20th November 2019
Subject Access Requests From Employees Rising – Are You Ready?
It would be hoped that subject access requests (“SAR”) are considered a useful tool to assist genuinely concerned employees in understanding the data held about them by their employers. Unfortunately, there is a growing consensus among employers that employee requests are being used to apply administrative pressure, expense and additional complexities, particularly when there is an existing employment dispute.
The General Data Protection Regulation (“GDPR”) is not concerned with the motivation of the employee to make the request unless it is ‘manifestly unfounded or excessive’. Employees are becoming more aware of the legislation moving forward which is likely to increase the rate of requests, particularly as it can be instigated with simple communication to the employer from the employee.
‘Reasonable and Proportionate Search’
An initial search can throw up thousands of pieces of data held about an employee, producing an overwhelming workload to satisfy the SAR. Employers were afforded some respite in the final throws of the Data Protection Act 1998 when it was clarified in Dawson-Damer v Taylor Wessing LLP (among other cases) that data should be supplied as long as the search would not involve ‘disproportionate effort’. This implied an obligation to perform a ‘reasonable and proportionate search’ and NOT an obligation to ‘leave no stone unturned’.
The SAR sections of the GDPR or the DPA 2018 however, make no reference to the ‘disproportionate effort’ that should be applied, which on the face of it implies no limitation on the scope of the SAR and the potential size of the workload. Employers controlling large amounts of data about employees may utilise Recital 63 of the GDPR, requiring the employee to further specify additional information as well as guidance as to what matter the SAR relates; this allows the employer to regain some control of the workload when completing the SAR.
Further guidance from the Information Commissioner’s Office (“ICO”) provides that the search should commence following receipt of additional information; if the employee fails to clarify the request then a ‘reasonable search’ should be carried out to satisfy the SAR (it should be noted that a search must not be narrowed or limited due to any cost implications this may have for the employer). Although it is likely that future courts would take a general view of proportionality, this is yet to be tested and therefore employers should err on the side of ‘over-searching’ when conducting SARs for employees.
How to Prepare
Employers can prepare for a SAR by having a policy and procedure in place to act, which also notes the contact list of people likely to be involved in completing the task. Engage openly with the employee to narrow the scope of the request and then act quickly to ensure the request is satisfied within the deadline (usually one month). Employers should know where to look technologically for the data needed (including backups) and be sensitive to the protection of third-party data. The whole process should be documented thoroughly in the event that the employee feels compelled to challenge the satisfactory completion of the SAR either by complaining to the ICO or applying to the courts for a compliance order.
If you need further assistance with this or any aspect of employment law, then please contact us on 0845 459 1724, or email info@lighthouseriskservices.co.uk.