robbryanassociates

Dealing with DSARs

In business principles, discipline and grievance, Employment law, Uncategorized on March 30, 2021 at 10:45 am

Data Subject Access Requests (DSARs)

Employers sometimes have to deal with DSARs from employees trying to bolster grievances or from former employees. It can be very onerous to comply with DSARs, which are one of the core data subject rights under GDPR. The following guidance from the Information Commissioner’s Office provides some clarity on the subject.

Employers often hold large amounts of data on employees and if the employee has been vague or deliberately wide in the DSAR, it may be wise to ask for clarification as to the information sought. The ICO has now confirmed that the clock can be stopped while organisations wait for a requester to clarify their request.

Any DSAR must be dealt with effectively, within one month of receipt. This can be extended by two months if the DSAR is complex. Such complexity arises if it involves information from many different email accounts or requires a significant amount of redaction of others’ personal data.

As an employee making a DSAR does not have rights above other employees, redaction will need to occur if an employer must provide emails that contain personal data relating to others. Therefore, it’s possible that large sections of emails may be blacked out.

Following case law under the Data Protection Act, the ICO’s guidance makes it clear that data controllers should make reasonable efforts to retrieve data but should not conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information. It is not necessary to ‘leave no stone unturned’ – reasonable efforts should be good enough.

Employers need to be able to demonstrate they have looked in any email back-up systems and data saved on individual managers’ PCs. As a result, it is likely that managers may need to be asked to check and confirm they have not saved such information outside of their email account.

Organisations may also wish to closely consider retention periods for employee data. Keeping all data and emails relating to an employee during their 20-year career is likely to make an employer wish it had brought in a retention policy to delete data after six years, if a detailed DSAR is raised.

Data controllers need not comply with manifestly unfounded and excessive requests and the ICO has now provided additional guidance and broadened its definition of these terms. To determine whether a request is manifestly excessive employers should consider whether it is clearly or obviously unreasonable, considering all the circumstances. They should be prepared to justify their position to the ICO in the event of a complaint.

The ICO confirms what can be included in the “reasonable fee” that can be charged for dealing with excessive, unfounded or repeat requests. The fee should be reasonably calculated and can include the costs of making the information available, including photocopying or using an online platform, equipment and staff time. Data controllers may wish to give some thought to their hourly rates and whether they can provide information about these in their privacy notice.

Complaints about how an employer responds to DSARs are sent to the Information Commissioner, although employees often attempt to complain about it to employment tribunals as well. In extreme cases the Information Commissioner can serve enforcement notices and impose financial penalties.

Despite what employees often think, the Information Commissioner cannot award them compensation, although they could bring a court case seeking compensation for harm and distress arising out of failure.  

Sleep-in Payments Ruling

In contracts, Employment law, pay, Uncategorized on March 23, 2021 at 9:32 am

The Supreme Court has ruled that care workers are not entitled to national minimum wage for ‘sleep-in’ shifts. This follows appeals in the cases Royal Mencap Society v Tomlinson-Blake and Shannon v Rampersad and another (T/A Clifton House Residential Home).

The court referred to a recommendation first made in 1998 by the Low Pay Commission, and accepted by the government as part of the National Minimum Wage Regulations 1999, that sleep-in workers should receive an allowance and not the NMW unless they are awake for the purposes of working. The same recommendation was also included in the National Minimum Wage Regulations 2015.

It was however made clear that this ruling only applies to shifts where an employee is expected to sleep during their shift, which the claimants in this case were.

Making Flexible Working Work

In contracts, covid-19, family, Uncategorized on March 16, 2021 at 11:03 am

Flexible working arrangements are now helping to keep many businesses operational amidst restrictive coronavirus regulations. Many companies that once thought flexible working arrangements could not work for them, are now functioning with remote working and flexible working hours. The picture is very mixed. At one end of the spectrum Microsoft has decided that some jobs will no longer return to the office. This is diametrically opposed by Goldman Sachs saying that home worker is “a temporary aberration” that does not fit their dynamic interactive culture.
 
In our experience there is a place for homeworking. For the majority that is not full time but a portion of the working week. The “closed-minded” approach of an employer may now find some kickback!
 
This can include reduced stress to better engagement. It is recognised that employees able to achieve a work-life balance are more likely to be happier and more productive at work. It could be that it’s simply different working hours or some days working remotely. There are recruitment and retention benefits too. Opportunities for flexible working is likely to be a question from candidates in the future and some employees may start to seek out an employer who has a flexible working policy in place.
 
However, we suggest that now is the time for employers to assess potential benefits as part of the inevitable excess of re-examined job roles and functions upon return to the workplace post-Covid and in the foreseeable future.
 
There will be some compliance issues: working hours are subject to the Working Time Regulations. A change in location must be preceded by a health and safety risk assessment in respect of that workplace and equipment being used.
 
A foundation of trust is also needed for flexible working practices to be effective. For example, remote staff or out-of-hours working can mean less day-to-day visibility. Staff surveillance software is available, but this may undo all the good that flexible working can achieve and does not always make for a good relationship between the parties.
 
Also, consideration needs to be given to the impact of changing working procedures for some that can impact significantly on others, from employee workflow to client relations.
 
Just because a working pattern has been in place since lockdown, it is not necessarily the best thing for your business. It might be, but it might not. The sooner steps are taken to have those discussions the “returning” or “non-returning” workers the better! 
 
Changes that you agree to should improve and not hinder your business in the long run. If you wish to discuss how flexible working might work in your business, email us to book a flexible working strategy call.