ICO issues new guidance on employee DSARs, stating: “It’s important not to get caught out.”
May 2023

The ICO, the UK Data Protection Authority (“DPA”), has issued new guidance for businesses and employers on employee Data Subject Access Requests (“DSARs”).
Under the EU GDPR all data subjects, including employees, contractors and consultants, have the right of access to their data, effectively meaning that they can request a copy of all of their personal data held by the organisation. Responding to a DSAR is frequently a complex and time-consuming exercise. It is not as simple as downloading a personnel file – if only! It often requires a forensic review of emails, documents and IT systems generally, to ensure that the documents located are appropriate to disclose to the individual, and to redact them to remove the personal data of other individuals, commercially sensitive information, and often information which does not relate to the employee and so is not personal data to which they are entitled under a DSAR. Whilst the ICO is clear that employers should approach DSARs in a purposive rather than an obstructive way, we often see disclosed pages (and indeed disclose pages for clients) which contain significantly more redaction than they do information.
The time-consuming nature of the exercise is why it is so often deployed by individuals in the event of a dispute.
The ICO reported in its press release that it received 15,848 complaints relating to DSARs between April 2022 and March 2023, a staggering number. It has now released new, enhanced guidance on how employers should respond to DSARs.
The new guidance covers key issues, including the following:
- A data subject’s right to obtain a copy of their personal data cannot be overridden by a settlement or non-disclosure agreement. If a settlement agreement attempts to waive an employee’s right of access, it is likely that this element of the agreement will be unenforceable under data protection legislation. Many employers include provisions in settlement agreements that existing DSARs are withdrawn as part of the settlement process. The new guidance makes it clear that any attempt to prevent a further request (even one on the same terms) is likely to be void.
- Emails that an employee is copied into may, in some circumstances, be disclosable in a DSAR. Data subjects are only entitled to personal data relating to them, but that data may well be contained in emails which also discuss business matters. An exercise must be carried out to determine whether some or all of such emails must be disclosed in order to comply with the DSAR.
- Searches must also be carried out across social media channels if an employer uses such channels for business purposes, as in these contexts the employer will be a controller of the information processed on those pages. Employers should consider giving staff careful guidance on the use of messaging systems such as Teams, WhatsApp and the like. If WhatsApp is used (whether actively or by being condoned) for business purposes, then those messages are likely to be disclosable – think of certain MPs’ current dilemmas.
- Though data subjects may use a DSAR to gather evidence for an ongoing grievance or tribunal process, this does not give employers grounds to refuse to comply with the DSAR. Whilst it was never the purpose of the legislation that individuals should use DSARs as fishing expeditions (McWilliams v Citibank NA, East London Hearing Centre, 19.4.16 (Case No. 3200384/15)) or early disclosure exercises, many do. If the DSAR is otherwise valid and lawful, the rationale for requesting the information has no bearing on how an employer should respond. That said, the information provided under the DSAR is limited to that to which the individual is entitled under the EU GDPR.
- A DSAR may be manifestly unfounded if the data subject clearly has no intention of exercising their right of access, or if the request is malicious in intent. It is unlikely that “malicious intent” will ever be easy to determine, and one suspects that refusing to comply with a DSAR on this ground is almost certain to result in a report being made to the ICO. The guidance does indicate that malicious intent can be inferred from the subject making unsubstantiated accusations against the organisation, or targeting specific employees against whom the subject has a personal grudge. However, given that allegations are quite often incapable of substantiation, at least at the point the DSAR is submitted, demonstrating “malicious intent” may well be more effort than simply complying with the DSAR – which is presumably the very point!
For more information, you can access the ICO’s full guidance here: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/employers/sars-qa-for-employers/

McWilliams v Citibank NA, East London Hearing Centre, 19.4.16 (Case No. 3200384/15); further supported by Dawson-Damer and others v Taylor Wessing LLP [2017] EWCA Civ 74, 16 February 2017.
Article by:
Harvinder Thiara, Associate & Data Privacy Solicitor E: [email protected] T: 020 7317 6771