Data Subject Access Requests

Data Subject Access Requests (DSARs) are becoming increasingly common in the workplace. As more companies embrace a work-from-home culture and introduce new software systems to increase productivity (for example, through the introduction of AI tools), more personal data is being stored in different places. The UK GDPR gives employees the right to obtain a copy of their personal information which you, as their employer, hold about them. This includes where their data has come from, what it is being used for and who it is being shared with (both internally and externally).

Employees will commonly request “all information held” concerning them. This usually includes requests for copies of all correspondence, documents, emails, text messages (including iMessage and WhatsApp), Teams messages, handwritten notes, and internal communication between certain staff members. Requests of this nature will often leave employers with decisions to make about what constitutes personal data and how to conduct a reasonable and proportionate search for personal data. Requests are commonly made by employees following the termination of their employment or during a grievance procedure. Whether an employee is going through a grievance procedure, or the request has been made in advance of an anticipated Employment Tribunal claim, you should disregard an employee’s possible motive in making their Data Subject Access Request, even if you suspect the individual is trying to achieve early disclosure of information that may be used in an ongoing or future grievance or tribunal claim.

Who can make a DSAR?

Former and current employees can make a DSAR to any part of your company and in any format, e.g. verbally or in writing, including via social media. The Information Commissioner’s Office (ICO) is seeing an increase in the number of complaints it receives from individuals who feel dissatisfied with their employer’s response to their DSAR. This dissatisfaction often comes from unnecessary delays in an employer’s response to a request. It is therefore important that you ensure requests are dealt with effectively, for example by implementing and following a procedure on how Data Subject Access Requests should be handled internally. You should ensure that a request for personal data is passed on to the internal data protection lead or an appropriate member of staff as soon as possible.

Staff should be receiving regular data protection training, and this should include training on how to recognise requests for personal data. Often, employees will refer to their right of access under the UK GDPR, but a request will still be valid if an employee simply requests to see a copy of their HR file, or if they request to see emails/correspondence that refer to them. In some circumstances, it is acceptable to ask an employee to clarify the scope of their DSAR, particularly where you hold a large amount of information about them.

Time Limits & Clarification

DSARs must be responded to within 30 days of the receipt of the request. In some cases, you may be able to extend the time limit for responding by up to two months if the request is complex or if you have received multiple requests from the same employee. In deciding whether you need to extend the deadline, you should take into account the specific circumstances of each request. You should avoid applying a blanket policy to all requests that you receive.

If you receive a request for information which is not clear, you can ask the employee to clarify what it is they are looking for. For example, you can ask them to refer to certain subject matters or refer to dates/specific periods. If you are seeking clarification, you should make the employee aware that the one-month time period to respond will be paused until they respond to you. You should avoid seeking clarification as an excuse to extend the one-month time limit. Asking an employee to clarify their request should only happen in practice where you feel it is genuinely required in order to respond to their request, or if you process large amounts of personal data.

Searching for personal data

New and emerging technologies mean that it is becoming increasingly difficult to conduct a reasonable and proportionate search for personal data. Depending on the size of your business, you may hold personal data about employees in more than one place. You are required to undertake a reasonable and proportionate search for personal data. This will include performing searches of various systems, including email systems, HR records, and instant messaging platforms (including, in some instances, Teams and WhatsApp). While your search does not need to involve disproportionate effort, you must still consider the circumstances of the request and the context at the time it was made.

You should make sure that the data is then reviewed carefully to check for references to individuals other than the employee making the request. For example, disciplinary documents, investigation reports and grievance notes are likely to contain personal data relating to other employees. Where appropriate, third-party data should be redacted so that the privacy and confidentiality of third parties are protected.

In some circumstances, personal data is exempt from the right of access including where:

  • the information is subject to legal professional privilege.
  • the information is being processed for management forecasting or management planning.
  • the information is a confidential reference about an individual. The data included in a confidential reference is exempt from the right of access.

Employers should be aware that not all exemptions apply in the same way, and each should be looked at carefully to see how it applies to an employee’s request.

Refusing to comply with a request

The mere prospect of a disciplinary or grievance procedure or an anticipated employment tribunal claim is not enough for an employer to refuse to comply with a request. It is important to remember that the right to access personal data should be kept separate from any process in tribunal proceedings.

Unless an employer can demonstrate that a relevant exemption applies (for example, where a request is manifestly unfounded or excessive), the request must be complied with. It is important to note that you must apply exemptions on a case-by-case basis, and you must be able to justify and document your reasons for refusing to comply with a request, for example, where you can reasonably demonstrate that the DSAR is being used to cause disruption to the organisation or is malicious in intent.

Best Practice Tips

Responding to Data Subject Access Requests can be challenging and time-consuming, particularly in the new digital age that we are living in. The responsibility for responding to Data Subject Access Requests will often fall to IT or HR teams, with the potential for thousands of documents needing to be analysed, redacted and disclosed to the employee. It is therefore important that you understand your obligations under UK data protection law and ensure that you deal with requests appropriately and, where possible, within the one-month statutory time frame.

  • Develop and publish a comprehensive policy: your business should have procedures in place for handling DSARs, including response times, how to search for data effectively, and exemptions.
  • Diarise key dates: DSARs must be responded to within one month of receipt of the request. An employee has the right to lodge a complaint with the ICO if they feel that you have failed to comply with their request. In some cases, the ICO may investigate the process which was followed when responding to a DSAR.
  • Record a copy of your search: this should include the terms used to search for relevant personal data; whether you have relied on an exemption to withhold data, or have refused to comply with the request in full, and why you consider you are justified in relying on that exemption; and confirmation that appropriate redactions have been made. You should also keep a record of the DSAR you have received, the response, and any supporting documentation, and be prepared to explain your decisions.
  • Consider your use of AI transcription tools: if you are using transcription tools to create written records of meetings, consider whether the content of such records falls within the definition of personal data and whether it falls within the scope of the employee’s request.
  • Provide the data in a concise, transparent and intelligible manner: the employee making the request must be able to understand how their data is or has been processed.

For assistance in responding to DSARs or any data protection issues your business may have, you can contact Maria directly at mspencer@prettys.co.uk.