Top Tips for dealing with Employee Data Subject Access Requests
Many of the businesses we work with are seeing a surge in Data Subject Access Requests (DSARs) from their employees. Under the data protection legislation in the UK, any individual has a right to access their personal information that is stored by an organisation – this could be a bank, a sports club, their GP surgery, their employer or any other provider of services. In the employment context, employees may decide they wish to access the personal data that is held about them, often when they have a dispute with their employer or after their employment has ended. Responding to a DSAR is not always easy: you cannot pick and choose what you disclose. If there is information, perhaps on email or messaging services, that refers personally to the individual, it has to be disclosed.
RWK Goodman Employment Partner, Lauren Harkin, shares her top tips on dealing with Employee Data Subject Access Requests.
- Prepare a data map – understand what types of data you are processing in relation to employees, who accesses it, how long you keep it, and so on. You cannot write a privacy policy and other data protection policies without one! This will also identify any special category data that you process, and how it is treated.
- Be prepared – act before you receive a Data Subject Access Request (DSAR). Clean your data and ensure that all necessary data protection policies are in place.
- Ask your IT team where the employee data is stored – You are likely to find data in emails, but it will also be stored on work phones, including WhatsApp or other messaging services, as well as in the cloud.
- Manage the DSAR appropriately by:
  - identifying a team to deal with the DSAR and nominating one person to lead;
  - identifying who is making the request;
  - identifying what locations will need to be searched; and
  - identifying the search terms.
- Do you need to clarify the request? – You are not able to ask employees to narrow their request, but you can ask for clarification.
- Decide which platforms you will use to access and assess the data.
- Decide whether you need to ask the individual for identification – Don’t simply do this to be difficult, but if you have employees with the same or similar names, it may be necessary.
- Exceptions – Do any exceptions apply? Is the request manifestly unfounded or excessive?
- Can you deal with the DSAR in one month or is it complex to the extent that you will need to extend the timeframe to 3 months?
- Decide how you will give the data to the data subject – Will this be electronic or paper copies? If providing electronically, ensure that any redactions cannot be reversed.
- Redact the data – the data subject is only entitled to their own personal data, not the personal data of other people. You will therefore need to ensure that other people’s data and identities are redacted.
- Ensure that you send correspondence to the data subject – firstly acknowledging the request and confirming whether there needs to be an extension of time, and secondly when sending the data.
Dealing with Employee DSARs is complex and a huge administrative task – which frequently falls within the responsibility of your HR team. It is imperative that the process is dealt with efficiently and that it is legally compliant. Our Employment and HR team at RWK Goodman regularly advise businesses on dealing with Employee DSARs and other aspects relating to data protection.