FAQs by employers when dealing with DSARs – Part 1
1. How do I verify that the request is genuine?
There is no set format for making a data subject access request (DSAR), so a request might be made verbally, in writing, by email or by other electronic means. To comply with data security obligations, it is important that you make sure any request for data actually comes from the person purporting to make it. If the employee making the request is still employed and either uses their work email address or a personal email address which you already hold on record, particularly where the employee has indicated an intention to make a request, then it is reasonable to proceed with responding to the request.
However, if you don’t recognise the email address and/or the employee has left or the request has come out of the blue, you should exercise more caution. In addition, if you receive a request on behalf of an individual from their legal adviser and it is the first contact received from that legal adviser, it will likely be necessary to take further action. It is appropriate in those circumstances to request some identifying information. Any such request must, however, be reasonable and proportionate. For example, it may not always be appropriate to ask for identification documents if a username and password would be enough to verify the individual.
A useful point for employers to note is that the time for responding to a DSAR does not start until the information requested to verify identity has been received. Employers should, however, make the request promptly and should not deliberately delay requesting the identity information.
2. How long do I have to respond?
Subject to pausing time through requesting identification or clarification, employers have one calendar month from receipt of the request to comply and respond. The time limit should be calculated from the day you receive the request, fee or clarification (whether it is a working day or not) until the corresponding date in the next calendar month.
If the next calendar month is shorter and therefore there is no corresponding date, the date for responding falls on the last day of that month. If the date falls on a weekend or a public holiday, an employer would have until the next working day to respond.
Therefore, calculating the correct response date is crucial, as the exact number of days to comply with a request will vary depending on the month and specific date on which a request is received.
The deadline to respond can also be extended in specific circumstances.
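The month-counting rule above (corresponding date in the next calendar month, last day of a shorter month, then roll forward past weekends and public holidays), as an added Python example that is not from the original article. The public holiday set is a constructed sample, and the input date is assumed to be the day the clock actually starts, i.e. after any identity information or clarification has been received.

```python
from calendar import monthrange
from datetime import date, timedelta

# Constructed sample of public holidays, used only to exercise the roll-forward rule;
# a real calendar depends on the jurisdiction and year.
SAMPLE_HOLIDAYS = frozenset({date(2024, 12, 25), date(2024, 12, 26), date(2025, 1, 1)})


def dsar_deadline(clock_start: date, holidays=SAMPLE_HOLIDAYS) -> date:
    """Return the last day on which the DSAR response is due.

    clock_start is the day the request, fee or clarification was received.
    The clock does not start until requested identity information arrives,
    so pass that later date where identity was verified.
    """
    # Step 1: the corresponding date in the next calendar month.
    if clock_start.month == 12:
        year, month = clock_start.year + 1, 1
    else:
        year, month = clock_start.year, clock_start.month + 1
    # Step 2: if the next month is shorter and has no corresponding date
    # (e.g. 31 January), the deadline falls on the last day of that month.
    last_day = monthrange(year, month)[1]
    deadline = date(year, month, min(clock_start.day, last_day))
    # Step 3: a deadline on a weekend or public holiday moves to the next working day.
    while deadline.weekday() >= 5 or deadline in holidays:
        deadline += timedelta(days=1)
    return deadline


def days_to_respond(clock_start: date, holidays=SAMPLE_HOLIDAYS) -> int:
    """Calendar days available, which varies with the month the request arrives."""
    return (dsar_deadline(clock_start, holidays) - clock_start).days


def deadline_for(received_iso: str, holidays=SAMPLE_HOLIDAYS) -> str:
    """ISO-string convenience wrapper, e.g. deadline_for("2024-01-31") -> "2024-02-29"."""
    return dsar_deadline(date.fromisoformat(received_iso), holidays).isoformat()


if __name__ == "__main__":
    for received in ("2024-01-31", "2023-01-31", "2024-05-31", "2024-11-25", "2024-12-15"):
        days = days_to_respond(date.fromisoformat(received))
        print(f"received {received} -> respond by {deadline_for(received)} ({days} days)")
```

Running it shows why the day count is not fixed: a request received on 31 January gets 29 days in a leap year but 28 otherwise, while one received on 31 May 2024 rolls from Sunday 30 June to Monday 1 July.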
3. Where do I have to look for the data?
Employers need to carry out a ‘reasonable and proportionate’ search when responding to an employee’s DSAR.
In most cases this means that you would simply search your own computer systems for that personal data. Such searches will unearth the usual documents and records in personnel files and email exchanges.
However, more and more often, employers are having to consider whether searches need to extend to employee exchanges on social media platforms like WhatsApp, Twitter, LinkedIn and Facebook as well as to exchanges and records kept on personal accounts or devices used by employees for work purposes, and also those devices used by others connected to the employer such as trustees, non-executive directors or governors. Check out our previous article on this issue.
The ICO Guidance states that it does not expect employers to instruct employees to search their private emails, personal devices or private instant messaging applications such as WhatsApp when responding to a DSAR – unless the employer has a good reason to believe the employee is holding relevant personal data on that device or account.
However, if employees use their own personal devices or accounts to send work-related emails, they are likely acting on the employer’s behalf and, if so, any personal data stored on that device or account could be within the scope of the DSAR as the employer will remain the controller of any personal data processed on those devices or accounts. The same applies where organisations engage trustees or non-executive directors as typically those undertaking these roles will use their own personal email accounts and devices to perform their functions.
This applies irrespective of whether you can easily access those personal devices or accounts: difficulty of access does not automatically exclude the data processed on them from the DSAR searches. You may need to require individuals to search their personal devices if you are to meet your obligations in responding to the DSAR.
4. What data do I have to provide?
Personal data is information that relates to an identified or identifiable living individual (also referred to as a data subject). An individual is identified or identifiable if they are distinguishable from other individuals. What identifies an individual could be as simple as a name or number or could include other identifiers such as an IP address or a cookie identifier.
When considering the scope of a DSAR, it is important that you consider not just data from which the employee can be directly identified (for example, their contract of employment, performance review documents or payslips) but also data which, when used with other pieces of information, can identify the individual (for example, data containing employee numbers).
For data to relate to an individual, it must do more than simply identify them: it must concern the individual in some way. Data can reference an identifiable individual and still not be personal data about that individual if it does not relate to them, for example, an email sent to the employee’s work email address confirming arrangements for an office charity fundraiser.
Personal data may include:
- Expressions or opinions about the individual and any suggestion of the intentions of another person in relation to the individual
- Personal details about the individual
- Information that focuses on and affects the individual
However, any information that is:
- Truly anonymous
- About a deceased person
- About companies
- About public authorities
is not considered to be personal data.
That said, there may be situations where information is requested which is not strictly personal data but which helps to set the personal data in context, for instance, information about which other individuals were involved in redundancy proposals. It may be fair and transparent to provide such information even though it is not the personal data of the requesting employee.
5. What if the data contains information about another person?
It is not uncommon for personal data relating to one employee to also contain personal data belonging to another employee or a third party. For example, there may be emails from a manager expressing concerns about the behaviour or performance of the employee who has made the request. In this case, the email would contain personal data of both the manager and the employee. You are not required to disclose such information unless the third party consents or it is reasonable to disclose the data to the employee without such consent, for instance where the manager has already shared the concerns with the employee in the context of a performance management process.
Under the Data Protection Act 2018 (“DPA”), as much as possible of the personal data which has been requested should be provided to an employee without disclosing any third-party data. Where third-party data is involved in responding to a DSAR, you will need to carry out a careful balancing exercise between the employee’s request and any competing third-party rights. You should also consider whether the third-party data can be redacted so that the remaining information can be disclosed.
6. Is there anything I don’t have to disclose?
As mentioned above, you are not required to disclose information which is not personal data of the requester.
There are also a number of exemptions from the duty to disclose, most notably: legal advice or litigation privilege; a reference given, or to be given, in confidence for employment, training or educational purposes; personal data which is processed for the purpose of management forecasting or planning for business activities where disclosure would prejudice the business activity, for instance disclosing information on a staff redundancy programme before it has been announced to the affected workforce. Redundancy exercises relating to the individual which have been concluded are not likely to fall within this exemption. Employers also do not have to disclose records relating to negotiations between the employer and employee, if to do so would prejudice those negotiations.
Look out for Part 2 where we tackle more questions around what and how personal data should be provided when responding to an employee DSAR.