An Employer’s View: Subject Access Requests and How to Respond to Them.
- sara6866
- Feb 9, 2023
- 5 min read

Since the GDPR came into force in 2018 (now retained in UK law as the UK GDPR), we have all become increasingly "data aware" - by choice or otherwise! This increased awareness has had a huge impact on businesses as they grapple with how best to comply with their obligations.
One effect of this has been a significant increase in subject access requests (SARs). These are requests that allow individuals to ask businesses and other organisations for a copy of all the personal information that is held about them.
This has enabled employees - and their lawyers - to request large quantities of information from employers, who then face a very tight statutory deadline within which to search for, redact and disclose that information.
Responding to such requests can be hugely time-consuming and often tricky to manage. And in the employment context, at least, such requests are often more about wanting to disrupt or delay a process or used as a tactic to negotiate a better settlement than might otherwise be the case.
Many employers feel ill-equipped to deal with SARs and often seek external expertise with their response, the costs of which can be significant.
The Government has promised a new Data Protection and Digital Information Bill to provide exemptions and restrictions in relation to SARs, but it seems likely that this won’t have a significant impact on an employer’s duty to respond … at least not any time soon!
So, how can you, as an employer, ensure you handle any SARs in the right way while keeping costs down?
We have outlined SIX helpful tips below to guide you through:
1) Don't delay and keep employees informed
You are ordinarily required to deal with a SAR without 'undue delay' and, at the latest, within one month of receiving it.
This time limit can be extended by a further two months, but the Information Commissioner's Office (ICO) indicates that this is only permitted where the request is complex, or where you have received a number of requests from the same employee.
If you intend to extend the time limit, you must tell the employee within the first month and explain why the extension is necessary.
Generally, employees are less likely to complain if you handle their requests well. So, if you can't meet the deadline, let them know and explain why the extension is necessary.
2) Be clear about what an employee is looking for and, if necessary, ask for clarification.

Where you process a large amount of information about your employees, you can ask the employee to clarify which information (or which processing activities) their request relates to before you respond.
Employees often request a copy of all the personal information you hold about them when actually they only really want information relating to a specific incident. You can, therefore, explore with them whether their request can be limited to:
a specific timeframe;
specific keywords, or
specific colleagues or managers whose communications are relevant.
This will enable you to avoid an excessive workload or disclosing information unnecessarily when responding. You cannot, however, force them to narrow the scope of their request.
Asking for clarification also has the benefit of 'stopping the clock': the one-month time limit is paused until you receive a response. Note, however, that the ICO expects you to do this only where clarification is genuinely needed to respond, not as a way of buying time, and you should still supply any information that is clearly within scope regardless of the answer.
3) Decide whether you need to disclose information.
You can only refuse to provide the information if an exemption applies, or if the request is manifestly unfounded or excessive.
There are numerous exemptions which may apply to an employer's duty to provide a copy of the information sought. The key ones include:
where personal data is processed for crime and taxation-related purposes;
where data is subject to legal professional privilege;
where data is processed for management forecasting or planning purposes and complying with the request would be likely to prejudice the conduct of the business;
where personal data is a record of your intentions in negotiations with the employee and complying with the request would be likely to prejudice those negotiations;
references given or received in confidence; and
where personal data identifies, or contains personal information about, a third party.
You will want to ensure that you properly consider whether any of these exemptions apply.
In practice, the last exemption is likely to cause the most headache. Unless the third party consents, you must decide whether it is reasonable in all the circumstances to disclose the data without their consent, and that decision has to be made on a case-by-case basis. Where disclosure is not reasonable, the usual approach is to redact the third-party information rather than withhold the whole document.
You must also consider each request individually when deciding whether a request is manifestly unfounded or excessive; you should not have a blanket policy. And you will need to have strong justifications for why you consider it to be so, which can be clearly demonstrated to the employee.
4) Decide how to supply information.
It is the employer's responsibility to 'provide' the information to the employee (or their lawyer). If the employee submitted the SAR electronically (e.g. by email or via social media), you must provide a copy in a commonly used electronic format. If they submitted it by other means, you can ordinarily provide a copy in any commonly used format (electronic or otherwise).
Although the easiest way to provide the relevant information is often to supply copies of original documents, you are by no means obliged to do so.
By way of alternative, the ICO Guidance indicates that you can provide the information in the form of transcripts of the relevant documents (or of the sections of documents that contain the personal data), or by providing a print-out of the relevant information from your computer systems. The advantage of this approach is that you disclose only the employee's personal data rather than entire documents, which reduces the redaction burden and the risk of over-disclosing third-party or privileged material. Whatever form you choose, the information must still be provided in a concise, transparent and intelligible way; a response that strips out so much context that the employee cannot understand it is likely to prompt a complaint to the ICO rather than prevent one.
5) Make your staff aware and update policies
Responding to SARs is easier when everything is stored on work systems and devices that you control and can search. Work-related messages on private devices and private messaging tools, such as WhatsApp, may still fall within the scope of a SAR, but they are far harder to locate, review and redact, and are a frequent source of dispute; their use for work should therefore be avoided.
Make sure, therefore, that your policies and procedures are updated and make it clear that only specific channels are authorised for work-related communications, and that your HR Teams and Managers understand the risks.
And educate your staff so they understand that anyone can become entangled in a SAR, so professional conduct online is crucial.
6) Ensure good data hygiene
One of the key principles of the GDPR (storage limitation) is that personal data should only be kept for as long as it is needed. You should, therefore, periodically review the data you hold, and erase or anonymise it when you no longer need it.
This is good data hygiene, which can work to your advantage as the longer the information is retained, the more material you have to potentially wade through.
Centrally stored and searchable databases will also allow you to more easily identify what needs to be kept and what should be deleted or anonymised.
Don't be tempted, however, to delete data that is relevant to a SAR you have already received. Under section 173 of the Data Protection Act 2018 it is a criminal offence to alter, deface, block, erase, destroy or conceal information with the intention of preventing its disclosure in response to a request.
If you would like any further advice or wish to discuss legal support for a subject access request, contact Sara Mayhew at sara@sara-mayhew.co.uk