The right of individuals to access their personal data has been a fundamental facet of data protection law for a number of decades, with the introduction of the General Data Protection Regulation (the GDPR) in 2018 bringing personal data rights into the mainstream. A frequent headache for many employers, data subject access requests (DSARs) give employees the right to obtain from their employers information as to whether or not personal data is being processed about them, as well as the right to request a copy of such data (along with other prescribed information) without undue delay.
DSARs are often made in the context of an ongoing dispute or may be used as a precursor to one where an employee is going through a performance management, redundancy or disciplinary process. Whilst some employees may genuinely wish to find out what data is being processed about them and ensure its accuracy, often employees will see the time, effort and expense that responding to a DSAR imposes on a business as useful leverage in a dispute. With a wave of redundancies anticipated as the government scales back its COVID-19 wage support schemes, employers can expect to see a rise in DSAR requests. Therefore, knowing how to deal effectively with DSARs may now be more important than ever.
It is timely then that the UK Information Commissioner’s Office (the ICO) has published further guidance for organisations on how to deal with DSARs. The guidance runs to 81 pages, but in our view the three key points for employers to be aware of are as follows:
- How long do employers have to comply?
Generally, the GDPR requires an employer to provide copies of the individual’s personal data without undue delay and, in any event, within one month of receipt of the DSAR. An employer may extend that period by up to two further months where necessary, taking into account the complexity and number of requests. It is typical for the employer to send a letter to the employee stating that it will be extending the time period to respond. However, thought should always be given to the justification for any extension.
The ICO has helpfully explained when a DSAR might be complex, noting that this is subjective and likely to be dependent on the size and resources of an organisation. More importantly though, the ICO has clarified that an employer can “stop the clock” for clarification of the DSAR. This allows an employer to ask the individual to specify the information or processing activities to which their DSAR relates, pausing the time limit for responding until clarification is received. Note that an organisation should only seek clarification where: (a) it is genuinely required; and (b) the business processes a large amount of information about the individual.
- Can employers charge a fee?
Employers can only charge a “reasonable fee” for the administrative costs of complying with a DSAR if: (a) it is manifestly unfounded or excessive (more on this below); or (b) an individual requests further copies of their data following a request.
Some clarity has been provided by the ICO as to what a “reasonable fee” may include. According to the guidance, a “reasonable fee” may include the costs of: (a) photocopying, printing, postage and any other costs involved in transferring the information to the individual (such as the costs of an online platform); (b) equipment and supplies (including discs, envelopes or USB devices); and (c) staff time (provided it is charged at a reasonable hourly rate). These costs should be explained clearly to the individual, and the employer should be able to justify them in the event that the individual complains to the ICO.
- Can employers refuse to comply with a request?
While an employer must make genuine and extensive efforts to respond to a DSAR, it does not have to go so far as to leave no stone unturned. The DSAR requirements are subject to the principles of proportionality (i.e. measures adopted should not exceed the limits of what is appropriate and necessary to achieve the objectives pursued) and reasonableness (i.e. the employer is not required to do things that would be unreasonable). Additionally, an employer may refuse to act on a request (or part of it) if it can demonstrate that the request is “manifestly unfounded or manifestly excessive”.
The guidance confirms that each request must be considered on its facts and in the context in which it is made. A DSAR may be “manifestly unfounded” if the individual clearly has no intention to exercise their right of access or if the request is malicious in intent. To determine whether a request is “manifestly excessive”, employers must consider whether it is clearly or obviously unreasonable. All circumstances of the request - including amongst other things the nature of the requested information, the context of the request, and the organisation’s available resources - should be considered in order to determine whether the request is proportionate when weighed against the burden or costs involved. It is ultimately a balancing act, and one that might be difficult to strike.
While the new ICO guidance is likely to be welcomed by employers, the DSAR landscape is far from clear-cut. If an individual suspects that a data controller has failed to meet its requirements under the GDPR, they can ask the ICO to investigate. The ICO can require the organisation to provide the requested information and failure to comply is a criminal offence. Alternatively, the individual could seek a court order requiring the organisation to comply with the DSAR or claim damages. It is therefore important to ensure that the exercise is carried out thoroughly and systematically, and compliance with the latest ICO guidance will be a key part of that.
In its update, the ICO has stated that it is planning a suite of further resources for extra support, so we will watch this space.