Being able to request a copy of personal data and knowing how and why it is being processed is an important right in this age of technology and data. Heightened awareness of data privacy rights has resulted in an increase in the number of subject access requests from employees and ex-employees. It is being used as a litigation weapon in the disgruntled employee’s armoury. Preparation and organisation is key for employers when faced with responding to these requests especially in the context of an employment dispute.
Before a request is received
In anticipation of receiving SARs, employers should:
Identify a coordinator either for the company as a whole or, where relevant, for each business unit, who will be responsible for dealing with enquiries on SARs and ensuring consistent responses through-out the organisation.
Establish a policy on retention of records which sets out the maximum retention periods for employee records. Remember, employee records should only be kept for as long as they are accurate, relevant and necessary for the purpose for which they are collected.
Locate the data
It is important that you give careful consideration to the following systems that will need to be searched within your organisation in order to comply with a request:
Centrally held HR resources including personnel files, absence records, working time records, appraisal information
Emails, including inbox, sent items and deleted items, of not only the data subject but also managers and colleagues
Document systems and manual filing systems
It is advisable for organisations to create a checklist and template document to record the searches carried out.
Get started quickly
Employers should note that compliance with and response to an SAR is required within one month. When the request arrives, don’t put it off.
Narrowing the scope
Requests from employees with long employment histories can span years, sometimes decades. Where the SAR has stemmed from a particular issue or dispute, consider seeking agreement from the employee to refine the scope of the searches. Doing this will allow you to carry out the search according to more clearly defined criteria, such as timeframe, search terms and sources. This could result in a significant saving of time and money.
Reviewing the searches
Employers should maintain a record of the searches conducted. Don’t forget the bigger picture. Where there is a dispute with the employee, the review serves a dual purpose. It is to spot exposure in the dispute and also to ensure compliance with data privacy obligations. You should review the documents and consider if any exemptions can be relied on to limit the information provided. It is important to note that not all documents will contain the employee’s personal data. Other employees’ personal information may be contained in the documents. Therefore, a consistent approach to redaction is required.
Keeping a copy
The employee is entitled to a copy of their personal data along with additional information around its processing. Always keep a copy of the documents that are sent to the employee.
Top tips for employers
Subject access requests are becoming a common step in employment disputes. Therefore, employers should consider the following top tips:
Have a strategy in place before you receive a request from a disgruntled employee. This will save your company time and money in the long run.This means developing template documents and establishing robust processes.
Ensure there is tried and trusted system for conducting and recording searches.
Train your HR team and managers about how to handle requests.
For more information on effectively dealing with employee subject access requests, contact a member of our Employment & Benefits or Privacy & Data Security teams.
The content of this article is provided for information purposes only and does not constitute legal or other advice.