The right of an individual to obtain copies of their personal data from a company is a key element of the General Data Protection Regulation ((EU) 2016/679) and the Data Protection Act 2018 (which adopts the GDPR and supplements the GDPR requirements). But when the individual seeking the information is a current employee, it can be difficult to find the right balance between disclosure and protecting your company’s legitimate interests.
Rights to access: the legal framework
In the United Kingdom, an individual’s right to access data concerning him or her has been a key part of data protection legislation since at least the Data Protection Act 1984. Over the last 35 years, however, the information held by companies which constitutes personal data has expanded exponentially, thanks both to technological innovation and to the breadth of the statutory definition of “personal data” and the wide interpretation of that term given by the courts.
The right of an individual to request access to and copies of their personal data is enshrined in the data subject protections established by the GDPR. It is also a fundamental right under the Charter of Fundamental Rights of the European Union (2012/C 326/02), wherein Article 8(2) states that “everyone has the right of access to data” which is collected about them.
DSARs in an employment context
Clearly, this right extends to employees, and in practice data subject access requests (“DSARs”) are frequently made in the context of employment disputes, or even tribunal or court claims. Article 12 of the GDPR sets out what information the individual is entitled to, which includes (by way of summary) a copy of the personal data in question, together with the purpose for which the personal data is being used and the recipients of the data.
A company’s obligations and rights when considering a DSAR
Responding to a DSAR can involve considerable effort and time, as well as an analysis of the employee’s objectives. If proper procedures are not in place, the employer runs the risk of violating its obligations under the GDPR.
As a controller of the individual’s personal data, the employer is obliged to handle the employee’s request in a fair and transparent way. The employer must likewise facilitate the employee’s exercise of their rights, and do so in a manner which is concise, intelligible and easily accessible, using clear and plain language (Article 12 GDPR). Furthermore, the request must be acknowledged and dealt with without undue delay, and in any event within 30 days of receipt. Only in certain circumstances is an additional two-month extension to handle the request permitted.
Exceptions in the context of Employee Disputes
In most cases, an employer will be required to respond to a request. However, it is important to note – especially in the context of employment disputes – that some circumstances permit an employer to limit the information provided to the data subject, or to refuse the request entirely.
By way of example, if an individual’s request is very wide, the employer may argue that it is “manifestly unfounded or excessive.” In such instances, the employer could seek to charge a fee or refuse to act on the request. Likewise, there is no obligation to comply with a subject access request if legal professional privilege applies, nor is there a general obligation to release personal data which is used for the purposes of management planning, where doing so would prejudice the conduct of the business.
Even where an exemption may apply, employers must be very careful when handling DSARs from dissatisfied or potentially litigious employees. If a data subject believes that the employer has failed to comply with the requirements of the access request, they are entitled to challenge the response by complaining to the Information Commissioner and/or applying to a court for a compliance order.
Ignoring the DSAR won’t make it go away.
Whether a data subject access request is granted or not, the request must be acknowledged and answered properly. The response to employees must adhere to prescriptive legislation and tight deadlines. Given the potential technical complexity, reputational risks and other HR-related nuances, an organisation must ensure that it has adequate procedures in place, and that the staff working on the subject access request have sufficient training.