Q&A: Help! I have received a data subject access request from an employee, what do I do?

Don’t worry, but you must act promptly and be aware of your organisation’s obligations as a data controller.

A data subject access request (DSAR) rarely comes out of the blue and is often utilised by an employee within a dispute or, where they are gearing up to raise an issue, as part of information gathering. Regardless of their motivation and/or the precise reasons for wanting to access their personal information, all individuals have the right under data protection legislation to require a controller to confirm whether or not personal data about them is being processed and, where this is the case, to be provided with a copy of the data and other specified processing information.

There are strict time limits for complying with a DSAR; the right of access is ultimately enforceable by the Isle of Man Information Commissioner who has statutory powers to issue enforcement notices and impose penalties on data controllers who fail to comply. Individuals can also make a claim for compensation in respect of a breach of the Applied GDPR (the legislation which implements the European General Data Protection Regulation, with modifications, in Isle of Man law).

When responding to a DSAR, the main point is urgency: even where records are well ordered and the volume of data is relatively small, it may be necessary to review the results of searches and remove, or redact, information relating to other people, so as to give effect to their data privacy rights as well as those of the individual making the DSAR.

We have suggested a step-by-step response plan below:

  1. Have you received a DSAR?

In many cases it will be obvious that an individual wishes to make a formal request for access to their personal information under the Applied GDPR, as they will state this. However, it should be noted that a request does not have to be in writing and does not need to refer to the legislation to be valid, nor is there any prescribed form of words that has to be used. Both HR professionals and managers need to be able to recognise a DSAR so that the appropriate action can be taken in the event that a request is made by an employee (or a job applicant, former employee etc).

  2. Acknowledge the request

This is not a mandatory step but advisable so that the individual knows the DSAR has been received and the deadline for responding to the request is clear. The standard period within which a response has to be provided is one calendar month. This period can be extended by a further two months, but only where necessary – e.g. the request is very complex – and provided the need for an extension is notified before the initial one-month compliance deadline. A controller should check the request is valid (i.e. from someone who is entitled to the information) which may entail verifying the requester’s ID or, if the DSAR is made by someone other than the data subject, obtaining a letter of authority.

  3. Check the parameters

A request may be for “all” an individual’s personal data or focused on particular information or a specific date range. It is generally worth checking with the employee who has made the DSAR, but they are not obliged to narrow down their request if they do not wish to do so (albeit this may have an impact on complexity in terms of searching multiple sources and applications for personal data and consequently the timeline for delivering the response).

  4. Carry out searches

A controller must carry out reasonable and proportionate searches for personal data of the individual who has made the DSAR. Generally, a high standard of effort is expected of a data controller but they are not required to search exhaustively and “leave no stone unturned”. What amounts to reasonable and proportionate searches may vary depending on the circumstances, but it will be for the controller to justify the approach taken. Having efficient systems and well-documented policies on records management will make the task of locating personal data easier, but sufficient time should be allowed to complete and consider the results of searches so that, for example, the confidential medical records of employee B are not accidentally released to employee A (with a similar name) who made the DSAR.

  5. Consider third-party information/exemptions

Some personal data held or processed by an employer may relate to more than one individual. The Applied GDPR provides that a controller does not have to comply with a DSAR if doing so means disclosing information that identifies another individual unless that other individual has consented to the disclosure, or it is reasonable to comply with the request without that individual’s consent. This means, in practical terms, that where third-party data is involved, a balancing test applies. A controller is expected in any event to give effect so far as possible to the individual right of access which may mean extracting the personal data of the requester and/or redacting information relating to others in responding to a DSAR.

There are other permitted reasons that personal data of the requesting individual may not have to be provided pursuant to a DSAR. These include, for example, where the employer has taken legal advice (legal privilege), where the disclosure of certain information might prejudice particular management operations (e.g. entail disclosing plans of a contemplated redundancy/restructuring ahead of time) or where the release of information might prejudice “live” negotiations with the employee. There is also an exemption for employment and related references given in confidence. Employers should document their reasons for relying on an exemption, where applicable.

Ultimately, exemptions are construed narrowly and their application can be technical; legal advice may be advisable.

  6. Prepare and send the response

Once the personal data is collected and the controller has checked that the individual is entitled to all of the information proposed to be copied to them, a response letter should be prepared. This will need to include the specified details about processing of personal data mentioned in the legislation. In summary, individuals have the right to know why a controller holds their information, the source of the information, how long the controller plans on keeping it, who it is shared with and how they can ask for it to be changed or exercise other rights in relation to it. The controller should check how the individual wishes to receive a copy of their personal data – if the original request was by email then the reply can generally be sent by email too.

A controller should keep dated records of the information sent pursuant to a DSAR in case of a later challenge or dispute about whether the controller has complied with the right of access.

Complying with a DSAR can be complex and technical (with added pressure to get things right where there is an employment related dispute). Cains can advise on DSARs and the various issues that may arise including:

  • what constitutes personal (i.e. disclosable) data
  • when may an exemption apply and what it covers
  • the position with email databases, archive records and social media accounts
  • balancing interests in the case of third-party personal data
  • manifestly unfounded or excessive requests
  • complaints and challenges to DSAR compliance by an individual