Data subject access requests

One of our former account managers, who has recently resigned from her role after five years, has made a data subject access request asking for a copy of all emails about her. Are we compelled to respond to her request?

All of your employees and former employees have a right to make a data subject access request (DSAR) to you in order to find out what “personal data” is held about them and, generally speaking, you have a legal obligation to respond to the DSAR within 40 days of receipt. The Information Commissioner has produced a Code of Practice which sets out how to deal with DSARs.

In practice, DSARs are often used as a tool by employees and former employees as a means of assisting them in litigation or potential litigation and can often be frustratingly onerous and time-consuming for employers, particularly where (as in this case) there is five years’ worth or more of data about the individual.

If the scope of the DSAR is particularly wide or onerous, you could consider asking the account manager to clarify or narrow the ambit of the DSAR by providing you with the subject matter of the emails she would like you to search for and the date ranges of such emails. This will also have the effect of buying you a little more time. Alternatively, if you and the account manager are in the throes of litigation, you may wish to try to delay responding to the DSAR further by explaining to the account manager that much of the requested information is expected to be provided in due course as part of the disclosure exercise under the Civil Procedure Rules or the Employment Tribunal Rules.

If and when you do comply with the account manager’s DSAR, the information requested should be provided in “intelligible and permanent form”. However, if you are at all wary about providing the requested information, a useful (albeit time-consuming) strategy could be to set out all of the “personal data” in one, long document, instead of copying each of the emails in a user-friendly electronic format.

Of course, a final strategy (and the riskiest approach of all) would be to ignore the account manager’s DSAR entirely. The remedies available to her at this stage are fairly limited and include:

  • the Information Commissioner serving a notice requiring you to give the information;
  • a court order ordering compliance with the DSAR; and
  • an award for damages, if the account manager can show that she has suffered damage.

Many individuals may not wish to go to the cost and effort of trying to enforce the DSAR (indeed, there have been no enforcement notices issued by the Information Commissioner in relation to DSARs in the past year). However, each DSAR should be considered on its own merits. Before deciding to ignore a DSAR, you should weigh up the risks of becoming involved in these potentially costly disputes, and of being named publicly by the Information Commissioner as “at fault”, against simply complying with what could turn out to be a fairly simple request.

Finally, in preparation for any future DSARs, you may also wish to consider:

  • introducing a data protection policy, which deals specifically with DSARs and how they should be dealt with;
  • training your staff so that they know how to respond to DSARs;
  • having a form or system which tracks the progress of a DSAR, which would assist you if you are ever required to demonstrate compliance with the subject access provisions by the Information Commissioner; and
  • whether it would be appropriate to have a data management system pursuant to which personal data, particularly in relation to former employees, is deleted once it is no longer required.
