Do’s and Don’ts of DSARs

Wednesday February 26, 2025

DSARs, or Data Subject Access Requests to give them their full name, are becoming an increasingly common phenomenon in the world of employment.

Surveys suggested a spike after the pandemic struck and that this has continued to trend upwards, albeit with fluctuations along the way.

DSARs typically arise in an employment context in one of four scenarios, relating to:

  1. Disciplinary action
  2. Grievances
  3. Termination – where they may be exploring whether they have a case for unfair dismissal
  4. Promotion – but not from the person who was promoted, rather from someone who was passed over.

Data Subject Access Requests are renowned for being a nuisance and time drain to manage. So what should you do if you receive a dreaded DSAR from an employee or ex-employee?

Our handy DSAR Do’s and Don’ts will give you the lowdown, including actions to take before one even lands on your desk.

Do – Have a data retention policy and stick to it

So much of good HR starts with having a policy, and how you handle employee data is no different. Without one, you may just accumulate employee data indefinitely and haphazardly. And trust us, that will make things very difficult for you if you get a DSAR.

Formulating a policy will help you think about why you keep data, and for how long you do so, minimising the data estate you need to manage.

Don’t – Leave your data unmapped and uncategorised

This goes hand in hand with developing your data retention policy. Take the time to understand where data is kept, for instance on email servers, databases etc. If necessary, explore better platforms for storing it, ones which allow you to perform simple searches, for example. Categorise different types of data so it is easy to understand what will be relevant in specific types of request.

Don’t – Underestimate the extent of personal data

Personal data includes emails and CCTV footage: anything from which a person can be identified, either directly or in combination with another document. It is important to be fully aware of what you are dealing with.

Do – Have a process in place for responding to a DSAR

By having a policy and mapping/categorising your data, you will have done a lot of the prep work for being able to handle a DSAR efficiently. The other piece of the puzzle, though, is developing a process. Align this with your policy, and make sure it is compliant with the law, for example that you will respond within one month of the request (unless the request is “complex” or part of a series of requests).

The scope of a DSAR is the requester’s own personal data. So, for example, company-wide emails that happen to have been sent to the subject do not need to be provided. If their personal details appear in a document, you don’t need to provide the whole document, just the relevant parts. You need to have made a reasonable attempt to gather all of their personal data, proportionate to the request.

If they do not feel you have complied satisfactorily with their request, they can complain to the Information Commissioner’s Office (ICO), which can exercise enforcement powers. The requester can also seek a court order requiring disclosure of the information, or seek compensation. Courts decide this on a case-by-case basis.

Having a robust process in place will give you a consistent approach, and save time on each occasion you receive a DSAR.

Do – Consider asking clarifying questions of the person making the request

If you process a lot of data about the person making the request, you are permitted to ask them to clarify what their request relates to (if this is not already clear), which may then limit the scope of what you need to provide. When you do this, you “stop the clock” on your timeframe for responding to them until you receive the clarification.

Do – Know how to spot an unfounded request

This is a grey area, but there are circumstances where you can refuse a request. The Information Commissioner’s Office (ICO) states that a request may be manifestly unfounded if:

  • The person explicitly states that they merely want to cause a disruption.
  • They make unsubstantiated accusations, undeniably motivated by malice.
  • They say they’ll take their request back if they receive some benefit from you.

You are permitted to judge whether the request is proportionate in relation to its aim, although you could of course be challenged.

Don’t – Give them data which is exempt

There are classifications of data which you needn’t, indeed shouldn’t, disclose. These include third-party personal data; management information; legally privileged information; and confidential information (for example, information subject to an NDA).

Again, there will be a degree of judgement here. You may use devices such as redaction of third-party names at times to get the balance right.

Do – Ask us for help

At The HR Dept, we are experts in helping SMEs comply with DSARs in an employment context. Whether you need to get a policy and process in place, or you are having difficulty responding to a DSAR, we are here to help.

Office Address: CENTRAL OFFICE, The HR Dept. Ltd, First Floor, 3 Brook Office Park, Emersons Green, Bristol, BS16 7FL | VAT Number: GB821928327 | Registration Number: 04479417

Copyright © 2007 - 2025 The HR Dept Ltd. HR DEPT is a registered trademark belonging to The HR Dept Limited.