The number of employees asking for a copy of the personal data the company holds about them, known as a data subject access request (DSAR), is increasing.
Responding to this right under the General Data Protection Regulation (GDPR) can be time consuming, and if the company doesn’t respond fully it can face a fine, an undertaking or a compensation claim.
In the latest episode of our employment law podcast, Employment Law Focus, we discuss how the GDPR is affecting HR teams and share some top tips on how to respond.
1. The GDPR says a request can be refused if it is “manifestly unfounded or excessive”. Generally speaking, you should focus on the request, not the individual, so even if the employee is known to be particularly vexatious, that shouldn’t determine whether the request is complied with or not.
2. Extensions should not be used as a first resort or as a rule, and the assessment should be made on a case-by-case basis. It is best practice to do this as early as possible, rather than contacting the individual when the one-month deadline is nearly up.
3. A common reason for delays is that the DSAR doesn’t reach the right people in time. The clock starts running whenever anyone in the business receives a DSAR, and they can be made in any format, including verbally or even by social media.
4. Never assume that a DSAR will be withdrawn, for example as part of ongoing settlement discussions. It’s better to invest the time and money in preparing a response than to be on the receiving end of a claim.
5. If an employee asks for everything, it’s acceptable to go back and ask them if there are particular documents they are interested in or systems they want you to search. Avoid using words like “narrowing” the search or any indication that you’re trying to force them to limit their request.
6. Think carefully about what systems to search. This should include the right files and people, but won’t necessarily include the employee’s own mailbox or email address, as searching them might not be reasonable or proportionate.
7. While you should take any suggested search terms by the employee into account, you don’t have to use them if they are too broad.
8. IT policies can be very important, for example by making it clear to all employees that any data held on company devices belongs to or is controlled by the company, and that devices can be searched at any time.
9. Culture is also important. Employers should make employees aware of subject access so that they think carefully about what they put in writing.
10. Finally, technology can help to reduce the number of DSARs and speed up the process. At TLT, we use various platforms that can do sophisticated searches and analytics to automatically remove duplicates. Technology can also be used to make redactions, which can be far more secure than using a marker pen.
The Information Commissioner’s Office is currently consulting on draft guidance on DSARs. The consultation is open until 12 February 2020 and is a good opportunity to make your voice heard and have a say in what this includes.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at December 2019. Specific advice should be sought for specific cases. For more information see our terms and conditions.