New guidance sheds light on an employer's approach to DSARs
In May 2023, the Information Commissioner's Office ("ICO"), the UK Data Protection Authority, issued updated guidance in the form of a Q&A for employers on workers' Data Subject Access Requests ("DSARs"). The ICO uses the term 'worker', which is not defined in the guidance. However, the ICO's Employment Practices Code states it includes employees, contractors, temporary and agency staff (current and former) as well as applicants and former applicants (successful and unsuccessful).
Data protection legislation gives individuals the right to request a copy of their personal data from organisations processing their information. The right is intended to enable data subjects to review how and why their personal data is being used. Though this right is given fundamental importance in data protection legislation, it can present organisations with significant challenges. DSARs can be time-consuming and expensive, and businesses must take care to ensure their handling of DSARs is compliant with data protection legislation.
The ICO reported in its press release that it received 15,848 complaints relating to DSARs between April 2022 and March 2023. More recently, DSARs have also been the subject of enforcement action. In September 2022, the ICO issued reprimands against seven organisations that failed to respond to DSARs. For example, in May 2023, Norfolk County Council was reprimanded by the ICO, which found that the council had responded on time to only 51% of DSARs submitted to it between April 2021 and April 2022. This shows the importance placed on upholding data subject rights, and the ICO's growing scrutiny over DSARs.
The right of access frequently presents itself in an employment context. Workers can exercise their right of access against their employers or former employers and request any personal data held by the employer, such as attendance details, sickness records or personal development and other HR records. We are increasingly seeing the tactical use of DSARs in the course of employment disputes – presenting employers with the administrative challenge of balancing two limbs of a related issue.
The new guidance
The ICO's new guidance provides useful clarity on several key issues, including the following:
- A data subject's right to obtain a copy of their personal data cannot be overridden by a settlement or non-disclosure agreement. If any settlement agreement attempts to waive an employee's right of access, it is likely that this element of the agreement will be unenforceable.
- The content of emails that an employee is merely copied into may in some circumstances be disclosable in a DSAR, if the content relates to the employee. The ICO provides the example of where an employee is copied into an email (along with other workers) that contains a league table of the best performing team members. In this context, the content relates to the employee and therefore counts as their personal data, so the data should be disclosed. However, the names of other workers should be redacted.
- Data subjects are only entitled to personal data relating to them, but this may well be contained in emails that also discuss business matters. An exercise must be carried out to determine whether some or all of the data within those emails must be disclosed in order to comply with the DSAR. If an email contains the subject's personal data alongside third-party data or information covered by legal privilege, a process of redaction should be carried out so that only the relevant data is disclosed.
- Searches must also be carried out across social media channels if an employer uses such channels for business purposes, as in this context the employer will be a controller of the information processed on those pages. The ICO explicitly states that this includes Facebook, WhatsApp, Twitter and any chat channels such as Microsoft Teams (if used for business purposes).
- Emails sent by an employee using their personal email address whilst using their employer's devices, such as work laptops and phones, is most likely to constitute data for purely personal or household use only. In this context the employer would not be the controller, in turn alleviating the requirement to share such data as part of a DSAR.
- As mentioned above, DSARs are often used tactically by workers (or former workers) in the course of a grievance process. Though data subjects may use a DSAR to gather evidence for an ongoing grievance or tribunal process, this does not provide employers with grounds to refuse to comply with the DSAR.
- In some contexts, organisations can withhold some or all of the information requested in a DSAR. Organisations are also able to refuse to comply with a DSAR altogether if it is 'manifestly unfounded' or 'manifestly excessive'. A DSAR may be 'manifestly unfounded' if the data subject clearly has no intention to exercise their right of access or if the request is malicious in intent. Malicious intent can be inferred from the subject making unsubstantiated accusations against the organisation or targeting specific workers against whom the subject has a personal grudge. The ICO provides some examples of when a DSAR may be manifestly unfounded, such as if a former worker upon redundancy submits a DSAR but offers to withdraw the request if the former employer agrees to an improved financial package.
What steps should employers take now?
Employers should consider taking the following steps in light of the new ICO guidance.
- Review their data protection policies that cover DSARs (including privacy notices and staff handbooks) to assess whether they are in alignment with the new guidance. If there are any discrepancies, the policies should be updated accordingly.
- Ensure there is a robust IT and communications policy in place which covers acceptable use of the IT systems and work devices, clearly setting out what workers can and cannot do on work devices, such as not using personal email addresses to liaise with colleagues on business matters.
- Organise DSAR compliance training to the relevant personnel who will be dealing with DSARs to ensure that they are fully aware of, and have the knowledge to effectively implement, the new guidance.
- Consider whether they have sufficient resources to handle DSARs, including whether an expansion of the DSAR team is required or whether they need to obtain third party assistance and expertise. This can be done by assessing the volume of DSARs their organisation receives.
- Take stock of their organisation's technology capabilities for handling DSARs and update these if required, for example reviewing the effectiveness of redaction tools and, if necessary, procuring external assistance.
For more information, you can access the ICO's full, updated guidance here.
For any questions on any of the issues covered in this alert please contact Katie Hewson - partner and head of data protection, Paul Reeves - partner and head of employment or your usual Stephenson Harwood contact.