If you work in HR and haven’t yet had to deal with a subject access request (SAR) you are a rare breed. The implementation of the General Data Protection Regulation (GDPR) on 25 May 2018 has seen a surge in the use of SARs by employees.
SARs can be raised by employees in different circumstances. Some employees can be genuinely concerned to discover what data is being held and processed, and want to check it is accurate.
Data protection:
What a new UK GDPR law might look like
Employees don't trust organisations enough to share personal data
What HR needs to know: GDPR and AI
However, many employers feel employees are tending to use SARs to put pressure, administrative burdens and expense on employers. Equally, where an employment dispute already exists, the submission of a SAR may just be the opening of another battlefront. It might also be the launch of a fishing expedition to try and find a piece of evidence that the employee ‘knows’ exists.
However, unless a SAR raised by an employee is 'manifestly unfounded or excessive', the GDPR gives no weight to an employee’s motivation in making the request.
As much as HR should be hoping for genuine requests from concerned employees without a broader agenda, they should prepare for the worst. And by the worst, we simply note that we’ve seen an increase in the number of SARs submitted electronically after the pubs have closed…
The first question HR needs to address is: can the organisation spot a SAR when it's raised and get it to whoever needs to respond in a timely fashion? Guidance suggests that a SAR could, in principle, be raised via an employer’s Facebook or Twitter account.
Assuming the SAR does not languish in someone’s in-tray and is passed in a timely fashion to whoever is to deal with it, an employer needs to rapidly consider whether it knows the identity of the person raising the SAR. Employers often hold large amounts of data on employees (e.g. emails), and if the employee has been vague or deliberately wide in the SAR, it may be prudent to ask for clarification as to the information sought.
Any SAR must be dealt with effectively, within one month of receipt. This can be extended by two months if the SAR is complex. Such complexity arises if it involves information from many different email accounts or requires significant amount of redaction of others’ personal data.
As an employee issuing a SAR does not have rights above other employees, redaction will need to occur if an employer must provide emails that contain personal data relating to others. Therefore, it’s possible that large sections of emails may be blacked out. HR professionals may need to consider whether they have the IT skills to rapidly redact multiple pages of emails referencing the individual who has raised the SAR.
Employers need to be able to demonstrate they have looked in any email back-up systems and data saved on individual managers’ PCs. As a result, it is likely that managers may need to be asked to check and confirm they have not saved such information outside of their email account.
Employees and their representatives are often misinformed as to the limits that exist on the personal data to which an employee can seek access via a SAR, and there is a principle of proportionality. Therefore employers must take reasonable and proportionate steps, and ensure they ‘leave no stone unturned'.
For example, employers do not usually need to engage specialist IT consultants to recover deleted emails.
HR colleagues may also wish to closely consider retention periods for employee data. Keeping all data and emails relating to an employee during their 20-year career is likely to make an employer wish it had brought in a retention policy to delete data after six years, if a detailed SAR is raised. Copies of the information can then be provided by electronic copies or hard copy.
Complaints about how an employer responds to SARs are sent to the Information Commissioner, although we note that employees often attempt to complain about it to employment tribunals as well.
After investigation, the Information Commissioner will consider whether the employer has breached the requirements in terms of responding to the SAR. In extreme cases the Information Commissioner can serve enforcement notices and impose financial penalties.
Despite what employees often think, the Information Commissioner cannot award them compensation, although they could bring a court case seeking compensation for harm and distress arising out of failure. HR professionals may find this last point assists them in focusing finance directors and other colleagues on developing appropriate ways to respond to SARs before they are received.
Jim Wright is an employment law partner at Shulmans
