The right of access to personal data - what employers need to do
by Shoosmiths LLP
Between April 2022 and March 2023, 15,848 complaints were submitted to the ICO in respect of DSARs. This article follows our previous discussion on how employers can remain compliant with the ICO’s guidance on DSARs and how employers should respond to DSARs.
What can be given in response to a DSAR?
Data subjects have the right to obtain confirmation on whether their personal data is being processed and if it is, information about the processing (including the purpose of processing) and categories of personal data that are being processed. An employer must also provide a copy of the personal data that is being processed.
Article 15(3) of the GDPR provides that in response to a DSAR:
"The controller shall provide a copy of the personal data undergoing processing"
Across Europe, different countries take different approaches to the right of access and, in particular, there has been ongoing European debate as to what amounts to a "copy" for these purposes, with a number of cases having recently been considered by the ECJ. Whilst ECJ judgments are no longer binding in the UK, it is important to note the approach adopted in them, as these rulings are likely to steer the ICO’s approach to dealing with DSARs.
In FF v Österreichische Datenschutzbehörde and CRIF GmbH C-487/21, the ECJ found that a controller’s obligation to provide a copy of any personal data which is processed means that the individual must be provided with a “faithful and intelligible reproduction of all those data”. In this case, the individual had simply been provided with a list of his processed personal data but not with any copies. Consequently, the ECJ has confirmed that copies of extracts of documents, entire documents and extracts from databases should be provided where the provision of that copy is essential to enable the individual to effectively exercise their rights under the GDPR.
In the case of RW v Österreichische Post AG C-154/21, the ECJ has clarified that when an individual seeks access to information about the processing of their personal data under the GDPR, they have the right to know not only the categories of recipients but also the specific recipients to whom their personal data have been disclosed. Only where the actual recipients are impossible to identify, or the controller can demonstrate that the DSAR is manifestly unfounded or excessive, will an employer be able to simply indicate the categories of recipient.
Is temporary access to personal data enough?
Often, employers may wish to give individuals temporary access to the personal data collated as part of a DSAR response. Whether temporary access is in fact compliant with data protection legislation is the subject of much debate. The Attorney General’s opinion published following the CRIF case indicated that Article 15(3) must be interpreted as meaning that a ‘copy’ comprises a faithful reproduction in intelligible form, “in material and permanent form”. Whilst this opinion is not binding, it is likely to be followed by the ECJ and domestic courts, including those in the UK. Therefore, granting only temporary access to personal data in light of a DSAR is likely to be contrary to data protection laws.
The exact form of the copy will be determined by the specific circumstances of each case and, in particular, the type of personal data falling within the request and the needs of the employee. For example, with an existing employee, it may be appropriate to provide them with continuous access to the personal data they requested. However, with an ex-employee, it could be more appropriate to allow access for a set period after the termination of their employment (for example, 6 months), to comply with the data protection principles of storage limitation and data minimisation.
Key takeaways
So what does this mean for employers? Generally, employers in the UK have adopted a more expansive approach when responding to DSARs by providing copies of documents which contain an individual’s personal data. Therefore, these recent ECJ decisions would simply mean continuing with the status quo for UK employers when responding to DSARs. However, employers will need to consider the following in responding to a DSAR:
- Although the requirement is to provide a copy of personal data, not a specific document, it will often be easiest to produce a copy of the document with appropriate redactions.
- Although a redacted copy of the document will often be easier, personal data can also be extracted and copied into a different document. For example, if personal data is contained in a database, it may be more appropriate to provide an extract of the individual’s personal data rather than the whole database.
- Where there is a large quantity of largely repetitive data, a possible approach may be to summarise the data fairly and in reasonable detail, but employers should not use this to hide information they would prefer not to disclose. This is particularly the case where an employer holds a document which may not be favourable to it in subsequent legal proceedings.
In addition, employees are more frequently submitting DSARs in the lead-up to or amidst employment tribunal cases. Typically, this is because they seek to reinforce their case against the employer, to obtain preliminary disclosure of documents relevant to the litigation, or even to maximise their settlement payment. A failure to comply properly with a DSAR could lead to significant time and costs being incurred in trying to manage potential litigation commenced by current and/or former employees. Employers should take appropriate legal advice, particularly if there are concerns that a DSAR is being used for the sole purpose of obtaining documents relevant to legal proceedings.
This area of law may be subject to change under the Data Protection and Digital Information Bill (Bill). The aim of the Bill is to alleviate an organisation’s capacity constraints when responding to DSARs, with the Government proposing to amend the threshold at which controllers can refuse to respond to a request. It is proposed that a DSAR can be refused where it is ‘vexatious or excessive’, rather than the current threshold of ‘manifestly unfounded or excessive’. However, for the time being, employers should continue to maintain appropriate processes and systems to identify and escalate DSARs, ensure appropriate searches are carried out, collate the information, and provide a response within the time limits.