As outlined in our previous article on the 2022 DPC annual report, data subject access requests (‘DSARs’) continue to be a significant source of complaints, representing 42% of the total complaints received by the DPC in 2022. Towards the end of 2022, the DPC issued detailed guidance to data controllers in respect of handling DSARs which employers should carefully review and consider. The guidance closely aligns with the guidelines issued by the European Data Protection Board on the same topic. Both sets of guidelines reflect the extremely high standard to which employers will be held in their handling of employee DSARs.
DSARs
Employees, as data subjects, have the right to request access to and copies of personal data (information directly or indirectly related to them) which is being used in any way (i.e. processed) by their employer (the data controller), subject to certain limited restrictions. This must be provided in an accessible form, free of charge and within certain time limits. The DPC guidance looks at some of the core practical issues that commonly arise for data controllers in managing and responding to DSARs.
Receiving employee DSARs
The guidance raises some initial key points for employers to be aware of:
- Employers should ensure that employees know how they can submit a DSAR.
- Employers should ensure that they record DSAR requests and keep records of how they responded to those requests (this is particularly important in order to be able to deal with any complaints received by the DPC).
- While employers should establish a dedicated internal process for employees to submit DSAR requests, they should not ignore DSARs received through other channels.
- Even where an employee submits their DSAR other than through the established channel, the timeline for responding still starts when the request is received by the data controller, so it is crucial that your employees are adequately trained to recognise DSARs when they are lodged and to redirect them promptly to the relevant team/department who will deal with them.
- How DSARs are lodged is entirely up to the employee and it is common for employers to receive DSARs from an employee’s solicitor or from a union representative on their behalf. If there is any doubt over a third party having authority to lodge the DSAR on the employee’s behalf then the employer can look for evidence of that authority. However, in most scenarios this should not be necessary, particularly if it comes from an employee’s solicitor and the employer has already been in correspondence with that solicitor about the employee. In our experience, when solicitors make such requests on behalf of employees, they will typically include a letter of authority from their client. This is sufficient for the employer to act on the request.
Clarifying requests
This is an issue of particular interest for employers, given the potentially significant volume of personal data that could be processed by employers in respect of their employees.
The basic principle confirmed in the DPC guidance is that data subjects are entitled to access ‘any and all of their personal data’. However, the guidance provides that, where the data controller processes a large quantity of information pertaining to the data subject, they can ask the employee to specify the information they want to be provided or the specific processing activities they want to access. While this sounds like helpful guidance for employers, it should be noted that the employee is not actually obliged to provide a response to their employer, and the employer must continue to deal with the DSAR even where any such request for clarification remains unanswered. This is an important point for employers to note as it could impact the timelines for responding to the employee. It is also recommended that employers carefully document the reasons for any request for clarification.
Timelines for responding
The DPC guidance outlines that DSARs must be responded to ‘without undue delay’. The guidance goes on to highlight that ‘the response to an access request may be considered untimely even before the maximum term provided for by law has expired, depending on the circumstances of the case’. This is another important point for employers to note. For example, if permanent deletion of the personal data sought is imminent at the time of the request, the employer may be obliged to act more quickly in responding to the request.
The guidance makes it clear that the one calendar month period under Article 12 of the General Data Protection Regulation (GDPR) is a maximum one, not a minimum, and so we expect to see the DPC being more critical of employers (data controllers) if they are delaying in responding when they could have responded earlier (for example, if the request is only seeking a small amount of personal data that could have been provided quickly). The guidance is also very clear that exceeding the maximum time limit for a response will automatically constitute a breach. This highlights the importance for employers to ensure their employees recognise a DSAR when it is made and immediately escalate it to the appropriate team within the organisation so it can be addressed without undue delay.
The DPC provides useful practical guidance on how to calculate the calendar month period for response from the date the DSAR is received. Employers should consider that:
- the period shall end with the expiry of the last hour of whichever day of the following month falls on the same date as the day which initiates the period;
- the period includes public holidays, Sundays and Saturdays;
- the day which initiates the period is the day during which a valid access request was received;
For example, if you receive an access request on 22nd December, on 22nd January the following year the minute starting at 23:59 will be your last minute in order to respond to the requester, regardless of the intervening Christmas holidays.
- where the period ends on a public holiday, Sunday or Saturday, the period shall end with the expiry of the last hour of the following working day;
- where the day on which the period should expire does not occur in the month, the period shall end with the expiry of the last hour of the last day of that month.
For example, if you receive an access request on 31st August, September ends on its 30th day and your maximum one-month period to comply with the access request would expire accordingly.
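The counting rules above, as an added worked example that is not part of the DPC guidance or the original article: a small Python deadline calculator that applies each rule (the receipt date initiates the period, the same calendar date in the following month closes it, an end date that does not exist in the month falls back to the last day of that month, and an end date on a Saturday, Sunday or public holiday rolls forward to the next working day). The public-holiday set is a constructed placeholder; a real deployment would load the controller's own holiday calendar. The `extension_months` parameter is also an assumption, since the guidance quoted here does not say how the Article 12 extension is counted; it is treated as further whole months from the receipt date.

```python
"""Deadline calculator for DSAR responses under the one-calendar-month rule.

Added example, not part of the DPC guidance or the original article.
Assumptions are flagged in comments.
"""
import calendar
from datetime import date, timedelta

# Constructed sample of public holidays (assumption: a real deployment loads
# the controller's own holiday calendar for the relevant jurisdiction).
SAMPLE_PUBLIC_HOLIDAYS = frozenset({
    date(2024, 12, 25),  # Christmas Day
    date(2024, 12, 26),  # St Stephen's Day
    date(2025, 1, 1),    # New Year's Day
})


def add_calendar_months(start, months):
    """Same day of the month `months` later; if that day does not exist in the
    target month, the last day of that month (e.g. 31 Aug -> 30 Sep)."""
    total = start.month - 1 + months
    year, month = start.year + total // 12, total % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def is_working_day(day, holidays):
    """Monday to Friday and not a public holiday."""
    return day.weekday() < 5 and day not in holidays


def response_deadline(received, holidays=frozenset(), extension_months=0):
    """Last day on which a response is in time.

    - The day of receipt initiates the period; the period ends at the end of
      the same calendar date in the following month (weekends and public
      holidays inside the period still count).
    - If that date is a Saturday, Sunday or public holiday, the period ends
      at the end of the next working day.
    - `extension_months` is an assumption: the Article 12 extension (at most
      two further months) is counted here as further whole months from the
      receipt date; the guidance quoted in the article does not say how.
    """
    if not 0 <= extension_months <= 2:
        raise ValueError("extension may only add up to two further months")
    end = add_calendar_months(received, 1 + extension_months)
    while not is_working_day(end, holidays):
        end += timedelta(days=1)
    return end


def days_remaining(today, received, holidays=frozenset(), extension_months=0):
    """Whole days left before the deadline. Negative once the deadline has
    passed, which the guidance treats as an automatic breach."""
    return (response_deadline(received, holidays, extension_months) - today).days


if __name__ == "__main__":
    # Receipt dates chosen to exercise each rule: plain case, 31st -> 30th,
    # end date on a Sunday, end date on Christmas Day.
    for received in (date(2024, 12, 22), date(2024, 8, 31),
                     date(2024, 6, 7), date(2024, 11, 25)):
        print(received, "->", response_deadline(received, SAMPLE_PUBLIC_HOLIDAYS))
```

Because the deadline is fixed by the receipt date rather than by when the request reached the DSAR team, the receipt date recorded at intake is the value to feed into this calculation, which is one more reason to log it at the point the request first arrives.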
Although the statutory period within which employers must respond to DSARs is one calendar month, it is interesting to note that, in its guidance, the DPC ‘strongly recommends’ that data controllers put policies and procedures in place aimed at responding to DSARs within 15 days. This could be challenging for employers to comply with, particularly where there is also a legal dispute with the employee, or where the employee has been working for the employer for a long time and may have raised multiple grievances.
Extending the timeline
The guidance addresses the issue of extending the timeline to respond to a DSAR by a further two months but confirms this can only be availed of when it is necessary to do so and in the event of complex or multiple requests. Employers should be careful about exercising blanket extensions to all employee DSARs and make sure they keep a record of the reasons why they determined the extension was required as this could be queried by the DPC in the event of a complaint. The guidance sets out that extensions may be legitimate where:
- the amount of data is not readily available on the data controller’s systems;
- the data controller would need to employ extra resources to comply;
- the response will need considerable redaction of third parties’ data;
- the response requires exemptions to be applied before it can be provided.
However, the DPC guidance is clear that the situations outlined above will depend on the specific circumstances and the resources of the data controller. Poor control over personal data and poor procedures around dealing with DSARs will not assist an employer in being able to rely on any of the above points when extending the timeline to respond. In any event, the DPC recommends that the data controller extends the time as little as possible in order to comply. A blanket two month extension policy without any justifiable explanation will be difficult to stand over.
The DPC also points out that where data controllers can partially satisfy the DSAR within the initial one month timeline they should do so, and only apply the extension to the more complex aspects of the DSAR. We often recommend that employers provide everything that is easily accessible and doesn’t require redaction or exemption review to the employee as soon as possible on receiving a DSAR, for example, the employee’s contract of employment and personnel file.
The DSAR response
The guidance summarises best practice in terms of responding to a DSAR, which is similar to previous guidance issued by the DPC, but includes some interesting points and practical examples, particularly around providing context to the employee on the results. The guidance states that data controllers must allow the data subject to have ‘meaningful interaction’ with the personal data requested and must provide access to the personal data in such a way that allows the requestor to ‘grasp the actual relationship’ between them and the personal data provided. The DPC gives the example of where the personal data at issue includes handwritten notes about the data subject, the data controller cannot simply provide the data subject with access to the notes as typed up by a secretary on a digital format as the handwriting itself constitutes personal data.
The DPC also makes it clear that data subjects should not be overwhelmed by the DSAR response unnecessarily (which can sometimes be tempting with a challenging data subject!).
The DPC does recognise the time and expense that can be incurred in dealing with DSARs and helpfully reiterates that data controllers are not obliged to conduct searches which go beyond what is reasonable in terms of time and money, taking the specific circumstances into account. By way of example, where deleted emails are easily retrievable by searching the deleted folder in an email inbox then this should be included in the search. However, if the emails are permanently deleted in accordance with the employer’s retention policy, the employer is not expected to implement technology to retrieve this deleted information unless it is readily or already available to the employer.
Redaction
How far redactions should go when responding to employee DSARs is always a hotly debated topic and different organisations take different approaches to this. The DPC has a separate guidance - Redacting Documents and Records - which is a further useful guide for employers when considering their DSAR processes. In its most recent guidance, the DPC points out that redaction of names may not be enough to render third parties unidentifiable and that, for example, other details may need to be redacted to ensure a third party can’t be identified e.g. their position in the organisation.
However, employers should remember that the employee is entitled to the context in which their personal data is used and should be able to have ‘meaningful interaction’ with their personal data so an appropriate balance needs to be achieved when considering redactions.
Charging for providing the response
The guidance reiterates the position under the GDPR that data controllers may, in limited circumstances, be able to charge a reasonable fee based on their administrative costs. This would arise where two or more access requests are manifestly unfounded or excessive, or where additional copies of the personal data have been requested. In our experience, this rarely arises in the employment context. The DPC also points out that there is a high threshold to prove that a request is unfounded or excessive.
Restrictions on the right of access
The guidance sets out a helpful summary of some of the limits on the right of access under the Irish legislation. The most relevant and potentially useful exemptions for employers when considering an employee DSAR are:
- Section 60: processing for important objectives of general public interest (e.g. to exercise or defend a legal claim or in relation to opinions given in confidence); and
- Section 162: processing related to legal advice, privileged communications, or court orders.
Where an employer relies on a relevant exemption to withhold certain information, they will have to identify the relevant exemption, explain to the employee why it applies and consider conducting a necessity and proportionality test. They are also obliged to inform the employee of their right to lodge a complaint to the DPC or seek a judicial remedy. It is also important to remember that utilising the “expression of opinion given in confidence” exemption in the employment context is extremely difficult and generally employees will be entitled to see emails where managers discuss them, regardless of how potentially embarrassing or problematic disclosing these emails may be for the employer.
Conclusion
Employee DSARs are not going anywhere. DSAR-related complaints and litigation are only likely to grow in number, so employers should continue to keep their DSAR processes under review to ensure employee DSARs are properly addressed and to minimise the risk of challenge. The guidance reminds us that there is no one-size-fits-all approach to handling DSARs and that each request must be considered on its own facts and context. While the guidance is helpful for employers, it also highlights that handling employee DSARs continues to be a burdensome and challenging area.
Our advice to employers is to ensure anyone dealing with employee DSARs is aware of the guidance issued by the DPC and that, where possible, reference is made to the DPC guidance in any decisions made in respect of individual DSARs, particularly where organisations are limiting their response to an employee or seeking to extend the timeline for response.
The first article in this series looked at what employers needed to know from the Employer Guidance issued by the DPC.
For more information on this topic, or any other data protection or employment law matters in Ireland, please contact the Lewis Silkin team.