Let me set the scene: I arrive at the office one day to find, not unusually, an email from a client seeking advice on a data subject access request they have received from a former employee. I settle down to review the pages of documentation sent by the client (my remit was to check whether the data is disclosable and whether it needs to be redacted).
So far, so good. Until I stumble across indecent images of the former employee watching inappropriate adult-rated content. Not only was he using company time to watch the videos, he chose to watch them on company devices and film himself watching them…
Most DSARs are nowhere near as salacious, but, traumatising images aside, there are a few key take-away points from that DSAR and the numerous others that we help with on a regular basis.
Key take-away points
- Employee awareness – make sure your employees understand that anything they document may be captured by a data subject access request. A policy of “don’t write down something that you wouldn’t want to be read” may be helpful to adopt. This applies to documents, emails, text messages, WhatsApp messages, instant messaging services and so on;
- What constitutes personal data – the person who deals with DSARs at your organisation should have a solid understanding of what constitutes personal data. It doesn’t simply cover contact details and information on a personnel file, but also opinions about and given by the individual and other information from which you learn something about the individual;
- Redaction is key – make sure that information that relates to third-party individuals is redacted unless you have consent to disclose it. You may also wish to redact anything that doesn’t constitute personal data (for example, wider business information);
- Each instance of personal data only needs to be provided once – a misunderstanding we frequently stumble across is the idea that every email that references the data subject needs to be provided in the DSAR response. That isn’t the case. Each instance of personal data (for example, the data subject’s name or email address) only needs to be provided once. In many cases, the content of most work-related emails will fall outside of the scope of a DSAR unless they happen to contain additional personal data within them, such as an opinion about the data subject or a reference to sickness absence, their spouse or family;
- Consider whether legal privilege applies – in broad terms, information does not need to be disclosed: (i) if it consists of confidential communications between you and your legal adviser or a third party if litigation with the data subject is contemplated or in progress; or (ii) if it consists of confidential communications between you and your legal adviser for the purposes of seeking or obtaining legal advice;
- Consider other exemptions – there are a number of exemptions that may apply, but the two our clients most frequently rely upon when dealing with DSARs received from employees cover: (i) management information, which is exempt if disclosing the information would be likely to prejudice the conduct of the business; and (ii) records of your intentions in negotiations with the data subject, which are exempt if disclosure of the information is likely to prejudice the negotiations;
- Timescales – all DSARs must be responded to (unless they are manifestly unfounded or excessive) within one calendar month of receipt of the request. The one-month timescale may be extended by a further two months if you can argue that the request is complex. Note that a large volume of data will not on its own make a request complex;
- And finally – if you haven’t already, consider blocking access to any websites you may not want your employees to access on company time…
Breaches
Although not strictly linked to DSARs, we feel it’s always worth flagging the importance of dealing quickly with any breach or potential breach. Think phishing attacks, or accidental disclosure or theft of data, for example. The first few hours in dealing with such a scenario can be critical in terms of damage limitation and any potential reaction of the Information Commissioner’s Office (ICO). If you are concerned a breach has occurred and you require advice, please don’t hesitate to contact Flo or one of our other specialist data protection lawyers so that we can help you minimise the consequences of the breach, determine whether ICO or individual notification is required, and help you work out the necessary steps to reduce the chances of it happening again.
Ask Flo Anything
If you would like more information or advice about DSARs or any other data protection related concern, please feel free to contact Flo at [email protected].
Flo will also be holding an online “Ask Me Anything” webinar in January focussing on data protection issues for HR teams, including a closer look at DSARs, guidance around dealing with breaches, and a discussion of the documents and processes that are legal requirements and the other “nice to haves” that help improve compliance and business practices. Invitations and registration information will be sent within the next few weeks.