Busting common myths around Data Subject Access Requests
Data subject access requests are often used by employees tactically when in dispute with their employer, for example to cause a nuisance or to obtain information earlier than the disclosure deadline set by the Tribunal. We have answered below some of the myths we see around these requests.
Myth one: We have to provide all information even if it is commercially sensitive.
You are only required to provide information which amounts to the requester's personal data. Other information contained in the same document, such as financial information or business plans, is very likely not "personal data" and can therefore usually be redacted before the document is disclosed.
Myth two: The only thing I need to think about is the employee requesting the data.
As an employer, you need to consider the data subject rights of not only the person making the request, but also of other people too. For example, you have to be careful not to provide data to one employee which potentially breaches the privacy of one of your other employees.
Where the information requested also relates to another individual (for example, a second employee), you are not required to disclose that information unless:
- The other person has consented; or
- It is reasonable to disclose the information without the consent of that other person.
How would you know if it is reasonable to disclose without consent? This is a judgement call which will need to be considered on a case-by-case basis depending on the circumstances, including taking into account why consent has been refused if you have tried to obtain it.
The facts will be key. You can expect the ICO to be understanding of a refusal where the purpose is to protect the potential victim of a sexual harassment allegation, given the sensitive nature of that context, but perhaps less understanding where the comments were made by a line manager in the normal course of their duties, such as in relation to performance or attendance.
Myth three: I have to respond to a data subject access request within one month - no matter what.
It is possible to extend the one-month period by a further two months (three months in total) if the request is complex or you have received a number of requests from the same individual.
Whether a request is complex will depend on the circumstances. The breadth of the request and the time period it spans are relevant, as are the size and resources of the employer.
However, this extension should not be used lightly, and the ICO Guidance suggests that the size of the request alone will not justify an extension unless other factors are also relevant. The factors identified in the ICO Guidance are:
- Technical difficulties in retrieving the information – for example if data is electronically archived.
- Applying an exemption that involves large volumes of particularly sensitive information.
- Clarifying potential issues around disclosing information about a child to a legal guardian.
- Any specialist work involved in obtaining the information or communicating it in an intelligible form.
- Clarifying potential confidentiality issues around the disclosure of sensitive medical information to an authorised third party.
- Needing to obtain specialist legal advice. If you routinely obtain legal advice, the request is unlikely to be complex on that ground alone.
One thing to remember is that you must inform the employee of any extension before the end of the initial one-month period, and you must give a reasonable explanation of why the extension is needed.
Myth four: We don’t have to provide information relevant to the Employment Tribunal as we are not at the disclosure stage yet.
Myth five: We are in without prejudice negotiations with this employee and so we don’t have to respond to the DSAR.
Although these are both myths, there are some exemptions where you are not required to provide data but these are relatively limited:
- Where there is legal advice privilege – this is documents/correspondence/information between a client and their lawyer for the purposes of obtaining legal advice.
- Where there is litigation privilege – this is documents/correspondence/information prepared for the dominant purpose of litigation which is in progress, pending or reasonably contemplated.
- In the context of a reference given (or to be given) in confidence for employment, training or educational purposes. This covers the data both in the hands of the giver and the receiver of the reference.
- Where disclosing the information would be likely to prejudice the conduct of the business (for example, management forecasts and planning). The example given in the ICO Guidance is as follows:
“The senior management of an organisation are planning a reshuffle. This is likely to involve making certain employees redundant, and this possibility is included in management plans. Before the organisation reveals the plans to the workforce, an employee makes a subject access request. In responding to that request, the organisation does not have to reveal their plans to make the employee redundant, if doing so would be likely to prejudice the conduct of the business (perhaps by causing staff unrest before the management’s plans are announced).”
- Personal data relating to negotiations between the employer and employee but only to the extent that compliance with the subject access request would be likely to prejudice the negotiations.
For example, if an internal company document says "we should tell our lawyers they can go up to £20,000 but should only start by offering £5,000", disclosing it to the employee you are negotiating with would clearly prejudice those negotiations, so that passage can be withheld. However, you are still required to disclose all other personal data in the document which would not be likely to prejudice the negotiations.