Dealing with Data Subject Access RequestsPosted in : Hot topics in Employment and Technology Law with Matheson on 30 July 2019 Issues covered:
The scope of a Data Subject Access Requests (DSAR) is wide ranging and has become a staple action point in the itinerary of an employee embarking on a contentious internal or external litigation process with their employer. In this month’s Hot Topics article, Cormac Murphy, Senior Associate with Crowley Solicitors outlines an Employer’s obligations in dealing with DSAR’s and discusses some of the more controversial aspects such as the receipt of a DSAR during a contentious investigation, disciplinary or appeals process.
The scope of a DSAR is wide ranging and has become a staple action point in the itinerary of an employee embarking on a contentious internal or external litigation process with their employer. If an employer collects, holds and uses personal data belonging to a current or past employee and the employer falls under the scope of the GDPR and the Irish Data Protection Acts 1988-2018 (DPA), then a reply attaching all personal data in scope must issue from the employer to the employee within 1 month (extendable in certain circumstances by a further 2 months).
The purpose of this article is to provide:
- A step by step guide to handling DSARs from employees; and
- To address some practical challenges in dealing with DSARs that we hear about from employers in the specific context of an investigations, disciplinary or appeals process.
What is a DSAR?
Article 15 of the GDPR allows an employee to seek confirmation from their employer that personal data relating to them is processed by the employer. However, the real crux of this article from an employer’s perspective is it must provide a copy of the personal data undergoing processing to the employee making the DSAR.
Why is it important to get the process right?
It is in compiling a copy of all the employee’s personal data that all the heavy lifting on the part of an employer arises. This exercise can amount to immense pressure in terms of time, cost and resources to ensure the response to the DSAR meets the requirements of the GDPR. In addition, if the employee is not satisfied with the DSAR response, it is open to them to file a complaint with the DPC that the employer did not properly respond to the DSAR.
Complaints relating to DSARs made up 33% of reported complaints to the Data Protection Commission (DPC) during the period 25 May 2018 - 31 December 2018, according to the DPC’s Annual Report 2018.
Time limit for responding to a DSAR
As the time limit for responding to a DSAR is one month from receipt of the request, it is important the process of searching for the employee’s personal data is commenced immediately. If an employer looks to extend the period for response by a further 2 months due to the complexity of the request (per section 91 of the DPA 2018), the employee must be contacted within 1 month to inform them of the extension and why is it necessary. There is no guidance from the DPC or the UK Information Commissioner’s Office as to what constitutes a “complex” request. A leading case on DSARs from the UK Durant v Financial Services Authority unfortunately does not help us in determining whether a DSAR is complex.
Without such guidance, it is up to an employer to determine what is excessive or complex and it remains an open question as to how the DPC would rule on an employer’s determination. We are advising employers where possible to store personal data in a dedicated and secure part of their IT systems in order that they can efficiently respond to a DSAR.
In addition, an employer’s data protection policy dealing with DSARs should address where a DSAR crosses a threshold from being routine to being excessive or complex. If the policy is applied consistently and fairly by an employer, it will most likely be taken into account by the DPC in determining whether a complaint is in fact excessive.
Steps to take on receipt of a DSAR
An employer is entitled to seek further information from the employee to verify their identity and the scope of their request.
It is good practice to write to the employee at the earliest opportunity to:
- Confirm receipt of the DSAR
- Request further clarification on the request
- Seek confirmation of identity, if necessary
- Propose the scope of the reply and seek the employee’s agreement
- Indicate when the request is likely to be responded to
An employee does not have to explain why they have submitted a DSAR. However, provided an employer is not trying to frustrate the process, there may be cases where it may be appropriate to seek an explanation and background to the request.
Often, an employee might be looking for a particular document or category of document that falls outside the scope of a DSAR, such as commercial documentation.
In some cases, it may also be appropriate to try to agree the scope of the search with the employee. This may become particularly important where the DSAR covers unstructured data.
A non-exhaustive list of unstructured data includes:
- Word processing documents
- Audio files
Searches through unstructured data can be complex and time consuming for an employer and this is where defining the scope of the search with the employee can play an important part of the process.
A copy of the data must be provided free of charge but an employer may charge a reasonable fee based on administrative costs for any further copies requested.
If the DSAR is manifestly unfounded or excessive, in particular because it is excessive, an employer may charge a reasonable fee or refuse to act on the request. In the first instance, however, the employer must take steps to agree to narrow the scope of the request with the employee so that it is no longer manifestly unfounded or excessive.
If an employer refuses to act on the DSAR, it must inform the employee of:
- The reasons for refusing to respond
- Their right to make a complaint to the DPC
If the DSAR is made electronically, the data must be provided to the employee in electronic format, unless they have asked for it in a different format. An employer should always keep a copy of what is sent to the employee.
The following should be maintained and reviewed regularly:
- A record of the processes in place to comply with DSARs
- A log of DSARs received, the steps taken to comply with them and the decisions taken.
Potential curveball: the receipt of a DSAR during a contentious investigation, disciplinary or appeals process
The obvious concern for an employer is whether responding to a DSAR will prejudice any active investigation, disciplinary or appeals process. There is a useful UK employment tribunal case that, although not directly applicable in this jurisdiction, provides some guidance as to whether non-compliance with a DSAR made in the context of a dismissal had any effect on the overall fairness of the dismissal.
In the case of McWilliams v Citibank NA (UK Employment Tribunal, Case Number: 3200384/15) the claimant was dismissed following allegations that she had breached client confidentiality in her use of trading chat rooms. Following her suspension, she made a DSAR which was refused on the basis of proportionality for being too extensive. The scope of the DSAR was then limited to certain search terms relevant to the disciplinary proceedings but was again refused on the basis that it was unreasonable.
The dismissal was held to be unfair and the employer's failure to comply with the DSAR was held to have contributed to its procedural unfairness. The employee was suspended and had no access to the documents that she needed in order to prepare her response to the disciplinary allegations. She was given no alternative but to rely on the employer's investigation, which was found to have been unreasonable.
For an employer, to reject a DSAR without any consideration of the legal basis for doing so (particularly because the motive for making a DSAR does not negate the need to comply) is a risky approach and likely to lead to complaints to the DPC. Although the case from the UK is an employment tribunal decision and does not adjudicate on the non-compliance with the DSAR in itself, it undoubtedly contains principles that are useful for employers receiving DSARs from employees during disciplinary proceedings or from those contemplating litigation.
We expect to see more reported decisions from the WRC and courts dealing with the role DSARs play when examining whether the principles of natural justice and fair process were applied or not.
Did you know we offer an eLearning Data Protection in the Irish Workplace course which is tailored specifically to provide your employees with comprehensive training and you with an evidence trail for the DPC, should a data breach occur.
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.