Responding to a data subject access request from your employee/former employee | Winston Solicitors Skip to main content
Data subject access request

Posted on 4 July 2022

Responding to a data subject access request from your employee/former employee

Posted in Advice

Responding to any data subject access request (DSAR) can be tricky, especially when the DSAR comes from a current or former employee. The sheer volume of personal data that organisations collect and process in respect of their employees can make identifying, reviewing, and disclosing information responsive to a DSAR a mammoth task.

What can a business do to help with data access requests

There are steps a business can take to make the DSAR process easier and more efficient.

1. The employee has requested copies of all of their personal data – where do we start?

If you process a large amount of information about the employee and it is not clear what information they are requesting, you can ask the employee to clarify their DSAR – for example, you can ask them to identify particular issues or incidents that they are concerned about and to specify a timeframe or provide additional context. 

This can ‘stop the clock’ running on the timeframe for responding to the DSAR. The clock starts again when the employee responds. If they don’t respond after a ‘reasonable’ period (e.g. one month), you can consider closing the request. Caution should be exercised; the regulator may not agree that clarification was needed. It might be better to simply run reasonable searches for relevant personal information based on what you think the employee is looking for.

2. Where do we look? 

Start with your HR systems – this should be straightforward. Then you need to think about where else relevant information might be. 

If, for example, you’re dealing with a recently dismissed employee, then they are likely interested in discussions among those people involved in the dismissal decision-making process. This could include the employee’s line manager and other colleagues (e.g. the HR team). Consider what channels these individuals use to communicate and whether it is reasonable, taking into account obligations to those employees too, to search their email folders and/or other channels.

3. There are thousands of documents containing this employee’s data – do we have to review every single one?

No. Where you have an unmanageable volume of documents containing the employee’s data, you can apply targeted search terms to find the information most relevant to the DSAR. 

Your IT team may be able to help with these searches or, alternatively, there are multiple providers of review platforms well suited to quickly and accurately running searches and then enabling easy review of the data. Using a third-party review platform means incurring costs, but the time-saving can be substantial. 

4. Some of these documents contain sensitive information about others – do we have to disclose them?

The UK GDPR outlines various exemptions to the right of access. Where one applies, any document provided to the requestor should be redacted so exempt information is not visible. In some cases, this means that documents should be withheld in their entirety. 

Commonly applicable exemptions in the context of employee DSARs include privilege (e.g. emails containing legal advice about a dismissal), management forecasting (e.g. where the employer is contemplating a restructuring), and third party privacy rights. 

5. We can’t get this all done in a month. What are our options?

The time frame for responding to a DSAR may be extended by up to two months if the DSAR is complex or one of multiple requests made by the employee. You must notify the employee and explain the reasons for the extension. The complexity of a DSAR will depend on a number of factors and employers should not default to an extension, unless it can be justified.

We can assist with DSAR requests, which are often made in conjunction with existing or threatened employment tribunal proceedings. Call 0113 320 5000 or fill in the contact form today. 
 

Contact Paul today