An unanticipated consequence of the increase in redundancies resulting from the pandemic is that many organisations find themselves in receipt of more data subject requests, in particular subject access requests (SARs).
Since GDPR came into effect in May 2018, individuals have become much more aware of their data protection rights and their ‘Right of Access’ which is the right to request a copy of the personal data an organisation holds about them. Personal data is any information that can be used to identify a living individual and the scope of this definition is wide including basic contact information, images, IP addresses and opinions. When sensitive employment related issues are in hand, it has become increasingly common for employees to submit a SAR to their employer to obtain a copy of personal data held within their personnel file, emails, instant messages, video recordings, CCTV images, text messages and more. It can be can a costly and time consuming administrative exercise to process these requests, especially if the employee has been with the organisation for a long time and significant personal data is held.
We recommend that organisations have a clear process in place to discharge the obligation to manage these requests in accordance with the requirements of data protection law.
Tips for managing SARs
- Have a clear logging process to track and monitor any SARs received. These requests must normally be responded to within 1-month of receipt.
- Make sure staff are trained and aware of how to recognise a SAR. SARs can be requested verbally or in writing using formal or informal language.
- Communicate clearly with the requestor. Creating standardised response templates keeps things simple and ensures SARs are handled consistently.
- It’s important that there are designated, trusted individuals across the organisation to assist with gathering personal data to help to manage tight timescales.
If your organisation receives a SAR, it’s important to recognise that the requestor is only entitled to receive a copy of the information you hold about them and not information about other people or your business. When dealing with SARs in the context of redundancy, it’s often the case that the requestor is motivated to receive copies of sensitive information relating to them, their employment, colleagues and confidential business information. The right of access is not absolute and in some circumstances exemptions may apply which means you are not required to provide some or all of the personal data requested. Exemptions should always be considered on a case by case basis and you must clearly document your basis for relying upon an exemption. Examples where exemptions may apply include:
- Protecting the rights of third parties – If the disclosure of personal data may be capable of identifying another employee and impact on their privacy rights then this information may be exempt from disclosure under a SAR. For example, a complaint received from an employee about the requestor.
- Management forecasting – If your organisation is planning to restructure and this will involve redundancies, it’s not required to disclose the intention to make an individual redundant if that individual submits a SAR. This exemption applies where disclosure would be likely to prejudice the operations of the business.
- Negotiations – If your organisation is entering into negotiations with an individual, for example settlement negotiations, it would not be required to disclose papers relating to the matter under a SAR as to do so would be likely to prejudice those negotiations.
- Confidential References - Confidential employment references are exempt and neither the submitting or receiving party is required to disclose this information under a SAR.
Collating Personal Data
Once you have identified the personal data that you are required and applied any exemptions, the following steps should be followed before releasing the information to the requestor:
- Carry out a thorough sift of the data to identify and redact personal data relating to other third parties and any other confidential information which is not personal data.
- Consider investing in redaction tools to help reduce the level of manual effort required to complete a SAR and inaccuracies that can lead to complaints.
- Define a secure process for sharing copies of data with individuals in their preferred format, which may be in hard copy, electronic format, audio or braille.
Thorntons Data Protection Team is available to support organisations with the management of SARs efficiently and with the completion of redaction exercises. To find out more about how our Data Protection Services can assist, click here to view our service brochure, or alternatively please contact Morgan O’Neill, Director of Data Protection Services at firstname.lastname@example.org.