In our latest episode we look at the profound impact that GDPR has had on HR teams.
One of the biggest challenges has been an increase in the number of requests from employees for a copy of the personal data the company holds about them.
This often happens as part of threatened litigation, and can be an overwhelming task.
In this episode, we take an in-depth look at:
Siobhan Fitzgerald (employment partner) and Emma Erskine-Fox (data privacy and protection associate) share their thoughts and experiences on how to make the right judgement call and how to avoid a fine, compensation or another penalty.
In our news round-up we cover:
Siobhan: Hello and welcome to another episode of Employment Law Focus. I'm Siobhan Fitzgerald, a partner in TLT’s national employment team, and I'm delighted to be joined today by Emma Erskine-Fox who's an associate in our data protection and privacy team.
Emma's joining me today because we're going to be talking about one of the biggest business topics of our time, the General Data Protection Regulation or GDPR, you all know that term well. It came into effect in May 2018 and continues to this day to have a really big day-to-day impact on HR teams.
Now Emma, it's just over 18 months since the GDPR came into force, but it feels like it's been quite a long time.
Emma: Yes, it definitely does.
Siobhan: And to the point that people have started to talk about something which is called “GDPR fatigue”. Now some of our listeners may identify with that I suspect. Can you explain exactly what that means?
Emma: Yes, for sure. So there's this feeling that the GDPR has been talked about for so long now and so much that people are really keen to move onto the next issue. We're hearing from lots of clients who are finding it hard to keep employees engaged in GDPR issues when there's been so much hype about it for such a long time. It's a complex area that's really hard work for people to understand, but it's so important that businesses maintain high levels of internal awareness so that they can stay GDPR compliant.
Siobhan: Yes, absolutely and that's an ongoing battle for HR teams as you and I see from the queries that our two teams work on together. In this episode we're going to talk about the areas that HR teams find most challenging including data subject access requests, and how issues like culture and IT practices can interact with the GDPR to make it even harder for HR to deal with.
Emma: Yes. And we're going to be answering some of the burning questions that we get from our clients, like: why is the volume of DSARs increasing? And can you do anything about it? Can you refuse a request if you believe it was made just because the employee has a vendetta against the business? Do you really have to search for everything you hold about an employee? And do WhatsApp messages have to be provided in response to a DSAR?
Siobhan: Yes, some really interesting issues in there. And before wrapping up we'll also discuss some common questions that come up in the HR context, like: can you still take photos of people at work events? – which is something that we get asked a lot. And how long do you need to keep HR records for before you have to destroy them?
Before we continue, I'd just like to highlight a couple of employment law news stories that have caught my eye recently. And first off is employee wellbeing. Allowing employees to work from home is often cited as a positive wellbeing initiative, which in many cases it is. However, a recent report from Nuffield Health has found that whilst home working has proven benefits for both wellbeing and productivity, you can have too much of a good thing. So Emma, a question for you.
Siobhan: Just out of interest, what do you think is the maximum amount of time that this report suggests an employee should be allowed to work from home?
Emma: That's a difficult one to call. I can see that it might get a bit lonely if you're working from home full time, but on the other hand, it must be really great to save commuting time and not to have to put the suit on every day, so I'm going to guess four days a week?
Siobhan: It's even less than that.
Siobhan: The Nuffield Report suggests that working from home for more than half the week can be bad for employees.
Emma: Wow, okay.
Siobhan: So a maximum of two and a half days a week working from home is recommended. That's interesting.
Emma: Wow yes.
Siobhan: More than that and there can be a deterioration in relationships between co-workers. So according to the report, this is partly because of simmering resentment of homeworkers supposedly having an easy life. I'm sure some people might disagree with that!
Emma: Yes we could debate that!
Siobhan: And partly because relationships at work might be affected by losing out on what we call the “water cooler” chat. Of course there's not going to be a one size fits all approach to remote working and no doubt there are lots of employees out there who work from home full time for more than half the week with no problems at all. But it's interesting to see what the research says and that home working is beneficial for both employers and employees, but only up to a point.
Siobhan: And just to add the legal perspective on this topic, I should flag that any limitations on home working should be included in any written home working policy and exceptions of course should be considered if there's a possibility of a discrimination claim. So for example, if home working is needed because of disability or because of caring responsibilities. And regardless of how many days per week an employee is working from home, employers should ensure that the normal safeguards are put in place such as ensuring that the employee has the right equipment and that a health and safety assessment has been done.
So the next story is actually a GDPR related case regarding a supermarket and it's one that you, Emma, will know a lot about, I know. This is a Supreme Court hearing on whether Morrisons was vicariously liable for an employee who released confidential employee data.
Emma: Yes. And this is the hearing that we've all been waiting for in the data protection world, but of course we're still waiting to hear the outcome of the case as the judgment isn't expected until the new year. The judges have basically been asked to rule on whether Morrisons is responsible for a data breach committed deliberately by a disgruntled employee. Morrisons itself hasn't actually been blamed for failing to have appropriate security measures in place or anything like that, so it's a really interesting case.
Siobhan: But, didn't he actually go to prison for this?
Emma: He did, yes. And data theft is a crime and actually he got an eight-year prison sentence for it. So it's not in dispute that this was a deliberate and malicious action by the employee that Morrisons couldn't have prevented, which is what makes it so interesting for employers.
Emma: The courts so far have held that Morrisons is vicariously liable for the employee's actions. And that's really significant because if the Supreme Court agrees with that view, the implication for employers is that even if a disgruntled employee deliberately abuses their position because they are out to get the employer as it were, then the employer could still be liable.
Siobhan: Yeah, I mean, and that's quite a surprise. I'm sure a lot of employers won't feel that that's a particularly fair outcome then.
Emma: No, absolutely. I think from an employer's point of view, it certainly feels very unfair. As I said, this judgment has been really eagerly awaited for quite some time now, so it's going to be really interesting to see what the Supreme Court thinks.
Siobhan: Now, another data protection related case. A man called Ed Bridges has alleged that South Wales Police breached his human rights by using automated facial recognition technology. I have to admit that my knowledge of it mainly comes from watching The Capture on BBC.
Emma: I've never watched it. Maybe I should!
Siobhan: Yes. But so, it must presumably be a really hot topic in data protection at the moment.
Emma: Yes, it really is. The Information Commissioner recently issued her first formal opinion under the Data Protection Act 2018 on the use of live facial recognition or what we call LFR technology by law enforcement in public places. And she made it pretty clear that she remains unconvinced and uncomfortable with the use of LFR in all but the most serious of cases, which I'm sure is a view shared by many members of the public.
Emma: Her advice included stressing the importance of implementing and keeping under review a considered and well-informed data protection impact assessment. And whilst this was an opinion focusing particularly on the public sphere, she does intend to issue a further opinion on the use of LFR by private sector organisations. So stay tuned to see how this differs and what recommendation she makes here.
Siobhan: And for our listeners, you can find a number of articles on data protection implications of facial recognition technology and CCTV if you search for those terms on our website.
So one of the biggest ways the GDPR has affected HR is the huge increase in the volume of data subject access requests or DSARs as we fondly call them. This has the potential to make life for the typical HR manager extremely difficult and we've had requests from many of our clients, asking how can we make our lives easier in this respect? So Emma, what is a DSAR and how might you get one?
Emma: So under the GDPR individuals have a right to ask companies to send them a copy of the personal data that the company holds about them. This is called the right of subject access, and a request is a DSAR as you said. The right has actually been around for a really long time, but the GDPR introduced some significant changes to the right. Most importantly, the deadline to respond to a DSAR used to be 40 days, but has now been reduced to one calendar month.
Siobhan: Does that include any allowance for flexibility for holidays? We're recording this episode just before Christmas, so I'm not sure many employers will want to spend their festive period looking at DSARs. Is there any way around this?
Emma: No, it's definitely not the best Christmas present is it? But unfortunately the deadline is calculated on a calendar basis so it can't be extended just because bank holidays fall within that time period. For things like Christmas, it's possible that the ICO, which is the data protection regulator, might have a little more sympathy with a short delay. And if there is going to be any delay, we would always advise employers to let the data subject know as soon as possible and tell them when they can expect to receive the response.
Siobhan: Yeah, absolutely. And we have definitely seen the shorter deadline causing some real problems for clients. And as I said, the volume of DSARs has really increased recently. Why do you think that is? Because this right has existed for over 20 years. Are people just catching on now?
Emma: So I think there's a combination of things that have led to this increase in volume that we're seeing. You're absolutely right that people seem to be much more aware of their data protection rights nowadays. The GDPR obviously received a lot of press attention and with all the data breaches and the headlines that we see, data protection is generally high on people's radars.
Emma: I think the other thing that's contributed to the increased volume is the fact that organisations can't charge the individual a fee to respond to a DSAR anymore.
Siobhan: I mean the context that we usually see DSARs made in is where there is some sort of threatened or actual litigation from the employee. And many of our listeners are going to be painfully aware that there's been a steep rise in employment tribunal claims because fees have been abolished, and we've seen the numbers of claims rocketing. And I wonder whether that's another reason for the increase in DSARs. Simply put, more claims, more DSARs.
Emma: Yes definitely.
Siobhan: I think it's fair to say that DSARs are sometimes used as a litigation tactic. Is that something you'd agree with?
Emma: Absolutely, yes. And we see this all the time when employees are engaged in or considering litigation against employers and they'll use a DSAR to try and get hold of information before disclosure, or because they think they will find some sort of smoking gun in inverted commas in the response that will help their case. Sometimes DSARs are even just submitted frankly, just to cause more hassle and more cost for the employer as well.
Siobhan: Yeah, absolutely. People always think they're going to find the smoking gun.
Emma: Yes. And they very rarely do.
Siobhan: Absolutely. And my understanding is that the purpose doesn't actually matter. So even if the DSAR is submitted as what we call a fishing exercise, you still as an employer have to comply.
Emma: Yeah, that's right. So we'll dig into this in a bit more detail shortly. But broadly, DSARs are what we call purpose agnostic. So even if you think that someone is just purely trying to make your life difficult, generally the DSAR will still have to be responded to.
Siobhan: And employers can be fined up to 20 million euros or 4% of turnover if they don't fully respond to a DSAR. But those are eye-watering amounts. Has the ICO ever actually issued a fine Emma?
Emma: No. So the ICO hasn't yet fined an organisation for failure to respond to a DSAR. I think “yet” is the key word. And that doesn't mean that employers should become sort of blasé about DSARs. The ICO does receive a really big volume of complaints about how DSARs are dealt with, and if it considers that there's a systemic issue, it would be perfectly within its rights to issue that sort of top tier fine. And you don't want to be the first business to face that fine.
Siobhan: No, that is very true. And is there any other action or other risks that employers should be aware of?
Emma: Yeah, definitely. So the ICO, as well as having the power to fine, has a range of other powers. For example, it can ask employers to sign undertakings that they will take certain steps to improve their processes and that maybe doesn't look great from a reputational point of view.
Emma: And as part of those undertakings, employers are often asked to submit to a further review by the ICO. The ICO is much more likely to fine a business if an undertaking is signed and the business still fails to improve.
Siobhan: And can an individual go to the court as well as making a complaint to the ICO?
Emma: Yep. There's a right to claim compensation for breach of the GDPR and that includes failure to comply with DSARs. Employees don't actually need to be able to show that they've suffered financial loss to claim compensation anymore. So non-material damage or distress or annoyance etc. may well be enough to give rise to this right.
Siobhan: So there are three areas of DSARs that we're going to look at in a little bit more detail. Firstly, your right to refuse or extend a request. Secondly, the obligation to perform a search for the individual's data and then actually responding to the DSAR.
Emma: So probably the most common question that we get asked by employers when faced with the DSAR is: can we not just refuse to respond to it completely? The answer in most circumstances is unfortunately no. What is always worth remembering is that the GDPR exists principally to protect individuals, not organisations. And as we mentioned before, it doesn't matter why a DSAR is made. The ICO treats subject access as a pretty absolute right. There are some exemptions which we'll touch on in a bit, and the GDPR does say that a request can be refused if it's manifestly unfounded or excessive.
Siobhan: Yes, and that's an interesting one. So quite a few clients have said to me “this request is clearly manifestly unfounded or excessive”. But what does that actually mean legally?
Emma: So that's the million dollar question at the moment. We don't have a lot of guidance on it and it hasn't been tested yet. So it's not 100% clear cut, but it's likely to be quite a high bar. The ICO gives some examples of what might be manifestly unfounded. For example, if it's obvious the request is being used to harass the organisation, if the request makes unsubstantiated accusations or is made in a context where the employee is clearly using it as leverage to get some sort of benefit from the employer.
Emma: So in some litigation situations where employees are being particularly vexatious and using DSARs just to harass the employer because of personal grudges, you may be able to take advantage of this. But it will always need to be considered really carefully to ensure you're comfortable that you do have a very robust reason for refusing.
Siobhan: Yeah, absolutely. What about excessive? What does that mean?
Emma: So excessive could apply if, for example, a request is simply a repeat of a previous request and is made a short time after the previous request, but you won't be able to argue that a request is excessive just because it relates to a large volume of information. We have seen some companies try to argue that if they receive requests from lots of different individuals at the same time, so for example, in the context of class action, the requests are excessive. That seems like it might be reasonable; however, that argument doesn't really work if the requests are from different people. Really it should only be if there are several requests from the same person.
And just generally when you're looking at whether a request is manifestly unfounded or excessive, it's always the request that you should focus on and not the particular individual. So even if the individual is known to be particularly vexatious, that shouldn't determine whether the request is complied with or not.
Siobhan: Yes, absolutely. Because often complicated DSARs come from an individual who might have a history of raising a lot of grievances and complaints.
Emma: Absolutely, yeah. But you always need to focus on the particular request at hand.
Siobhan: But if there's a large volume of information, can you then ask for extra time to make sure you've got enough time to get through everything?
Emma: So there is a right to extend the one month deadline by up to a further two months – so you'd have three months in total – if the additional time is necessary due to the complexity of the request or because you've received a number of requests from the same individual. However again, we don't have a lot of guidance on this at the moment and the volume of data alone is unlikely to be enough of a reason to extend that deadline.
Siobhan: Yeah. So volume alone, not enough.
Siobhan: Are there any examples of situations when the extension can be exercised that would help us to understand when it could be used?
Emma: Yeah, sure. So we've advised clients that the extension can apply, for example where the request is made in the context of complex litigation or grievance processes and responding appropriately is going to require consideration of a number of different exemptions. Or it could apply if personal data has to be pulled from lots of different systems, possibly legacy systems and it could be in different formats, which could then make reviewing the data more difficult.
Siobhan: So what if you were in a situation where the employer has decided that the extension should apply, do they then need to go to the employee to gain their consent to that?
Emma: No. So this is a bit of a misconception actually. You do have to tell the individual that you're extending the deadline and give them reasons why, but you don't need to ask if they agree. Really the extension shouldn't be used as a kind of first resort or as a rule, and that assessment should be made on a case by case basis. It's also best practice to make that assessment as early as possible rather than contacting the individual when the one month deadline is already up to tell them that you're going to be a further two months in responding.
Siobhan: Yeah, absolutely. And bearing in mind that the circumstances in which the deadline can be extended are likely to be quite limited, is there anything that employers can do to make it easier for themselves to comply with the deadline that probably does exist?
Emma: Yeah, so one of the things we see really commonly that leads to delays in responding to DSARs is simply that the DSAR doesn't make its way to the right person in time. So it comes into somebody who doesn't know what to do with it, it gets sat on for two weeks and before you know it, most of your deadline is up and it's only just really been picked up. The clock starts running whenever anyone in the business receives the DSAR, not when it goes to the right person, and they can be made in any format including verbally or even by social media.
Siobhan: So, I guess it is then really important to make sure everyone in the organisation knows what a DSAR is, how to recognise it, even if it comes in on social media. And then how to escalate it quite quickly so that the deadline can be complied with?
Emma: Yes, for sure. Another issue we've seen a bit more recently is that, where DSARs are made in the context of ongoing settlement discussions, draft settlement agreements that might be kind of going back and forth will usually provide that the data subject withdraws the DSAR.
Emma: That's fairly standard I think. So we've dealt with a matter recently where the client was convinced that the case was going to settle before that one month deadline and therefore didn't make a start on the DSAR because they thought it would be withdrawn as part of that settlement. Of course, it then didn't settle in time and the client was left having to scramble around to pull that response together with as little delay as possible.
Siobhan: Yes, absolutely. And I suppose someone could use that as a negotiation tactic against you to get you to pay them a bit more.
Emma: Yes definitely, yeah.
Siobhan: And so the advice is not to rely on the DSAR being withdrawn even if that seems like the most likely outcome.
Emma: Yes, definitely. I can really understand the frustration of sort of spending lots of time, money and energy on a DSAR that might then be withdrawn, but it's much better to do that than to be on the receiving end of the claim because you haven't done anything about the DSAR until it's too late.
Siobhan: Yeah, absolutely. When it comes to actually gathering the data, HR teams obviously have a choice about how they do this and it can be something that can be wildly time-consuming. And we really do see a lot of clients struggling with extremely wide requests for copies of personal data that can basically ask for everything under the sun. And particularly when a request is made by a very long-serving employee, this can result in really vast volumes of personal data. And if this isn't enough on its own to get an extension, is there anything else that employers can do to reduce the volume of documents that they might need to search for just to make it a bit more accessible?
Emma: Yeah sure. So I think the key here is to look at what employers are actually required to do in terms of the extent of their search. The ICO encourages constructive communication with the data subject to enable employers to focus their searches. So if an employee asks for everything, as you said, it is acceptable to go back and ask the employee if there are particular documents that they are interested in or particular systems that the employee wants you to search.
Siobhan: Yes. And when you and I have worked together before on these types of issues, you've usually advised against using words like “narrowing” the search.
Emma: Yes, I think it's always best to avoid any indication that you're trying to force the employee to limit their request. It's much more about working with the employee and saying, "Look, we want to be as helpful as possible. Please help us to help you to find what you're looking for."
Emma: So if someone makes a DSAR in the context of a redundancy process for example, it's reasonable to ask if they are just interested in information relating to that process.
Siobhan: But one of the problems we come up against is that the employee doesn't have to provide any further parameters and they are entitled to ask for everything if they want to, which they very often do unfortunately.
Emma: Yes they do.
Siobhan: And if that's the case, then the obligation on employers is to conduct a reasonable and proportionate search. Emma, can you give us a bit more insight into what this might actually entail?
Emma: Sure. Firstly, it's important to think about the systems that you're searching. We usually advise thinking about which systems are most likely to hold personal data about that particular employee, including things like which other employees’ mailboxes will contain information about the data subject. So you would always search the employee's HR file and any other HR related systems like payroll or holiday booking systems. And you'd also look at mailboxes of other employees with whom the data subject commonly engages. So their line manager, their direct reports, other close team members, any HR staff who've dealt with disciplinaries, grievances or other HR issues with that data subject before.
Siobhan: This is something that I was talking to a client about recently, and we were saying that sometimes searching the employee’s own mailbox or searching against the employee's email address might actually be too wide a search – because it will literally bring up every email the employee has ever sent, which could easily run into the hundreds of thousands. And chances are that most of these will be to customers or colleagues about work related matters and won't actually contain personal data.
Emma: Yes, definitely. So the second thing you need to think about in your reasonable and proportionate search is the date range of your searches. And often we actually advise searching back to the time when the employee first applied for a job because that's when the company will have initially collected the information about the employee. And finally you need to consider what keywords you're going to search against. The reasonable and proportionate keywords to use will very much depend on the circumstances. Sometimes searching for someone's name alone might not be proportionate if that person has a particularly common name. So taking a personal example, my unmarried name was Emma Fox, which was a very common name. I was one of three Emma Foxes just on my law course at university.
Emma: So you can see that searching for a common name, particularly in a large organisation, is going to return a lot of information that's completely irrelevant and so that search probably won't be proportionate. On the other hand, my married name, Emma Erskine-Fox is a much less common name. In fact, I'm reliably informed by a search of Facebook that I'm pretty much the only one.
Siobhan: Oh, you are unique.
Emma: I am unique! So if you've got a data subject with a more unusual name, it will be reasonable and proportionate to search for that name.
Siobhan: And what about other search terms then as well as name?
Emma: So you'd be looking for anything that uniquely identifies the particular individual. So things like employee ID, payroll number, National Insurance number, things like that. If the employee has a unique job role, say something like finance director, it's probably worth searching against that term too for the period during which the employee has been in that role.
Siobhan: And sometimes we've seen employees who make a DSAR taking a very proactive approach and trying to impose particular search terms that can be a really long list, including things like searching by first name only, by initials. So if an employee asks you to use particular keywords, do you have to use those?
Emma: Not necessarily. The fact that an employee might give you a list of search terms doesn't necessarily affect your obligation to carry out a reasonable and proportionate search. It is a good idea to at least take the request into account though. So for example, we've recently seen a request where the employee's name was very commonly misspelled, so the employee had asked for search terms that included misspellings of her name. We decided that it was reasonable to use those search terms because there was likely to be information about her that used the misspelling of her name and those searches weren't likely to reveal irrelevant information. However, the same employee also asked the client to search for her initials and we decided that that wasn't reasonable and proportionate because her initials could appear in many different words or lots of other contexts that didn't relate to her at all.
Siobhan: So whilst we're talking about searches, as working becomes more agile and more digital as we talked about earlier, we're seeing more and more questions about whether things like instant messages, texts, WhatsApp need to be searched and provided in response to a DSAR. I mean what's your view on that?
Emma: So instant messages on messaging systems that are provided by the company, things like Skype for Business which we use here, things like Microsoft Teams should definitely be searched. Texts and WhatsApps are a bit less clear cut, it's a bit more of a grey area there. But there is a strong argument that if they're contained on work phones then yes they do need to be searched. How you do this practically is obviously a challenge because your only real way to do this is to ask employees to give you their phones so that you can search them.
Siobhan: Yes. And whilst that's fine in theory, do employees actually want to hand over their phones to the employer and might that not actually be a breach of their privacy rights?
Emma: Yeah. And that's something really important to consider as well. And this is where your policy framework can be really important. You'd ideally have policies in place that make it very clear to employees that any data contained on company devices sort of belongs to or is controlled by the company, and devices can be searched at any time.
Siobhan: Anyway, even if they are asked to present their phone to be checked, couldn't they just quickly delete a few of the messages they weren't too happy about?
Emma: That's definitely a risk and companies actually need to be really careful about this because it's now a criminal offence to delete data in order to avoid having to disclose it in response to a DSAR.
Emma: If data's deleted in accordance with retention periods that simply happened to expire during that period, that's a defence. But certainly if an employee deliberately deletes data in those circumstances, that is a concern.
Siobhan: So would you recommend then that employers just prohibit texting or WhatsApp then on company devices? Is that the easiest way to do it?
Emma: I mean it might seem the easiest way, I'm not sure it's strictly necessary. I know I sometimes find texting on my work phone quite useful. I think what's most important is to build a culture of not using work devices to send texts and WhatsApps that contain personal data about other people.
Siobhan: Yeah, I mean, and that's probably quite good advice generally. To be careful what you say about other people in a work context, especially on a work device.
Emma: Definitely. And actually some of the biggest issues we see arising out of DSARs happen where someone has been having a bit of a moan about the data subject on email without realising that the data subject has the right to see that information. And often there isn't an exemption that can be relied on to justify withholding that information. So employers have to disclose it, which can obviously then be quite embarrassing and can lead to further complaints from the data subject.
Siobhan: Yes, absolutely. So you know it's about making employees aware of this and the culture across the business.
Emma: Yeah, definitely. Employers should always be trying to make sure that all employees know about subject access so that they are a bit more careful about what they put in writing about other employees.
Siobhan: So that brings us on quite nicely to the third area that we're going to talk about relating to DSARs, which is the response itself and what you can and can't withhold. So Emma, can you give us a bit of an overview of what employers should be looking for in terms of personal data within documents that are revealed by their searches?
Emma: Of course. Yeah, so subject access gives people a right to access personal data about them. So anything that isn't personal data, they don't have a right to see. Personal data generally in this context has to be more than just someone's name on a document as well. So if there were minutes of a meeting that the employee attended and their name is listed as an attendee, but there's no other information about the employee in those minutes, the mere fact that their name is on the document isn't enough to make it personal data.
Siobhan: Once you've pulled out all those documents, what's the next thing to look at?
Emma: So I think the next logical step is to take out duplicate documents and earlier email threads where you've got the most recent thread in the document set. Now this is where you can really use some of the recent advances in technology to your advantage. We have a team here at TLT that provides a fully outsourced DSAR service to several of our clients and we use various tech platforms that can do quite sophisticated searches and analytics of the documents to automatically remove those sorts of duplicated documents, and that saves masses of time. So it's really worth looking at investing in those kinds of tools.
Siobhan: You mentioned earlier that there are some exemptions that apply that mean you can withhold some documents and redact information. Some of our listeners might be familiar with getting out the black pen. These are documents that you don't need to disclose, and one of those exemptions is legal privilege.
Emma: That's right. So privileged documents and privileged information are exempt from disclosure. You do need to be a little bit careful because it's really easy to assume that privilege applies just because a document is marked privileged or because a lawyer has been copied into correspondence. But the document does need to be either correspondence for the purposes of taking legal advice or a document prepared for the sole or dominant purpose of litigation in order to be excluded on the grounds of privilege. So you do need to do that assessment even if on the face of it the document looks very likely to be privileged.
Siobhan: And in addition to that then, and we get asked about this quite a lot, employers need to be a bit careful about disclosing personal data relating to other individuals? So not the data subject but their colleagues, for example.
Emma: Yeah, definitely. And you can redact third party personal data and actually you're expected to do so really to protect those individuals’ rights as well, unless disclosing the personal data is reasonable in the circumstances. So for example, if the third party personal data is contained in correspondence that the data subject has already seen or if it's information the data subject already knows, then it might be reasonable to disclose that.
Siobhan: Yeah, absolutely. So with my black pen, what else can I redact then?
Emma: So there are a couple of other exemptions that crop up quite a lot in an employment context. One of those is information that's processed for management forecasting and planning purposes where it would prejudice those purposes if the information was disclosed. I think that the most obvious example of that in an HR context is in a redundancy situation where there are ongoing redundancy discussions that haven't yet been finalised or communicated.
The other exemption that springs to mind is information that consists of the employer's intentions in negotiations and releasing the information would prejudice those negotiations. So for example, if settlement discussions are ongoing and there's an internal email that indicates that the employer would accept a certain settlement offer as a last resort, but wants to make a lower offer first. Clearly if that was released then that could affect the employer's position.
Siobhan: And what about the data, and there'll be a lot of this, that isn't personal data. So just, say two employees having a chat about the weather?
Emma: Yeah. So some clients take a very robust approach and redact everything that isn't strictly personal data, even if it's very generic and low risk data, like conversations about the weather as you said. However, it can often be quicker and more cost effective to disclose information that isn't personal data as long as it's not particularly confidential or commercially sensitive because then you just don't need to spend the time redacting it. So equally we have a lot of clients who take that view as well.
Siobhan: So Emma, you mentioned the use of technology earlier to help with excluding duplicate documents. So all those long email chains, but can technology also help with the redactions?
Emma: Yes, it definitely can. You've talked about getting a black marker pen out and I think lots of businesses do still make redactions that way. They get out their black marker pen and they remove everything that way. That's actually risky in itself because often you can actually see through the marker pen. The platforms we use can make much more reliable redactions and it's a lot quicker than doing it manually.
Siobhan: So one of the challenges that we see clients coming up against is if they're looking through an email chain between two other employees and let's say one of those employees says something that's not particularly favourable to say the least, about the data subject. I mean that's embarrassing, but presumably you can't just withhold information because you know it's a bit cringe-worthy.
Emma: No, unfortunately not. And this goes back to what we were saying earlier about employees having a moan about the data subject in an email. The best thing to do as a business is to build sufficient awareness that people just don't say things like that about other people in an email. But if you do encounter that sort of information, it's important to bear in mind that opinions about the data subject, say what somebody else thinks of them, are also the data subject’s personal data. Unless an exemption applies, which it often doesn't, you will need to disclose that data. Obviously you can redact the names of the people who have said those things to protect their rights, but not the comments themselves.
Siobhan: And sometimes it might be obvious who has said it.
Emma: Sometimes it is, yes.
Siobhan: And do clients sometimes take a bit of a risk on that front and withhold it anyway?
Emma: Yeah. We see that a lot. So companies often prefer to take the risk of being challenged on withholding the information over the risk that actually the data subject would see that other employees have been saying not nice things about them and potentially being able to use that in litigation. That's obviously a commercial decision. We generally advise treating that approach with a bit of caution, but we do see it.
Siobhan: So you've got to be careful.
But I suppose in reality the data subject can only challenge withholding information if they know that it actually exists.
Emma: Yeah. You'd think that was the case, and I think that's true to an extent. We do unfortunately often see data subjects challenging DSAR responses either just to cause more hassle or because they expected to receive more documents or more information in response. That challenge could then lead to an ICO investigation which could uncover that non-compliance. And the ICO could then order disclosure of the information anyway.
Siobhan: Then finally, when you send the response out to the data subject, are there any practicalities that you need to consider?
Emma: So in terms of the format of the response, it's good practice to check with the data subject whether they want the response electronically or in hard copy. And whatever you do the key is always that the response is sent securely. The other thing I think it's important always to remember is that the deadline is the date the response has to arrive with the data subject and not the date it has to be posted.
Siobhan: And just before we move on to our listeners’ questions, have you got any final tips for how employers can make life easier for themselves when it comes to dealing with DSARs?
Emma: So I think the more data you can make self-serve as it were, the better and it might make your searches a bit easier. The final thing I think it's worth mentioning on DSARs is that the ICO is currently consulting on draft guidance. There's some short form guidance on the website already, but the DSAR code of practice that the ICO issued under the old Data Protection Act hasn't been updated yet for the GDPR. The consultation is open until 12 February 2020, so it's a really good opportunity for any listeners who might want to make their voices known to have a say in what that guidance might look like. The consultation is available on the ICO website. Currently it's one of the top links on their homepage, so it's really easy to get onto if you're quick.
Siobhan: So finally we've got time for two listeners' questions. So Emma, the first question and as I said at the start we do get asked this a lot is, in light of the GDPR can you still take photos of colleagues at work events? What are your thoughts on that?
Emma: So the short answer is yes. We've had clients thinking that they need to get everyone to sign a consent form if they want to take photos at their work Christmas party, for example. If the photos are just for internal use, so for example, to put them on a shared drive for other employees to access, then as long as employees know that photos are being taken this will generally be fine.
It's also good practice to make sure that there's a way that employees can opt out of having their photos taken if possible. So a couple of ways we've seen employers do this previously are firstly to ensure that photos are only taken in a particular area of the venue, which is clearly delineated from the rest of the venue. Or alternatively, to give employees the option to actually ask the photographer not to take photos of them.
Siobhan: And you've said that's the case if the photos are for internal use, but a lot of our listeners will be taking photographs for websites and external use, like marketing materials. Is that okay?
Emma: So I think you probably need to be a little bit more careful in that situation. At the very least, you should be giving employees really clear information about where the photos will appear and robust ways of objecting to this if they might not want photos of themselves at the Christmas party on the publicly available website and things like that. It might be easiest in practice to get written consent in those circumstances.
Siobhan: And then our final question is how long you need to keep HR records for? We get asked this one a lot too. And how you then need to destroy them in order to protect people's privacy?
Emma: Yeah, retention is a really common theme for us at the moment. The GDPR doesn't impose particular retention periods on companies, but it does say that personal data should only be kept for as long as needed for the purposes of the processing.
For HR records, quite a common approach is to keep them for sort of six to seven years after termination of employment. So although most employment related claims, as you will know much better than me, have to be brought within a matter of months after employment ends, there are some claims like breach of contract claims that have a six year limitation period. So that's where that sort of six to seven year approach comes from.
We have seen some clients delete the majority of data after 12 months if they're comfortable that no new claims will arise and just keep enough data then to give references or to deal with any contractual issues in the future. So the approach definitely varies.
And then in terms of how to destroy them, records should always be destroyed securely. So hard copies should be shredded. Electronic documents are often quite hard to delete completely, but they should be wiped from systems as far as possible and put beyond use.
Siobhan: Okay. Thank you Emma. And thank you very much to all our listeners for joining. We aim to cover the biggest topics that are affecting HR teams today, so please do get in touch if there's something you'd like us to look at on the next podcast. You can email us at email@example.com or tweet us using the hashtag #TLTemploymentpodcast and tagging @TLT_Employment. If you're enjoying the podcast, you can rate and review it, which means that more people can take a listen. And don't forget to subscribe on your podcast app so that you don't miss any of our future episodes.
Jonathan Rennie: The information in this podcast is for general guidance only and represents our understanding of the relevant law and practice at the time of recording. We recommend you seek specific advice for specific cases. Please visit our website for our full terms and conditions.