It is expected that organisations will experience a steady increase in the number of employee Data Subject Access Requests (DSARs) received over the coming years. Employee DSARs can be extremely large and complex and often fall to HR departments to deal with.
Figures from a survey of over 460 UK-based Data Protection Officers (DPOs) that form the panel of the UK Data Protection Index¹ show that there has been an increase in the number of DSARs received by organisations over the last twelve months. In June 2020, Index panelists reported an average of 10.85 DSARs received per month. After a steep 66% increase in December 2020, where this figure rose to 18.04, it has since levelled out but remains above the figure recorded for June 2020, at 13.37 in July 2021. A previous study² commissioned by The DPO Centre in November 2020 revealed that six million adults had considered submitting a DSAR after feeling that their personal data had been mishandled by a company. Those aged between 18 and 34 are the most likely to submit a DSAR (20%), compared to 35-54 year olds (14%) and those aged 55 and over (4%). With the tailing off of the furlough scheme and many employees finding that they no longer have a job to return to, the expectation is that the number of employee DSARs received is likely to increase, creating many headaches for HR departments.
The impact of COVID-19
The DPO Centre expects DSAR requests to increase over the coming months as one of the fallouts from the pandemic. The forced lockdowns of businesses across all sectors have resulted in many businesses being unable to employ the number of staff they did back in 2019, causing mass use of the furlough scheme. However, as furlough becomes a thing of the past, mass redundancies may well follow. It was estimated that 11.5 million people were put on furlough and that redundancies could hit harder and faster than during the 2008 crash.
The necessity for redundancies creates challenges for both the employer and employee. Some employees may challenge the reasons for their selection for redundancy, which may result in an employee tribunal. We are seeing a rise in the number of employees submitting DSARs as an early step in the run-up to their hearing. DSARs are often used as a method of pre-hearing discovery as they provide individuals with an inexpensive way to gather evidence that may be relevant to their action. This is often referred to as ‘evidence fishing’. DSARs can also be used vexatiously as a frustration tactic, given the amount of time and resource that can be required to respond to them.
Using DSARs as a method of information discovery has become more prevalent as awareness of data protection rights has grown. There is now mainstream awareness of what the “GDPR” is and how data affects our daily lives, helped along by scandals like Cambridge Analytica and the ongoing press coverage of data protection violations committed by the likes of Facebook, Apple and Google. This improved awareness means that people will no longer tolerate the misuse of their personal data, and are willing to enforce their rights, including their right of access. Our research shows that this is particularly true of millennials, who are increasingly tech savvy and have a greater understanding of data protection rights, making them more likely to submit a DSAR.
Challenges presented by DSARs
Although DSARs are useful tools for people to find out how an organisation is processing their data, they can present a number of challenges for those required to respond to them. This is particularly the case with employee DSARs as employers hold a lot of data about their employees that can go back many years, making them particularly troublesome for HR departments. Below, we discuss the three main challenges that employee DSARs can present, and how to deal with them.
Large volumes of personal data
Collating the data needed to respond to a DSAR can often be challenging due to the number of documents, the varying formats and the data assets involved. Employers will hold a lot of information about their employees, located across multiple databases and in different forms (email, paper files, electronic files etc.), often going back many years. Gathering all the information relevant to a DSAR response can therefore be complex and extremely time consuming.
Whilst it is not permitted to require a requester to narrow the scope of their request, you can ask them to clarify their request to help you respond effectively and more easily locate the personal data they are seeking. For example, you could ask them to provide the date range within which the processing occurred, or the type of documents they would like provided (emails, letters, meeting transcripts etc.). Asking the right questions at the outset may save you a lot of time down the line.
In addition, having an effective retention policy (and applying it), can greatly reduce the volume of personal data you hold on your employees. Whilst the law dictates how long some records must be retained (e.g., payroll information must be held for 6 years), largely it is up to organisations to determine their own retention periods. By disposing of personal data when it is no longer necessary to retain it, organisations are able to limit the amount of information held on their staff members, thus reducing the volume of personal data to be trawled through when fulfilling a DSAR.
Conducting appropriate searches
Personal data of employees will be held in a number of different formats, both hard copy and electronic, adding to the challenge of fulfilling DSARs as finding and extracting this information can be difficult.
When locating information for a DSAR, organisations are obliged to conduct ‘reasonable and proportionate’ searches for the information requested. This means that targeted searches should be conducted across each database within which the individual’s personal data is stored to locate and retrieve the relevant information. It is important to highlight that personal data consists of anything that can, on its own or with other information, identify an individual. Therefore, multiple search terms should be used to search for information relevant to the request (name, email address, employee ID number, phone number etc.). It should also be remembered that images are personal data, so any photos or videos, including CCTV images, of that individual also fall within scope of the response.
It is very important to know where you hold data about your employees; carrying out a data discovery exercise to document where different types of information are held may be useful.
Understanding and applying exemptions
Once all databases (both physical and electronic) have been searched and the relevant documents collated, they must be reviewed before being provided to the individual, to remove any conflict between the rights of the person making the DSAR and the rights of other individuals or other legal provisions or interests. You must therefore review each document to see if any exemptions to the right of access apply and, where they do, apply redactions to the information that is not to be disclosed to the requester.
There are many different exemptions to the right of access; however, the ones most likely to apply to employee DSARs are:
- Personal data of third parties: Many documents will contain the personal data of other people as well as the requester. The requester does not have the right to see the personal data of other people, so you must assess whether to redact this information.
- Management Information: Personal data processed for management forecasting or planning does not have to be disclosed, if to do so would likely prejudice the business activity. For example, disclosing redundancy plans prior to final decisions being made could cause staff undue stress.
- Legal/litigation privilege: This applies to communications between a client and legal adviser where litigation is contemplated or in progress. For example, employment tribunal proceedings.
- Confidentiality: Information that is confidential should not be disclosed unless there is an overriding public interest in its disclosure. Whilst identifying confidential information can sometimes be simple (e.g., when it is covered by an NDA), in other cases it can be far more challenging.
Whenever you decide not to disclose something on the basis of an exemption, you should document this decision and the rationale behind it.
The COVID-19 pandemic has dramatically changed how organisations work, and the job market has clearly changed with it. Many organisations have had to scale back their workforce drastically, whether because they do not have the finances to keep on employees or because they have realised that certain jobs are now redundant in this new way of working. Big waves of job losses and consequent employment tribunal cases, coupled with data subjects better understanding their data protection rights, all point to the fact that the number of employee DSARs that HR departments have to deal with is likely to continue to rise over the coming months and years. Despite this, DSARs should not be feared by organisations. With the right tools and expertise (whether that is outsourced or in-house) organisations can manage DSARs effectively.
The DPO Centre supports HR departments to comply with DSAR requests. Our DSAR response service is delivered on an ad hoc ‘pay as you go’ basis, where all, some, or just occasional DSARs are outsourced as required. Further details can be found on our website.
Handling Data Subject Access Requests (DSARs) White Paper – Outsourced Data Protection Officers GDPR and Data Protection Compliance (dpocentre.com)
The DPO Centre is the UK’s leading independent data protection officer resource centre, offering expert advice and ensuring organisations have access to the level of knowledge and expertise they require to comply with the highest standards of privacy and data protection.
1 – The UK Data Protection Index, developed by The DPO Centre and Data Protection World Forum, is one of the largest surveys of UK data protection and privacy professionals. More details can be found at www.thedpindex.com