DSAR dos and don’ts for Employers following new ICO guidance

Most employers dread the time-consuming exercise of having to deal with Data Subject Access Requests (DSARs).

Often used as a tactical play by former or current members of staff, a DSAR is an individual's request for copies of all personal data held by an organisation in respect of the person making the request (the data subject). This is a right enshrined in data protection law, giving all individuals a statutory right to access and receive a copy of their personal data, together with other supplementary information. Any information held about employees, provided they are identifiable and the information relates to them as an individual, can constitute personal data for DSAR purposes. This can include information contained in HR records and internal communications, such as emails or MS Teams messages, where the employee is specifically referenced. The personal data provided as part of an employer's DSAR response, often in the form of documents, can be (and frequently is) used to form the basis of internal grievances or Tribunal claims by aggrieved employees, who may have submitted the DSAR with a view to obtaining evidence to support their complaints.

A failure to respond to a DSAR in line with statutory guidance and requirements can result in the employee lodging a complaint with the Information Commissioner’s Office (ICO). The ICO may then investigate the complaint and take enforcement action against the employer. An employee can also apply to the civil courts for a court order requiring the employer to comply with the request and to pay them compensation.

Employers should therefore ensure that they have a good understanding of the ICO's new guidance (helpfully, in Q&A form) on responding to DSARs from employees, and that best-practice steps are in place for responding to them. This is perhaps more important now than ever, given the ICO's recent commitment to taking enforcement action against non-compliant employers.

We set out some dos and don’ts for employers tackling DSARs, below. For advice on best practice and how these changes can be implemented across the workforce, do not hesitate to contact our specialist employment team.

We summarise 5 changes complete with advice on dos and don’ts below:

  1. DSARs can be made informally – not just in writing

An employee can raise a DSAR verbally, or even via social media – there is no prescribed form in which a DSAR must be made. A simple question to a manager (“please send me my HR file”, “what information do you hold on me?” or “can I see those meeting minutes?”) may be enough to constitute a DSAR. Do therefore investigate any such queries from employees and clarify whether they intend them to be treated as a DSAR. Don’t ignore requests for data made via MS Teams or other chat software which is often thought of as less formal, as such a request could well be considered a DSAR in the eyes of the law.

  2. Employers can clarify employee requests if they are not clear

Employees’ requests for personal data should be specific enough to allow you to undertake a search for the personal data and respond properly. Employers are well within their rights to ask an employee to clarify the scope of their request where a large volume of information is held in respect of the employee (e.g., they have been an employee for years and the company holds a lot of information about them) or where clarification is required to respond properly to the DSAR. Where DSARs are not specific, employers can ask employees whether they want to narrow their request to specific information, or to limit it to, say, the last 3 years. This could reduce the amount of information which needs to be sent to the employee and, in turn, the administrative time spent complying with the DSAR. If an employee maintains that they do want everything and does not narrow their request, the ICO guidance advises that employers should still carry out reasonable searches of information to comply with the request. Do ensure that you have clarified the scope of the DSAR with the employee if and when needed. Don’t try to avoid complying with the DSAR where the employee refuses to narrow their request – it is still a valid request!

  3. Employers can withhold information in certain circumstances

In law, there are exemptions to a person’s right to access their personal information. Employees do not have an unfettered right to their personal data, and employers are entitled to withhold some or all of the requested information if that information is exempt in the eyes of the law.

The ICO summarises the categories of data which are exempt in the eyes of the law, and suggests that employers must apply exemptions on a case-by-case basis and justify and document their reasoning for relying on an exemption.

One example of an exemption is third party data (or “mixed personal data”). This exemption is designed to protect the rights of others and means that where an employee’s personal data is “mixed in” with third parties’ personal data, the employer has discretion to determine whether it is reasonable to withhold or disclose such data without the third party’s consent. If the third party does consent to the disclosure, it is fine for the employer to disclose. In practice, most employers would simply redact third party data and only disclose personal data relating to the requester.

The ICO also refers to witness statements used or procured as part of internal disciplinary processes or grievances as one example of a document to which employers may wish to apply the “mixed personal data” exemption. The ICO advises employers to consider the reasonable expectations of the third-party witness/interviewee at the time they were interviewed. Did they consent to their identity being disclosed to the requesting employee? Were they asked to consent? If witness statements were given by the witness or third party with the expectation of confidentiality, and/or if redactions would not be enough to conceal the witness’s identity, the ICO advises that it may be justifiable to withhold those witness statements.

The ICO also advises that a person’s seniority and role are important to whether a witness statement should be disclosed; it is more likely to be reasonable to disclose information about an employee acting in a professional capacity than a private citizen.

The ICO also uses a whistleblowing report as another example of a document, under the “mixed personal data” exemption, which an employer can reasonably justify withholding from a DSAR response. As the ICO advises, this applies only where a protected disclosure is made which is genuinely in the public interest (i.e., the disclosure satisfies the technical legal test for whistleblowing).

Confidential references provided to the employee’s prospective employer are also exempt where the reference is provided for the purposes of education, training, or employment of that employee, someone working as a volunteer, appointing someone to office, or the provision of any service by someone. The reference must be given in confidence for this exemption to apply.

The ICO guidance lists several other types of exemption and scenarios for employers to be aware of when considering whether an exemption applies. The key point is for employers to ensure that exemptions are considered on a case-by-case basis rather than on a one-size-fits-all basis, and that any decision as to whether an exemption applies is well considered and documented. Any decision-making process should be backed up by a clear paper trail, in case the ICO were ever to question it.

Do carefully consider whether any of the exemptions apply to documents which turn up in the reasonable searches carried out pursuant to a request (and ensure the decision-making process is documented). Don’t conclude that an exemption applies without proper consideration, and without explaining the decision to the requester.

  4. Employers can refuse to comply with a DSAR

… contrary to popular belief, but only where the DSAR is considered (i) manifestly unfounded, or (ii) manifestly excessive.

The ICO guidance states that a request may be considered manifestly unfounded if the worker has no intention of exercising their right of access, or if the request is malicious in intent and is being used to harass the company, being made with no real purpose other than to cause disruption.

The guidance further states that malicious intent can be indicated by the DSAR targeting a specific employee with whom the requester has a personal grudge, systematically sending requests as part of a campaign, and/or making unsubstantiated allegations against the company or employees which are clearly prompted by malice.

We would advise employers to err on the side of caution here if/when concluding that there is malicious intent behind a request. Employees who try to argue that they will withdraw a DSAR on receiving a higher exit package, for instance, and provided that offer was made openly, can be said to have made manifestly unfounded DSARs.

The ICO advises, in respect of manifestly excessive requests, that employers should consider whether the DSAR is clearly or obviously unreasonable. That assessment should be based on whether the request is proportionate to the burden on the employer of complying with it. There are a number of factors which the ICO suggests employers should take into account when dealing with a request, including the context of the requester and the relationship between the requester and the employer. A request is not necessarily manifestly excessive just because a lot of information has been requested.

Do ensure that an employee is advised of the reason why you consider their request either manifestly unfounded or manifestly excessive in writing, and in as much detail as possible. Don’t conclude that you have no duty to comply with the DSAR on the basis of (i) or (ii) above without proper thought, consideration, and a paper trail.

  5. Employers should have clear policies in place regarding IT

… which should make clear the organisation’s role in controlling employees’ own personal email or social media accounts where they are accessed via workplace devices. Employees could otherwise argue that personal data held in those personal accounts is material which should be provided as part of the employer’s DSAR response.

Any such policy should also deal with CCTV footage if CCTV is utilised in the workplace. It could, for instance, set out the retention period for any CCTV – which would then be applicable to any DSARs for that CCTV footage. The ICO’s guidance warns employers that CCTV footage can and often does contain personal data related to other members of staff and may be disclosable as part of the DSAR. Third party images in CCTV can be difficult to redact or cover.

Do have a clearly drafted acceptable IT use policy. Don’t avoid clarifying the employee’s request for CCTV footage if needed. Employers can, depending on the circumstances, ask the employee to narrow their request for CCTV to specific dates or times.

The above is intended as a summary of the new guidance only and is correct at the time of writing. The latest guidance should always be consulted.

For specific advice in respect of the above, do not hesitate to contact our specialist employment team: employment@curzongreen.co.uk.