Challenging the fear factor associated with employee data subject access requests
12 November 2021
"Failing to prepare means preparing to fail". Never have these words been more true than when considering requests made by data subjects for access to their personal information. Under local data protection law, all data subjects have rights of access to their personal data.
At a recent seminar series hosted by Bedell Cristin and Focus HR in both Guernsey and Jersey, employers were reminded that all employees are data subjects and that with a progressively more data aware workforce, it is increasingly common for the "weapon" of a subject access request to be brandished by an employee against their employer (or more commonly their former employer) when their employment relationship turns sour, and that the best defence to that weapon is preparation.
Known officially as Data Subject Access Requests (DSARs), they enable employees to, amongst other things, obtain a copy of all personal information processed by their employer. They generally arise when an employee is contemplating or is already in dispute with their employer or former employer.
Under both the Data Protection (Jersey) Law, 2018 and the Data Protection (Bailiwick Guernsey) Law, 2017, employees have the right to obtain certain information from their employers, including details of what personal information is being processed, the purposes of that processing, to whom that information has been disclosed and for what purposes, where the data is kept and for how long it will be retained. They also have a right of access to a copy of their personal data. It is this final "right" that understandably creates the "fear factor" for employers. The fear stems not so much from what data is actually processed by an employer (or the "smoking gun" that the disgruntled employee hopes to find), but merely from the sheer volume of personal data that employers will naturally process about their employees and the time and resources that are required to sift through that data, identify what is personal data, determine whether it needs or should be disclosed and ascertain the format of that disclosure. Carly Parrott, Counsel at Bedell Cristin emphasised that the statutory right of access was to "data and not documentation" and that whilst, technically, the law permitted "fishing expeditions", employers need not grant an unrestricted fishing licence and should focus on the personal data itself, not the documentation in which that data is found.
Highlighting the fact that there has been an exponential increase in the number of DSARs since the introduction of GDPR (and the corresponding local data protection laws), Carly Parrott referred to statistics that over 70% of EU employers had received DSARs from their employees, and that the trend in the Channel Islands was invariably for a DSAR to either precede or immediately follow a letter before action or submitted claim form.
Data protection by design and default is key to the preparation process, although it was recognised that this may not always be practicable for local employers. Employers were talked through carrying out, at a minimum, the data mapping and data audit processes, and encouraged to think about where personal data is stored on their systems. Personal data is everywhere, it's in personnel files, e-mails, file notes, hard copy records, data kept as back up, in the archives or in cloud-based storage. Employers were warned that personal data could also be stored in social media platforms and instant messaging tools and unless suitable policies and procedures were in place to ensure a delineation with personal devices, an employer could find itself being deemed a controller in respect of such data and required to search and disclose relevant personal data contained on other employee's personal devices and messaging platforms.
Understanding where your data is stored and what data is processed is a key first step. Carly Parrott presented a checklist for employers to work through to assist in both preparing for a DSAR, and also to support an employer in responding to a DSAR.
Delegates were advised to make sure that contracts and policies were updated to account for DSARs, that precedent response documents were prepared, thought given to the creation of a response "war room" and that a dry run response to a DSAR be undertaken to identify any gaps in the retrieval and response process. Edward Drummond, Partner, highlighted the importance of ensuring that staff were trained on written communication (and what not to put into writing), that employers have appropriate retention policies in place, and more importantly that they rigorously applied them. The message was clear – if you don't need the data, delete it. This is a fundamental tenet of the data protection laws and one that ironically assists an employer when having to respond to a DSAR.
In terms of actually responding to a DSAR, discussion was had around the short time limit for responding (4 weeks in Jersey and 1 month in Guernsey) and the circumstances in which that time limit can be extended. The importance of "scoping" a request was canvassed as a means to ensure that the legitimate intentions of the data subject can be prioritised in the review. Delegates were provided with tools and checklists to adopt when responding to DSARs.
Richard Le Laird explored the exceptions and exemptions within the data protection laws, discussing the concept of proportionality, introducing the concept of "manifestly vexatious unfounded or excessive" and explored the various exemptions to disclosure under the laws. Critically, he highlighted the tricky balancing act that employers must undertake in relation to the rights of the data subject to copies of their data against the rights of third parties to the privacy of their data.
John Ioannou-Droushiotis of Focus HR discussed the HR implications of DSARs, emphasising DSARs have the tendency to intertwine with other HR processes and employers must ensure that the procedures are managed separately so as not to derail due process being followed. John noted that employees should also be trained to draft meeting notes in an objective manner, focusing on the facts, and to document any deviation of standard HR procedures supported by the justification behind doing so.
Carly Parrott added: ‘Data subject access requests often prove to be one of the most challenging areas of the data protection law for employers to manage. Sifting through vast amounts of information (including e-mails) to find personal data specific to an employee can be daunting and the reality is that responding to a DSAR is time consuming. But it doesn’t have to be a process to be feared.’
Helen Myers, Head of Jersey, Focus HR said, “We are excited to be providing training in this technical and complex legal area for the HR community and employers. Data Subject Access Requests are notoriously time consuming and costly to employers. There are many pitfalls associated with DSARs which employers need to be aware of including accessing and providing the right data – the provision of personal data and not the provision of the documentation, and the type and level of information that is captured by the request. We aim for this seminar to assist HR professionals and employers to navigate the process while learning about the risk exposures to be mindful of”.
For more details about DSARs and the practicalities of dealing with them, please contact Carly Parrott, Edward Drummond or your usual Bedell Cristin contact.