
HR professionals must prepare themselves for a spike in data subject access requests

The number of data subject access requests (DSARs) soared amidst the disruption caused by the coronavirus pandemic, and now, following the end of the furlough scheme last month, that number is expected to rise again as businesses might find themselves having to make hard decisions around possible redundancies.

A DSAR is a request from somebody within a company to see what data is stored on them. This can be anything from sensitive personal data, such as medical records, to something as small as their name on a SharePoint file. A response must be issued within 30 days, and all data must be supplied.




In the case of employee or ex-employee related DSARs, it is almost entirely the responsibility of HR professionals to manage the response.

Equipped with an intimate catalogue of employee knowledge and unique insight into where information is held and processed, they are best positioned for the job. But, with the handling of data such a sensitive and closely regulated necessity, it’s important for HR professionals to manage these requests effectively without compromising on efficiency.

Effective management 

When a DSAR is made to a company, it must provide all the information it holds on the data subject.

At The Data Privacy Group, we regularly see issues where companies have failed to disclose electronic items such as emails and file shares. If the data subject is not satisfied with what is provided, they are within their rights to complain to the Information Commissioner’s Office (ICO), meaning the company is at risk of receiving an enforcement notice or fine.

Companies can also face regulatory action if they overshare information, for example by disclosing the data of another individual not associated with the DSAR.

For instance, in a chain of emails there will be multiple people’s information documented and as such, it is crucial HR professionals redact any details not directly associated with the data subject.

Alongside data of other individuals, it is also necessary for HR professionals to redact any commercially sensitive content or that which is held under legal privilege, such as confidential information that, by law, companies do not have to disclose.

Another right data subjects can exercise is an erasure request, also known as ‘the right to be forgotten’. Put simply, it is a request for data to be deleted.

Erasure requests are slightly different from access requests and it is vital that HR professionals understand the nuances separating the two. Erasure is a qualified right, meaning it only applies under certain circumstances. Companies must only erase the personal data held on the basis of consent of the data subject or legitimate interest of the company.

HR professionals should note that relying on the consent of an employee to store and process data is high risk because they can argue, after the fact, that they gave consent under duress, essentially because they were in fear of losing their job if they refused.

In this instance, because the consent was not freely given, it is not valid in the eyes of the law. We highly recommend the personal data of employees is held under the basis of 'Performance of a Contract' so an erasure request can be denied.

Before signing off on a DSAR it is well worth checking in with either a senior member of the HR team, a legal representative or a data privacy expert – that way, the company can be safe in the knowledge that its actions have been compliant and that it will not face any further action. But how can companies avoid action being taken against them in the first place?

Preventative measures

Almost invariably, the volume of DSARs a company receives is indicative of how staff are treated. Of course, sometimes, instances are out of a company’s hands – the pandemic, for example, caused unforeseen circumstances which threatened the job security of people all over the country and was unpreventable.

But what businesses can do is create a culture of open, honest transparency amongst staff and promote trust as a core company value. They are best positioned to do this with an operationalised privacy programme – that is, a privacy programme which is part of a company’s DNA. Once set up and running, companies have the peace of mind that they are fully compliant and staff know their personal data is protected and respected.

Understandably, many companies are put off by the upfront cost of installing an effective privacy programme, and the price of being compliant.

However, they must consider the risk they run by not having such a system in place. The potential cost of non-compliance to their business is huge, with the threat of DSARs costing upwards of £1,000 per request as well as other possible enforcement notices and fines from the ICO. Companies should recognise the worth of that initial investment, as it will likely end up saving them money in the long run.

For a lot of companies, the upset caused by the furlough scheme coming to a close will be unavoidable.

It’s likely to run up the number of DSARs landing on the HR department’s desk, and as such, professionals must take steps to prepare themselves for this rise. An operationalised privacy programme will do just that, and although it costs the business an initial upfront fee, it will save money in the future and ensure they operate in a compliant way.

Peter Borner is co-founder of The Data Privacy Group