We are seeing increasing numbers of employees and ex-employees submitting subject access requests to their employers. On some occasions they genuinely need to understand what is held on file about them. On other occasions it appears to us to be no more than a fishing expedition by employees, their lawyers or a desire to simply add to workload/cost as a result of a breakdown in relationships.
But whatever the cause, the ICO (Information Commissioner’s Office) does not allow you to ignore an SAR. Most businesses should expect to receive a SAR (also known as a DSAR – data subject access request) at some point.
Recently, we have been supporting multiple clients with SARs and do so much more cost-effectively (we believe) than most lawyers and the niche SAR/data protection businesses that have been set up since GDPR came into law in 2018. But, if you want to have a go yourself, here are our FAQs to get you on your way…
Should I check that I’m speaking to the right person?
Absolutely you should, determining that you are actually speaking to the person who submitted the request for their data should be your first step. A couple of simple security questions could potentially save you the embarrassment of handing over data to a stranger.
This is something a university PhD student knows only too well, having successfully contacted nearly 150 companies posing as his girlfriend. He found a huge flaw in the GDPR regulations, and one that could have been closed off with a simple confirmation phone call. See case details here.
Can I refuse to respond to an SAR?
You can refuse, but only provided you can demonstrate to the individual that the request is manifestly unfounded or excessive. Be very careful if you want to go down this route though.
In particular ‘manifestly unfounded’ could be justified if the individual has stated they just want to be disruptive, will withdraw it if you offer them some benefit in return (financial or other), or the request includes unsubstantiated allegations against you or an employee. There are some other reasons too, but these should give you a sense for when, if ever, you can refuse an SAR.
If you think you want to do this, we suggest you do so with caution and get advice at an early stage.
In any event you can’t just ignore a request. You would have to do a written response as to why you are not going to provide the information requested.
What if I can’t do the response in the permitted one month …
… as our workloads are just too heavy and we think it’s going to take 20-40 hours to do?
You can apply for a two month extension. You will need to have a genuine reason for the time extension such as complexity of the request or lack of internal resources/know how.
If I have only just set up in business, am a sole trader or have yet to employ anyone, does the Data Protection (GDPR) legislation still apply to me?
The minute you have any information stored electronically about other people (individuals, not businesses) then the law will apply to you. This includes the names and phone numbers of your customers, suppliers, advisors, trustees, volunteers etc.
The law however does not apply to any information you have about people if it is just for your personal or family use e.g. the window cleaner address or phone number you keep for your own household use does not count.
If someone asks for access to any document that contains their personal data, what exactly is personal data?
Any information about a living individual. Not necessarily just private personal information such as a date of birth, ethnicity etc. as this can include information already in the public domain such as an email address or even home address in some circumstances.
The law applies to your patients, customers, employees, suppliers, directors, volunteers etc.
Anything that can be identified as relating to the individual is included. For example, if you use someone’s initials, rather than their full name, in a file/folder but it is clear whose documents are contained within that file, then that is personal data that you may have to disclose.
In most circumstances paper documents are excluded.
I’ve heard the term ‘processing’ but don’t really understand what I might do at work that would be considered ‘processing’.
That’s an easy one! Virtually everything you do at work in relation to documents/records is processing – shredding, reading, scanning, analysing, binning, deleting, storing, copying, editing, sharing etc. These are all considered processing.
Most importantly you are only allowed to process data in certain ways. You need to be clear about what you collect and how you intend to process it and then stick to that (See DPIA FAQ below).
For example, if you collect CVs as part of a recruitment activity, those candidates might expect you to process them in multiple ways (reading, sharing, storing online, analysing and ultimately shredding or deleting). However they would not expect you to process them in other ways. This might include sending their details to a third party who might offer them career coaching, CV writing, insurance or sharing them with other departments in the same business who might, in the future, need to recruit etc.
If an employee tells me I shouldn’t be holding xyz data about them as it’s old data and I should have destroyed it, are they correct?
You should be clear on what data you hold, how you will be processing that data and how long you intend to hold data for. You should aim to only hold data for as long as you need it. (Ideally you will have a clear view on this as a result of the DPIA you did – see FAQ below).
However…exactly how long is ‘as long as you need it’ when you want to protect your business, ensure continuity for your customers, have the necessary documents to rely on if you get investigated by HMRC or need it for insurance purposes etc? How long is a piece of string comes to mind…sorry!
But, as a general guide that you need to adapt for your own business:
- Been recruiting? Bin the details relating to rejected candidates after six months.
- Ex-employee – delete stuff older than six years unless you think they might bring a H&S claim against you – some H&S claims have gone back decades.
- Discontinued Supplier – keep details for no more than three years – in case of claim or query.
- Current employee sickness record – keep for only as long as you might need it and, in any event, no longer than six years after they have left – unless you think they might bring a H&S claim against you.
- Current employee performance review documents – keep for as long as they are employed.
- Current employee change of address notification – delete within one year.
I’ve heard about redacting/anonymising data, but what does that mean and can we do it?
Individuals can request access to their own data but don’t have any rights to the personal data of others. You will therefore want to work through any data you have discovered for the individual who has submitted the SAR and redact/anonymise (i.e. black out/delete) any information relating to other individuals such as name, job title, comments relating to those individuals, salaries, absence records, marital status etc.
Redacting is a fairly lengthy task unless you have a redaction tool. Jaluch is able to support with this, so please do call us.
I’ve heard about eDiscovery software – what is it and do I need it?
It’s not uncommon for eDiscovery/DSAR software to cost upwards of £30K a year so not that many businesses will want to invest! The most expensive we have come across was £60K a year.
The software is installed on your systems and is designed to conduct a search of your systems for all documents relating to an individual on receipt of an SAR. It can search Word docs, Excel, collaboration tools such as Teams and Slack, emails, PDFs etc. It searches for all the documents you hold electronically about an individual (you put in the search terms to be used), which then leaves you with the more manual task of identifying which of those documents need to be disclosed and what, if anything, needs to be redacted before disclosure.
It is therefore an invaluable tool for responding to SARs. For companies not wanting to invest in software, at Jaluch we are able to do searches for you using our own software.
Modern searches of databases in this way for personal data are a world away from when companies used to receive a request and on payment of £10, simply copy the contents of the employee’s personal file held by HR. Where 10 or even 150 documents used to be provided, now it is in the hundreds or even thousands. Just one search recently of one email address brought up over 30,000 documents that contained the individual’s name. What used to be a job that took a few hours, now takes up to 40 hours or more.
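The two steps described above (a keyword search across everything you hold, followed by redaction of other people’s details before disclosure) can be illustrated with a small script. This is an added example written for this article, not Jaluch’s software or any commercial eDiscovery tool; the document paths, names and email addresses are constructed sample data, and the third-party identifier list is assumed to have been compiled by a human reviewer. It redacts only names and email addresses; job titles, salaries and comments about other people, which the article also says must be removed, still need a reviewer’s judgement.

```python
import re

# Constructed sample corpus (not real data). The paths and contents are
# hypothetical stand-ins for files a keyword search might surface from
# mailboxes, HR folders and shared drives.
DOCUMENTS = {
    "hr/notes-2023-03.txt": (
        "Meeting with Jane Smith (jane.smith@example.com) about her flexible "
        "working request. Tom Brown, Payroll Manager, confirmed the change."
    ),
    "ops/rota.txt": (
        "Rota for March: Tom Brown, Asha Patel. "
        "Contact asha.patel@example.com for swaps."
    ),
    "hr/absence.txt": "J. Smith absent 3 days. Asha Patel absent 1 day, salary £32,000.",
}

# Identifiers for the person who submitted the SAR (constructed).
SUBJECT_TERMS = ["Jane Smith", "jane.smith@example.com", "J. Smith"]

# Identifiers of other individuals whose data must not be disclosed
# (assumed to come from a reviewer's pass over the search results).
THIRD_PARTIES = ["Tom Brown", "Asha Patel", "asha.patel@example.com"]


def find_documents(documents, terms):
    """Return the sorted paths of every document that mentions any search term.

    Matching is case-insensitive and literal (terms are escaped), so a dot in
    an email address or initial is not treated as a regex wildcard.
    """
    patterns = [re.compile(re.escape(t), re.IGNORECASE) for t in terms]
    return sorted(
        path for path, text in documents.items()
        if any(p.search(text) for p in patterns)
    )


def redact(text, names, placeholder="[REDACTED]"):
    """Black out each third-party identifier, whole-word and case-insensitive."""
    # Longest identifiers first, so a shorter name that is a prefix of a
    # longer one cannot leave a fragment of the longer one in the output.
    for name in sorted(names, key=len, reverse=True):
        text = re.sub(r"\b" + re.escape(name) + r"\b", placeholder, text,
                      flags=re.IGNORECASE)
    return text


def build_disclosure(documents, subject_terms, third_parties):
    """Select the documents that mention the requester and redact others' details.

    Documents that do not mention the requester are left out entirely: the
    requester has no right to see them, and they would only add review effort.
    """
    return {
        path: redact(documents[path], third_parties)
        for path in find_documents(documents, subject_terms)
    }


if __name__ == "__main__":
    for path, text in build_disclosure(DOCUMENTS, SUBJECT_TERMS, THIRD_PARTIES).items():
        print(f"== {path}\n{text}\n")
```

Run as-is it prints the two documents that mention the requester, with the other employees’ names blacked out; the rota, which never mentions her, is dropped. Real search results will be far larger, and a search on a common surname will pull in plenty of unrelated material, which is why the manual review step remains the bulk of the work.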
What is a DPIA?
This is a Data Processing Impact Assessment. It is a requirement under GDPR legislation.
You are required to analyse, identify and then seek to minimise the data protection risks either within your organisation or relating to a particular project or plan.
If/when you conduct this audit you will begin to see any areas of exposure for your business, gain clarity on what processing is taking place and the relevance of that and be able to clearly answer the questions about processing and general management of data when you receive an SAR. It will take time, but it is required!
Can I not just say that what they are asking is disproportionate…
…either because of the time they were employed by us, or because we are such a small organisation, or because we have no money to pay for support?
If you call the ICO helpline, our experience has been that they will encourage you to ask for more time to respond to your SAR but they don’t really encourage you to refuse the request because it feels disproportionate for the size of your business or your available funds. No business is excused from this legislation but clearly what the ICO expects of you will vary enormously depending on the volume of data you are managing, the sensitivity of that data and the seriousness with which you have put in place the tools or procedures to protect that data.
There are lots more questions but hopefully these will have answered many of the pressing queries about data protection. Fines are huge and this has caused huge stress and anxiety for business owners and directors. Please do get in touch if you think we can help put in place the things that will help you manage your data with minimum risk.
Our team can offer you the following (in our usual friendly, practical style):
• GDPR eLearning or GDPR workshops for employees, volunteers and managers.
• A full SAR response service or just redaction support and guidance on discovery.
• Monthly retainer for data protection support including conducting/updating the DPIA, regular review of contractual clauses and employment policies and procedures, answering of day to day enquiries about data protection.
• Ad-Hoc project work.
Disclaimer: The information contained within this article is for general guidance only and represents our understanding of employment and associated law and employee relations issues as at the date of publication. Jaluch Limited, or any of its directors or employees, cannot be held responsible for any action or inaction taken in reliance upon the contents. Specific advice should be sought on all individual matters.