What is a data subject access request?
A data subject access request (DSAR) is a formal request made by an individual (the “data subject”) to an organisation, asking for access to the personal data that the organisation holds about them. A DSAR allows individuals to understand how their personal data is being used and processed. The relevant UK data protection legislation comprises the retained EU law version of the General Data Protection Regulation (EU) 2016/679 (the UK GDPR) and the Data Protection Act 2018 (DPA 2018) (together, the ‘Data Protection Legislation’).
Whilst the right of data subjects to make a DSAR is not new (it has been in place since the introduction of the Data Protection Act 1984), the nature and quantity of data held about data subjects in the employment context has grown enormously, as has awareness of data subjects’ rights.
Responding to DSARs can be time-consuming and expensive for data controllers, especially in an employment context. Some DSARs are made by employees who genuinely wish to find out what data their employer is processing; increasingly, others are made during litigation or disputes, either to cause the employer to expend time and money in responding or to force the employer’s hand into agreeing a settlement.
What steps should an employer (as the data controller) take when receiving a DSAR?
If an employer fails to respond to a DSAR promptly or at all, it can be subject to a fine or a reprimand from the Information Commissioner’s Office (ICO). Therefore, the employer will need to understand its obligations, know how to recognise a DSAR, and act quickly so as to meet the timescales to respond.
The UK GDPR defines personal data as “any information relating to an identified or identifiable natural person”. In essence, personal data is any data that both allows an individual to be identified and relates to that person. The second limb is important to bear in mind when responding to a DSAR: employees often do not appreciate it and seek access to more information than they are actually entitled to under the Data Protection Legislation.
Upon receipt of a DSAR, an employer should take the following steps:
- Verify the identity of the requester; a third party can make a DSAR on behalf of the data subject, so the requester and the data subject may not be the same person.
- Check whether the employer processes data concerning the data subject.
- Check the scope of the DSAR and consider whether it is too wide. If the employee has requested “any data” or “all data”, this could constitute many thousands of items of data and may be too wide in scope or too onerous for the employer. In such cases, the employer may be able to ask the employee to clarify the scope of the DSAR, or charge a fee, or refuse to respond to the request, arguing that it is “manifestly unfounded or excessive”.
- Work out deadlines for compliance and diarise accordingly. The DSAR should be complied with without undue delay and within one month of either receipt of the request, or receipt of any information requested to confirm the requester’s identity, or receipt of any fee charged. The time limit may be extended by a further two months if the request is complex or if the data subject makes a number of requests under the Data Protection Legislation.
- Perform a reasonable search for the requested information. Data relevant to the DSAR may be stored in numerous places (in different departments, in different locations and on different systems) and may come from varying sources (emails, electronic files and documents, databases, door entry/key card access systems, word processing systems, computer equipment, paper files, photographs, monitoring and CCTV records, internet logs, telephone records, backup files, and third-party processors’ systems).
- Review the files and documents collected and identify whether the information gathered is personal data relevant to the DSAR. Redactions may be required to protect the identities of other individuals who are identified or identifiable in the employee’s data, to withhold personal data that does not concern the employee, or to withhold organisational data. Consider whether consent from other individuals is needed (this will depend on the circumstances) and whether any other exemptions (for example, legal privilege) apply.
- Provide a copy of the personal data in an accessible, concise, intelligible and secure format. If the request is made electronically, the response should usually be too.
- In addition to a copy of the data, the employee is entitled to other information about how their data is being used and processed. This goes beyond the documents themselves and is similar to the information provided in a privacy notice.
- The employee must also be given information about complaints and disputes, including the right to complain to the ICO, the right to request rectification or erasure of personal data, and the right to object to, or restrict, the processing of their data.
Other steps for employers
Employers are advised to:
- Have procedures in place to handle DSARs and ensure that the relevant staff are appropriately trained, including in relation to how to identify when a DSAR is made.
- Have a procedure for tracking receipt of DSARs and the steps taken by the employer in the response process, to ensure that they comply with data protection laws and that deadlines are not missed.
- Familiarise themselves with the ICO’s guidance on DSARs, to help them navigate the DSAR process and be compliant with data protection laws.
DSARs as valuable tools for employers and employees
For employees, a DSAR can be a useful tool to understand what personal data their employer holds about them, to verify (and if necessary correct) the accuracy of that data, to check that their data is being used in compliance with data protection and privacy laws, to obtain their records for the purposes of disciplinary proceedings or potential claims for dismissal or discrimination, or to request deletion of their personal data. A specialist lawyer can help employees navigate the DSAR process and maximise its effectiveness.
For employers, a specialist lawyer can play a crucial role in helping an organisation to comply with data protection laws when responding to a DSAR in terms of understanding the legal framework, assessing validity of requests, identifying relevant data, identifying and extending deadlines for compliance, handling sensitive data, mitigating risks, implementing staff training, drafting workplace policies, and managing any data protection claims or disputes.
If you have questions or concerns about data subject access requests, please contact Emma Loveday-Hill.
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.