Under UK data protection legislation, employees, also called “data subjects”, have the right to make a data subject access request (DSAR) to their employer, who “processes” their personal data. Amongst other things, as part of a DSAR, data subjects can expect to receive a copy of their personal data.
The 2023 EY Law survey highlights that, in the financial sector at least, the number of DSARs is on the increase, with 60% of those surveyed reporting a rise since 2022. According to the survey, a contributory factor to this upward trend is the UK Information Commissioner’s Office (ICO) campaign to raise awareness of access rights.
While DSARs are not a new right, they continue to be a challenge on an employer’s resources.
Many initial requests are broad “all personal data” applications. This is often a huge undertaking for employers, who may find themselves processing a significant amount of personal data. For employees, this data often goes back many years. Without further clarification on the scope of the request (or where clarification of the request does not prove helpful), a wide search involving a number of people may be needed. “Personal information” generally refers to details associated with the individual. It might not be easy to locate and could be stored in a variety of places, such as HR and payroll systems, social media platforms used for business purposes, personal data in emails, and minutes of meetings. Electronic information may also be held in harder-to-reach places, such as archived files or backups, which can add to the time and cost of accessing the information.
How hard should you look?
The ICO guidance states that organisations “should make reasonable efforts to find and retrieve the requested information”. This might mean, for example, using targeted searches. Your organisation may well have a policy or protocol in place for locating information.
After locating the information, the next step is to review it and, where appropriate, redact it, check whether it is exempt from being supplied to the employee, or seek permission from a third party. While technology can be used to assist, without a tested system in place to review and redact information, the ability to locate, review and analyse information within the timeframe remains a concern.
How long should this take?
An employer must respond to a DSAR without undue delay and in any event within one month of receipt of the request. Breaking down the one-month timeframe, the organisation will on average have only between 20 and 22 working days to complete the request and respond to the data subject. Seen in those terms, the efficiency needed to complete an access request on time is evident. Even a fine-tuned system, once overrun with bulk requests and high volumes of unstructured data, will struggle to deal with them in the time permitted.
Employers will also need to consider any period of leave for employees dealing with the process or whether to ask for technical or legal assistance in order to complete the request.
There is the possibility of extending the time limit for responding by up to two months if, for example, the DSAR is “complex”. Not every DSAR will be “complex”. The ICO states that “a request is not complex solely because the individual requests a large amount of information”.
The time also can be “paused”, but organisations should only use this where it is genuinely required and the organisation processes a large amount of information on that individual. Neither method for extending the time should be used as a default reaction on receipt of a DSAR.
What about Tribunal proceedings?
It has long been the position of the ICO that it will not look at the motivation behind a DSAR when considering complaints by data subjects. The time-consuming job of managing tribunal proceedings alongside processing a DSAR can be resource-heavy.
Preparation is key
The ICO reported there were over 15,000 subject access complaints last year. If organisations fail to respond to a DSAR within the time limit, they will likely be in breach of their obligations under Article 15 of the UK General Data Protection Regulation. This may lead to a reprimand from the ICO – and possibly a fine.
Whether or not your organisation receives a DSAR on a regular basis, the ICO states that it will be important to prepare and take a proactive approach to compliance. Consider your internal processes and whether they can be improved in light of the challenges noted here or the ones your organisation may have already come across. With the right tools and expertise, organisations can manage DSARs effectively and efficiently.
13th September 2023