Avoid falling foul of a subject access request!

Date: 24/09/2024
Author: Lisa Bradley
Company: EML

Employers inevitably process significant amounts of personal data relating to their employees. This makes employers Data Controllers, and it means they must honour the rights their employees have as Data Subjects.

Under the UK General Data Protection Regulation (UK GDPR), one of those rights is the right of access (Article 15): an employee can ask their employer for a copy of the personal data it holds about them, together with supporting information such as the purposes for which it is processed and who it has been shared with. These requests are known as Data Subject Access Requests and are sometimes referred to as SARs or DSARs.

Personal data is any information relating to an identified or identifiable living individual. For an employee that covers the obvious identifiers such as name and email address, but also personnel records and health information (the latter is special category data and attracts extra protection). It also includes information about their job role and performance, any disciplinary or grievance proceedings, and opinions that others have expressed about them.

It is very common for current or former employees to submit SARs in order to obtain documents in connection with disciplinary or grievance processes, or with legal disputes, typically to find out what their employer and colleagues have said, or are still saying, about them behind their back.

Although this right of access has been around for 40 years, its use (or abuse, depending on your viewpoint!) for these purposes has become a real problem for employers in recent years. That is not just because of the time and effort involved in responding to requests: the information caught by a request can undermine the employer's position in an internal employment process, and it can create exposure in the context of a legal claim.

Here are some tips on how to avoid this happening:

Organisations must respond to a SAR without undue delay and in any event within one month of receipt of the request. This can be extended by a further two months if the request is complex or the individual has made a number of requests, but the employee must be told about the extension, and the reason for it, within the first month. There are serious repercussions for any organisation that fails to comply with a SAR: the employee may lodge a complaint with the Information Commissioner's Office (ICO), apply for a court order or seek compensation.

Employees can make a SAR verbally or in writing, and the request does not have to use the phrases 'subject access request' or 'right of access'. Nor does it have to be addressed to HR or to a named contact; a request sent to any part of the organisation is still valid. For example, 'please send a copy of the notes from my last performance review' or 'can you send a copy of the emails sent to HR regarding my disciplinary' are typical phrases that constitute a request, and teams should be trained to recognise them as one.

A SAR is not limited to email or hard-copy information. It also covers social media and messaging services such as WhatsApp and Microsoft Teams where they are used for work, including on personal devices. It's important to educate teams to ensure professional boundaries are not crossed when communicating about employees via such platforms.

Carefully read the request and provide only what has been asked for; do not assume you have to provide everything! If the employee has narrowed the request (for example to the notes of a particular meeting), only that falls within scope, whereas a request for 'all my personal data' means exactly that. Search every place the data could reasonably be held, including email, HR and personnel systems, messaging platforms, shared drives, external hard drives, memory sticks and social media, and keep a record of where you searched and what you found in case the ICO or a court asks. Redact other people's personal data where it would not be reasonable to disclose it without their consent, but remember that what a manager or colleague wrote about the requesting employee is that employee's personal data and must be provided. Disclose the information securely and in an accessible format; if the request was made electronically, provide the response in a commonly used electronic format unless the employee asks otherwise.

It's important not to get caught out! Employers should be mindful to treat other people's personal data as they would want their own treated. We would advise communicating electronically only what you would be happy to share with others, particularly when discussing a disgruntled employee. Know when to break off from written communication and engage in verbal dialogue instead, and don't be fooled into thinking that using initials instead of full names will keep related documents out of a SAR: if the person can be identified from the initials in context, it is still their personal data.

If you require assistance handling SARs, or have any other HR, Employment Law or Health & Safety issues you would like to discuss, get in touch on 01942 727 200 or email enquiries@employeemanagement.co.uk to speak to a member of the team without obligation.