For those who have missed the (admittedly quite restrained) fanfare, 28 January marks Data Protection Day. The original purpose of Data Protection Day appears to have been educational - raising awareness amongst businesses about the importance of protecting data privacy and amongst individuals of their data privacy rights. It has now expanded into a broader discussion about data privacy, the latest tools available and best practices observed.
If we’re going to spend time reflecting upon data privacy, one obvious point of reflection for employment lawyers would relate to data subject access requests (DSARs) and their place in an employment relationship. Love them or hate them (which probably depends in large part on whether you sit on the employee or employer side of the fence), the chances are you will have spent many hours dealing with them. In the new(ish) world of GDPR that shows no signs of changing - if anything, employers are forced to take DSARs more seriously in the face of potentially significant penalties and a regulator that appears keen to show its teeth and hold violators to account.
Going back to basics, the underlying purpose of a DSAR is to inform a data subject of what personal data a data controller is processing and for what purpose, and to allow a right of challenge. In many relationships (customer and business, or for an unsuspecting individual whose data has made its way without consent into the hands of a telephone marketing company), that ability makes a lot of sense. In an employee/employer relationship the dynamics are arguably different and, from a purely practical perspective, the volume of personal data being processed is likely to be materially greater - making it much more time-consuming and expensive to deal with such a request. Bear in mind, too, that DSARs first saw the light of day in the Data Protection Act 1998. It’s fair to say that the volume of data being processed in 2020 is significantly higher than it was 22 years ago. Add to that the overlay of DSARs almost routinely being rolled out by employees as a precursor to litigation and an attempt to obtain pre-action disclosure, and you can start to understand why they may be viewed with a degree of cynicism by employers.
Against that backdrop, the recently announced amendment by the Information Commissioner’s Office (ICO) to its GDPR: Right of Access guidance will be particularly unwelcome. The guidance now states that the clock does not stop while a data controller attempts to clarify the scope of a DSAR (in contrast to the previously understood position, which had been reflected in the ICO’s Subject Access Code of Practice). Data controllers are often encouraged to engage in a dialogue with data subjects to understand the scope of their request and to seek to refine it in a manner which preserves the objectives of creating transparency around a data controller’s processing, and enabling the challenging of that processing. The ICO has now said that the deadline for responding to a DSAR is unaffected by such attempts and will continue to run in the background.
Other challenges frequently dealt with by employers in the context of DSARs, which are perhaps more acute than for other data controllers, include:
- how to deal with mixed personal data (particularly prevalent when, for example, one employee is expressing their views about another, perhaps in the context of a grievance or an investigation, and often with the expectation of confidentiality); and
- how to approach the mountains of personal data of which the data subject is already well aware. In particular, an employer may be faced with thousands of emails sent to or from the data subject which contain small amounts of their personal data - their views on a particular topic, a passing reference to their weekend plans or their availability for a meeting. If the core underlying objective of a DSAR is transparency and an ability to test the accuracy of the data being processed, there is an argument that there should be no need to “re-disclose” to the data subject any data of which they were the author or recipient. This transparency-based argument was approved by the Court of Appeal in Ittihadieh v Cheyne in 2017, but it remains to be seen whether the ICO is convinced. This is the type of point that an employer might previously have sought to clarify with a data subject upon receipt of a DSAR, but given the ticking clock in the background (and the likelihood in many cases that the data subject may choose not to lessen the employer’s burden), this is an area where employers may simply now decide to take their own view.
A consultation by the ICO on new DSAR guidance is underway and we await its outcome with interest. Anyone whose Data Protection Day wish is that DSARs will disappear off their to-do list is likely to be disappointed - nothing in the consultation comes close to proposing a material change, let alone an abolition. DSARs are here to stay, and the best wish for 2020 may be for a technological solution to ease the burden and to make those requests easier for employers to manage.