explain this to them. You must provide them with written reasons as to why you cannot provide the data within one month of the request and inform them of their option to complain to the Information Commissioner’s Office (“ICO”).
It is possible to refuse a request if you believe the request is “manifestly unfounded or excessive”. If you refuse the request then you must write to the employee/requester as soon as possible but in any event within one month providing your reasons and informing them of their option to complain to the ICO.
Be cautious with this approach – the ICO will scrutinise such decisions closely and if they do not agree with your refusal you could be in breach of the GDPR.
If you are not the data controller then you do not have to comply with a DSAR. For example occupational health records may be held by the OH provider which is a controller in its own right. However, you do still need to respond to the employee/requester to explain this to them. You must provide them with written reasons as to why you cannot provide the data within one month of the request and inform them of their option to complain to the Information Commissioner’s Office (“ICO”).
It is possible to refuse a request if you believe the request is “manifestly unfounded or excessive”. If you refuse the request then you must write to the employee/requester as soon as possible but in any event within one month providing your reasons and informing them of their option to complain to the ICO.
Be cautious with this approach – the ICO will scrutinise such decisions closely and if they do not agree with your refusal you could be in breach of the GDPR.
Emails are the usual starting point. Be sure to search a number of inboxes using various searches to make sure you’ve covered the possible options.
Once you’ve identified a pool of emails that contain the personal data, search again if you’re looking for more specific data. Consider other sources of data such as back-up drives or archives. Note also that personal data held by data processors for you is also in scope.
Consider what information needs redacting or needs to be disclosed. Is it personal data which relates to other individuals but does not relate to the employee? Is it personal data which is information about the employee but also contains personal data about another individual? For example, if it is an email from one individual to another commenting on the poor performance of the employee then that email will be deemed to contain personal data about the employee but also about the person making the comments.
If there is more than one individual’s personal data involved then ideally you should seek consent from the other individual to disclose that information. You are not obliged to seek consent of the other individual if it is reasonable to disclose the information without the consent of the other individual. If consent is granted, you must disclose the information.
If you do not have consent of the other individual, and you do not believe it is reasonable to act without consent, then consider if you can redact the information. Remember:
There is no obligation to disclose personal data under a DSAR where the request relates to:
This is a non-exhaustive list and others include (for example) criminal investigations and judicial proceedings. ICO guidance is available on all exemptions here. Any data that falls under one or more of these exemptions can be redacted or removed. You should keep a clear record of why each redaction was made, and be prepared to justify it if challenged.
Article 15 of the GDPR provides that responses to DSARs must:
This information is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances. © Shoosmiths LLP 2024.