January 2022 Top 10 Tips to Dealing with an Employee Data Protection Subject Access Request (DSAR)

Employers dread DSARs from employees for a good reason – they are time consuming, frequently complex and, sometimes unearth data which is, ahem ….. less than helpful. We all know that employees are increasingly using DSARs as a “negotiation tool” in acrimonious exit situations and so it pays to know what to do when you receive one, rather than scrabbling around to ensure compliance once the email drops into your inbox.

This is not designed to be a comprehensive guide to the law, simply some tips to tackling DSARs:

1. Prevention is better than cure. I know, not technically a tip for when you receive a DSAR but really probably the most important message there is. It does pay to remind the workforce every now and again that ALL messages sent should be professional and may be disclosable. This is especially important in a world where we are communicating more and more via screen and communications over instant messaging become less formal. It is all too easy to slip up and add that one comment that comes back to bite. If you wouldn’t want the subject to read it (or worse still a judge in the event of litigation) then just don’t say it.
2. Are you clear that the employee is making a DSAR and / or the information being requested? If not then the employee should be contacted asap so that clarification can be sought. Technically the clock does not start ticking on response time until that clarification has been obtained – but you’d be unwise to rely on that unless things are really unclear. To be safe, start the clock and seek clarification simultaneously. The obligation is, after all, to deal with the request without undue delay. Should timings become sticky you can consider whether the deadline has been extended on a “stop the clock” basis.
3. Make sure you have sufficient time to deal with the request properly. The clock starts ticking on the day the request is received and the time limit to respond is one month. However, if the request is “complex” (for example it will unearth a significant volume of data from different sources, which will need reviewing and potentially redacting to remove commercially sensitive data or other personal data) then notify the employee that you will need longer than the one month deadline. The one month deadline can be extended by an additional two months if the request is complex. However you’ve still only got the initial month to tell the employee that you are making use of the extension (and be prepared to justify why) – so don’t wait until the last minute – and you’d better be able to justify the extension to the ICO if needs be. The fact that the search will turn up a large volume of data doesn’t necessarily make it excessive.
4. Read the request carefully. If the request is “manifestly excessive” or “manifestly unfounded” then an employer is entitled to charge a reasonable fee or refuse to act – but “manifestly” is one high hurdle to overcome. If you are planning on using either to refuse a request then seeking advice is probably a must. A better course of action to an outright refusal would be to liaise with the employee to understand their reasoning for requesting what they have with a view to limiting the scope of the request (i.e. to the 9 month period prior to termination where issues started arising rather than the entirety of their employment).
5. Use appropriate search terms. If the employee doesn’t specify the names they would like you to search, then it is prudent to confirm the terms you will be using. Employees will usually request first name, surname, initials, and / or any nickname.
6. Conduct a reasonable and appropriate search. Don’t just search corporate document management systems and emails but also consider other platforms and whether data may have been saved locally (whether correctly or not) and ask relevant staff to search appropriate locations. Consider deleted data, back ups, Microsoft Teams messages, WhatsApp etc.
7. Is the data Personal Data? Just because the individual’s name pops up against a search does not mean that the document in question contains personal data. Ask yourself firstly is the individual identified – i.e. by name, initials, email address or other identifying factor, and secondly is the data about the individual – or are their initials simply on the circulation list for a document which actually has nothing to do with them.
8. Redact the personal data of other data subjects. A time consuming and laborious task undoubtedly but an important one. You don’t want to breach the data rights of one data subject by replying too fulsomely to the request of another. Read the data, page by page, line by line and look for the identifiers of other data subjects. If the information in question belongs to another data subject, then either get their consent to disclose it, consider whether it is appropriate to disclose it without consent (risky business), or redact it.
9. Redact information that is not personal data. This is not a litigation disclosure exercise. Nor should it be a fishing expedition (although we all know it is) on the part of the employee. They are entitled to their personal data, and that is it. If it isn’t their personal data then redact it, particularly if it is confidential or financially sensitive. Also consider that you don’t have to disclose everything. Some data should not be disclosed, including that which is subject to legal professional privilege, employment references given in confidence, information processed for management forecasting if the disclosure would prejudice the context of the business or activity (complex) or information relating to negotiations if disclosure would prejudice those negotiations. Again, a fine line and be prepared to consider how you will justify redactions.
10. Consider how you will disclose the data. You need to respond in writing (email is fine if the request was made in that way) and provide a copy of the personal data. It is normally easiest to provide copies of the relevant documents with appropriate redactions but bear in mind this could be a significant volume of information. You also need to explain the purposes of the processing, confirm the categories of personal data, confirm if the data has been disclosed and to whom, and where the data came from. The employee should also be told how long the data will be retained, reminded that that can request erasure or rectification of incorrect data and of their right to complain to the ICO.