robbryanassociates

Dealing with DSARs

In business principles, discipline and grievance, Employment law, Uncategorized on March 30, 2021 at 10:45 am

Data Subject Access Requests (DSARs)

Employers sometimes have to deal with DSARs from employees trying to bolster grievances or from former employees. It can be very onerous to comply with DSARs, which are one of the core data subject rights under GDPR. The following guidance from the Information Commissioner’s Office provides some clarity on the subject.

Employers often hold large amounts of data on employees and if the employee has been vague or deliberately wide in the DSAR, it may be wise to ask for clarification as to the information sought. The ICO has now confirmed that the clock can be stopped while organisations wait for a requester to clarify their request.

Any DSAR must, in effect, be dealt with within one month of receipt. This can be extended by two months if the DSAR is complex. Such complexity arises if the request involves information from many different email accounts or requires a significant amount of redaction of others’ personal data.

As an employee making a DSAR has no greater rights than other employees, redaction will be needed where an employer must provide emails that contain personal data relating to others. It is therefore possible that large sections of emails will be blacked out.

Following case law under the Data Protection Act, the ICO’s guidance makes it clear that data controllers should make reasonable efforts to retrieve data but should not conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information. It is not necessary to ‘leave no stone unturned’ – reasonable efforts should be good enough.

Employers need to be able to demonstrate that they have looked in any email back-up systems and at data saved on individual managers’ PCs. As a result, managers may need to be asked to check and confirm that they have not saved such information outside of their email account.

Organisations may also wish to consider closely their retention periods for employee data. If a detailed DSAR is raised, an employer that has kept all data and emails relating to an employee throughout a 20-year career is likely to wish it had brought in a retention policy to delete data after six years.

Data controllers need not comply with manifestly unfounded or excessive requests, and the ICO has now provided additional guidance and broadened its definition of these terms. To determine whether a request is manifestly excessive, employers should consider whether it is clearly or obviously unreasonable, taking all the circumstances into account. They should be prepared to justify their position to the ICO in the event of a complaint.

The ICO confirms what can be included in the “reasonable fee” that can be charged for dealing with excessive, unfounded or repeat requests. The fee should be reasonably calculated and can include the costs of making the information available, including photocopying or using an online platform, equipment and staff time. Data controllers may wish to give some thought to their hourly rates and whether they can provide information about these in their privacy notice.

Complaints about how an employer responds to DSARs go to the Information Commissioner, although employees often attempt to raise them before employment tribunals as well. In extreme cases the Information Commissioner can serve enforcement notices and impose financial penalties.

Despite what employees often think, the Information Commissioner cannot award them compensation, although they could bring a court case seeking compensation for harm and distress arising out of an employer’s failure to comply.