Back to Insights- Data Protection
Shorter Reads
Data Subject Access Requests: Six key issues for HR Teams
Data Subject Access Requests (DSARs) are now commonly made by disaffected employees, or those facing disciplinary action.
2 minute read
Published 4 April 2022
Authors
- Visit profile
Patrick Wheeler
Partner - Head of IP & Data Protection
- Read more from Patrick
Key information
- Specialisms
- Business
- Services
- Data Protection
The Data Protection Act 2018, incorporating UK GDPR, has raised the profile of individual data rights. Data Subject Access Requests (DSARs) are now commonly made by disaffected employees, or those facing disciplinary action. They can be time consuming and disruptive to deal with, so it is vital that organisations, and their HR functions in particular, know how to recognise them, who has responsibility for coordinating a response, and what procedures need to be followed.
So what are the key issues?
1. How do I recognise a DSAR?
There is no set form for a DSAR. Any oral or written request to see what personal data an organisation holds, is likely to be a DSAR. Staff should be trained to recognise a potential request and know where to refer it. Either a Data Protection Officer (DPO) or a dedicated manager with both the authority and responsibility to deal with DSAR responses is needed. This can be within HR or a legal/compliance function. A formal policy and procedure can help to streamline the process.
2. Who can make a DSAR, and when does the clock start?
Typically, it will be an employee or a customer, but it could be any living individual. The first priority is to confirm the identity of the requester. If there is any doubt, you should ask for verification, like a photo ID. The clock starts as soon as the request is received, but it can be paused if verification is needed. A full reply should be given within one month unless the request is complex, so any delay in the process risks becoming a breach.
3. What data needs to be disclosed?
A DSAR can either be general (all personal data) or specific, e.g. data in notes of meetings and discussions which led to disciplinary action being taken. Personal data is widely defined so you will need to carry out a search wide enough to capture everything of possible relevance and then conduct a manual review. HR records are likely to be a key source of personal data.
‘Data’ is not necessarily the same as ’documents’. There is no obligation to disclose documents, although that may be the simplest way to provide the data.
If documents contain the personal data of more than one individual, great care should be exercised. You may need either to ask for consent to such disclosure, or to redact data that does not relate to the requester. Disclosing someone else’s data without a valid reason will be a data breach. There may also be sensitive or confidential data which needs to be carefully assessed to establish whether it needs to be disclosed or not.
4. Do any exclusions apply?
There are a number of exclusions that may apply in any particular case, but these are all narrowly defined, so you must be absolutely clear that they apply rather than take a chance.
5. Can I refuse to respond?
Unless a specific exclusion applies, no. If a request is either ‘manifestly unfounded’ or ‘manifestly excessive’ then you may refuse to respond, but the bar is a high one, so you must be able to explain in detail why you believe they apply.
Conclusion
There are numerous pitfalls in responding to a DSAR. Getting it wrong will be a data breach. A regulatory investigation by the Information Commissioner’s Office (ICO) can result in enforcement action (including hefty fines), and a possible claim for damages by the data subject(s).
DSARs are clearly on the increase, so it will be a sound investment for businesses to be prepared. Even organisations with a dedicated DPO and detailed policies and procedures can find it helpful to seek external advice, and if you have neither, an independent expert can significantly reduce both the risk and the stress.
This article was first published on People Management
Related latest updates
PREV
NEXT
Shorter Reads
Read more
Digital Driving Licence to be introduced by the Government
Shorter Reads
Read more
ICO response to the Data (Use & Access) Bill (DUAB)
Longer Reads
Read more
Data (Use & Access) Bill introduced to Parliament – what does this mean for businesses?Shorter Reads
Read more
Fired over Mouse Jiggling: the employment law risks of TikTok ‘work hacks’Longer Reads
Read more
UK Information Commissioner introduces new approach to enforcement
Longer Reads
Read more
Two key decisions highlight issues when handling children’s dataLonger Reads
Read more
Demystifying the UK government’s proposed reforms to data protection lawsLonger Reads
Read more
Recent trends in data breach litigation
Shorter Reads
Read more
Royal Mail cybersecurity incident a reminder of the international reach of the UK GDPRShorter Reads
Read more
Monitoring staff – employers should not expect to see staff chained to their desks all dayShorter Reads
Read more
Scrapping GDPR regulations likely to cause additional red tape for UK businesses
Longer Reads
Read more
Don’t let your cookie compliance crumbleShorter Reads
Read more
Data privacy update: International data transfersShorter Reads
Read more
Rights without responsibilities?Shorter Reads
Read more
Data subject access requests are ‘weaponised’ as disgruntled customers seek to ‘tie businesses in knots’Shorter Reads
Read more
AI regulation in financial services and how the UK diverges from EU rules
Longer Reads
Read more
Domestic CCTV: are you compliant?Longer Reads
Read more
GDPR: New Guidelines on international data transfersLonger Reads
Read more
Dear Santa…A Cautionary Data Privacy Tale
Podcasts
Listen now
Article 27 of the GDPR – Do you need to appoint a UK/EU Data Representative?
Shorter Reads
Read more
ESG and Data ProtectionPodcasts
Listen now
GDPR and Artificial Intelligence in the workplace
Longer Reads
Read more
What are the limits on video surveillance in the workplace?Longer Reads
Read more
Complying with data laws when engaging with freelancers
Shorter Reads
Read more
UK data protection standards to be deemed adequate by the EUShorter Reads
Read more
Ikea fined €1 million for illegal staff surveillance
Shorter Reads
Read more
Is your personal data safe on Zoom?Shorter Reads
Read more
Firmware cyber-attacks: the next big thing?Shorter Reads
Read more
Website cookies crumble as they fail to meet legislationShorter Reads
Read more
Post-Brexit breathing space for EU-UK transfers of personal dataShorter Reads
Read more
Now is the time to review your data protection policiesLonger Reads
Read more
The end of the Brexit transition period: what this means for your business’s data protection...
Shorter Reads
Read more
No rest for the European Data Protection BoardShorter Reads
Read more
Test-and-trace data sharing: a healthy lesson for private-sector businesses on the importance of transparency
Shorter Reads
Read more
Good(ish) news for BA
Shorter Reads
Read more
New EDPB guidelines: copying and pasting GDPR provisions into your commercial agreements isn’t enough
Longer Reads
Read more
Privacy Shield invalidated: what this means for your data flows to the US
Shorter Reads
Read more
No Data Protection Impact Assessment (DPIA) undertaken for Test and Trace programme – but what is a...Shorter Reads
Read more
Preparing for 4 July: Pubs and restaurants required to collect customers’ detailsShorter Reads
Read more
Protecting Personal Data as Lockdown unlocks
Shorter Reads
Read more
Babylon Health admits GP app suffered a data breachShorter Reads
Read more
easyJet’s woes worsenShorter Reads
Read more
Cathay Pacific, British Airways, easyJet – what’s the connection?
Shorter Reads
Read more
Data protection in the time of coronavirusLonger Reads
Read more
WM Morrisons Supermarkets plc v Various Claimants – Supreme Court hands down decision
Shorter Reads
Read more
Zoom under increased scrutiny as popularity rises
Longer Reads
Read more
Privacy and real-time bidding: An updated guide for adtech vendors and publishersLonger Reads
Read more
How to limit reputational damage after a data breach
Shorter Reads
Read more
British Airways facing record GDPR fineLonger Reads
Read more
AI: It’s time to ExplAInShorter Reads
Read more
It’s time to AI-xplainNews
Read more
GDPR anniversary to be marked with big finesShorter Reads
Read more
Why GDPR isn’t last year’s newsShorter Reads
Read more
Facebook and Cambridge Analytica – the GDPR implicationsShorter Reads
Read more
GDPR – Smaller charities at risk
Related content
Shorter Reads
Data Subject Access Requests: Six key issues for HR Teams
Data Subject Access Requests (DSARs) are now commonly made by disaffected employees, or those facing disciplinary action.
Published 4 April 2022
Associated sectors / services
Authors
The Data Protection Act 2018, incorporating UK GDPR, has raised the profile of individual data rights. Data Subject Access Requests (DSARs) are now commonly made by disaffected employees, or those facing disciplinary action. They can be time consuming and disruptive to deal with, so it is vital that organisations, and their HR functions in particular, know how to recognise them, who has responsibility for coordinating a response, and what procedures need to be followed.
So what are the key issues?
1. How do I recognise a DSAR?
There is no set form for a DSAR. Any oral or written request to see what personal data an organisation holds, is likely to be a DSAR. Staff should be trained to recognise a potential request and know where to refer it. Either a Data Protection Officer (DPO) or a dedicated manager with both the authority and responsibility to deal with DSAR responses is needed. This can be within HR or a legal/compliance function. A formal policy and procedure can help to streamline the process.
2. Who can make a DSAR, and when does the clock start?
Typically, it will be an employee or a customer, but it could be any living individual. The first priority is to confirm the identity of the requester. If there is any doubt, you should ask for verification, like a photo ID. The clock starts as soon as the request is received, but it can be paused if verification is needed. A full reply should be given within one month unless the request is complex, so any delay in the process risks becoming a breach.
3. What data needs to be disclosed?
A DSAR can either be general (all personal data) or specific, e.g. data in notes of meetings and discussions which led to disciplinary action being taken. Personal data is widely defined so you will need to carry out a search wide enough to capture everything of possible relevance and then conduct a manual review. HR records are likely to be a key source of personal data.
‘Data’ is not necessarily the same as ’documents’. There is no obligation to disclose documents, although that may be the simplest way to provide the data.
If documents contain the personal data of more than one individual, great care should be exercised. You may need either to ask for consent to such disclosure, or to redact data that does not relate to the requester. Disclosing someone else’s data without a valid reason will be a data breach. There may also be sensitive or confidential data which needs to be carefully assessed to establish whether it needs to be disclosed or not.
4. Do any exclusions apply?
There are a number of exclusions that may apply in any particular case, but these are all narrowly defined, so you must be absolutely clear that they apply rather than take a chance.
5. Can I refuse to respond?
Unless a specific exclusion applies, no. If a request is either ‘manifestly unfounded’ or ‘manifestly excessive’ then you may refuse to respond, but the bar is a high one, so you must be able to explain in detail why you believe they apply.
Conclusion
There are numerous pitfalls in responding to a DSAR. Getting it wrong will be a data breach. A regulatory investigation by the Information Commissioner’s Office (ICO) can result in enforcement action (including hefty fines), and a possible claim for damages by the data subject(s).
DSARs are clearly on the increase, so it will be a sound investment for businesses to be prepared. Even organisations with a dedicated DPO and detailed policies and procedures can find it helpful to seek external advice, and if you have neither, an independent expert can significantly reduce both the risk and the stress.
This article was first published on People Management
Associated sectors / services
- Data Protection
Authors
Need some more information? Make an enquiry below.
Subscribe
Please add your details and your areas of interest below
Article contributor
Patrick
WheelerPartner - Head of IP & Data Protection
Specialising in Intellectual property disputes, Data protection, Digital, Intellectual property and Manufacturing
Enjoy reading our articles? why not subscribe to notifications so you’ll never miss one?
Subscribe to our articlesMessage us on WhatsApp (calling not available)
Please note that Collyer Bristow provides this service during office hours for general information and enquiries only and that no legal or other professional advice will be provided over the WhatsApp platform. Please also note that if you choose to use this platform your personal data is likely to be processed outside the UK and EEA, including in the US. Appropriate legal or other professional opinion should be taken before taking or omitting to take any action in respect of any specific problem. Collyer Bristow LLP accepts no liability for any loss or damage which may arise from reliance on information provided. All information will be deleted immediately upon completion of a conversation.
Close
