Employee Data Subject Access Requests: Part 1 – where are we now and what questions remain? (UK)
Just when we thought we were getting to grips with some of the stickier issues around Data Subject Access Requests (DSARs), then along comes the EU General Data Protection Regulation (GDPR) and numerous new ambiguities over how its DSAR provisions might work in practice. We are waiting for the ICO’s guidance and update on its Code of Practice which will hopefully provide a bit of clarity but until then, in this five part blog series, we will offer our own views on the relevant practical concerns for employers facing DSARs.
As recently as 2017, a number of landmark legal rulings were issued that offered a degree of clarity on some of the thornier issues around DSARs in the employment context.
In Ittihadieh v Cheyne Gardens RTM Company Ltd, the Court of Appeal confirmed that a collateral purpose does not defeat a DSAR. Since that judgment, any argument that a data controller could refuse to comply with a DSAR on the basis that it had been made, for example, as a fishing expedition, a nuisance tactic in negotiations or to obtain early litigation disclosure, would be futile.
Likewise, Dawson-Damer v Taylor Wessing LLP and Ittihadieh addressed uncertainty over the issue of proportionality, i.e. could a data controller refuse to carry out a search or limit a search on the basis that to do otherwise would require disproportionate effort? Those cases confirmed that while the principle of proportionality could not justify a blanket refusal to comply with a DSAR, it could limit the scope of the efforts that a data controller must take in response.
So the fog around the rules of engagement around DSARs was beginning to lift by the end of 2017, with clarity emerging on those issues courtesy of the Courts and also a newly updated Code of Practice issued by the ICO in June of that year.
And then, on 25 May 2018, the red mists descended again when the EU GDPR became enforceable and, with it, a new DSAR regime.
On the one hand, the DSAR provisions of the GDPR (and the Data Protection Act 2018) are broadly similar to the rights provided under the old Data Protection Act 1998. There are, however, some notable differences, including:
- The list of transparency information that the data subject can request is expanded under the GDPR and includes: (i) the retention period for the personal data processed; (ii) information on any automated decision-making or profiling, plus if relevant, the logic involved and the consequences of such processing for the individual; and (iii) the existence of the rights to rectify or delete his personal data or to restrict or object to the processing of it.
- Under the DPA98, employers had 40 days to provide the information requested. Under the GDPR, the deadline for a response has been shortened to: “without undue delay and in any event within one month of receipt of the request”. However, this deadline is potentially extendable by up to a further two months (so three months in total), if necessary, taking into account the complexity and number of the requests.
- Under the DPA98, employers were able to charge a fee of up to £10 to provide information under a DSAR. Under the GDPR, this has been scrapped and the information must be provided free of charge. However, when a request is “manifestly unfounded or excessive”, employers can charge a reasonable fee or refuse to act on the request altogether.
- The right to access under the GDPR expressly requires that the rights and freedoms of others should be considered so that they are not “adversely affected”. The examples given in the GDPR recitals mention trade secrets or IP. However, these rights should not be used as the basis for a refusal to provide all information to the employee, merely that information which would prejudice the trade secrets, etc.
All very easy to say at a distance. Closer to, however, many questions exist around the interpretation of the new rules and how they will work in practice. For example,
- What will constitute a “complex” DSAR, entitling the data controller to rely on the two month extension? See Part 2 of our blog series .
- What steps can a data controller take to limit the scope of its search when the IT search throws up tens or hundreds of thousands of documents for review? This question is key, bearing in mind both the shortened time-span for the response and the disappearance of the “proportionality” wording included in the DPA 98 from the GDPR and the Data Protection Act 2018.
- To what extent is the one month response period put on hold in circumstances where you are awaiting necessary further information from the individual regarding their request?
- What would be deemed a “manifestly unfounded or excessive” request, justifying a data controller’s refusal to comply or the imposition of a reasonable fee. Is there any limit on what counts as a “reasonable fee” (bearing in mind that the old £10 fee didn’t even buy the coffees of the staff charged with reviewing the documents)? Where is the line between when you can charge that fee and when you can refuse to respond to the DSAR at all?
- Given that the GDPR expressly requires that the rights and freedoms of others should not be ‘adversely affected’, how should we deal with ‘mixed data’ cases, i.e. when a third party’s personal data is intertwined with that of the requester? Will the prohibition on adverse impact be absolute, or merely something to be weighed in the balance with the needs and rights of the DSAR-maker? Who decides?
Nearly five months after the GDPR became enforceable, we still await official European and domestic guidance on the new DSAR regime (including an updated Code of Practice) that may shed some light on these and other murky points.
What should you do now?
In the meantime, it is wise to seek specialist help should you be contending with an employee DSAR or preparing yourself for one.