Member Article

Employees have a right under data protection law to access their personal data processed by their employer. But what is essential and best practice for an employer to consider when responding to such request?

There has been a noticeable trend of an upward increase in employee DSARs over the last few years, mainly stemming from employee disputes in the workplace such as grievances and tribunal proceedings. While DSARs have been around for a while, some employers are still not well equipped or do not have an established process in place to respond to one. 

What is a DSAR?

All employees have the right to access and receive a copy of their personal data and other supplementary information from their employer. This type of request is commonly referred to as a DSAR or SAR. An employee can make a DSAR verbally or in writing, such as by email or even through an instant messaging service like Microsoft Teams. The recent ICO guidance update provides some examples of what constitutes a DSAR.

Important considerations when responding to a DSAR

On receiving a DSAR, an employer should consider the following:

Has the DSAR actually come from the employee purporting to make it?

If the employee is still employed and uses their work email address or a personal email address that you have on record, then it is likely to be reasonable to proceed with responding to the request. If you have any doubts over whether the DSAR is genuine, you should seek appropriate verification from the requester

Consider how long you have to respond to the DSAR.

Employers have one calendar month from receipt of the request to comply and respond to the DSAR. The one calendar month must be calculated from the day you receive the request up until the corresponding date in the next calendar month. If the next calendar month is shorter and therefore there is no corresponding date, the date for responding falls on the last day of that month. If the date falls on a weekend or a public holiday, an employer would have until the next working day to respond. Therefore, calculating the correct response date is crucial. If you seek clarification and/or identification in relation to the DSAR, this will ‘stop the clock’ until such clarification and/or identification is received  

Is the scope of the request clear?

If the individual has not clearly defined the scope of their request, or you process a large amount of information about the individual, you can ask for clarification, providing it is genuinely required. As mentioned above, this pauses the time limit within which to reply and you should wait a reasonable amount of time for a response from the individual.

Is it appropriate to charge a fee?

Generally, you cannot charge a fee for the costs of complying with a DSAR. However, if the request is considered manifestly unfounded or excessive or an individual makes a further request for data then a ‘reasonable fee’ can be charged to cover administrative costs such as printing and posting.

Collating the relevant information.

There is a high expectation that employers will provide the requested information and you will need to carry out a reasonable and proportionate search to do so. Once the relevant systems have been searched, data should be analysed and consideration given to any third party data. It may be that consent is needed from these third parties, or redactions made to protect any third party data, before the data can be shared.

Is it possible to refuse the request?

Refusal is only possible when an exemption applies or if the request is manifestly unfounded or excessive. The ICO provides detailed guidance in relation to this. If you refuse to comply with the request, you must explain the reasons why to the individual along with their right to make a complaint to the ICO and the ability to enforce this right through the courts.

Do any of the exemptions apply?

The ICO guidance lists several exemptions under which employers may withhold information. Exemptions include legal professional privilege, management information, data relating to crime and taxation and information relating to negotiations. You should carefully check the ICO guidance on exemptions before responding to a DSAR as not all exemptions will apply in the same way. You will want to ensure sensitive information is not disclosed unnecessarily.

How to send the response?

Copies of the relevant personal data must be provided to the requester together with certain other information, such as on the purposes of processing, categories of data involved, recipients of the data and retention periods, which in many cases will be set out in the employer’s privacy notice, a copy of which can then be provided alongside the personal data. You can respond in a commonly used format. E-mail is fine, unless the individual has reasonably requested an alternative format. 

DSARs can be complex and can involve high volumes of data depending on the scope. If in doubt, you should always seek legal advice to avoid falling foul of the ICO guidelines. Penalties can include a fine or reprimand.

 

Link to article