Out-Law / Your Daily Need-To-Know

Employers will face tough challenges in handling subject access requests under new data protection regime, say experts

Out-Law Analysis | 21 Apr 2016 | 11:41 am | 5 min. read

FOCUS: Employers may need to rethink the way they handle subject access requests (SARs) from staff to ensure they comply with new EU data protection laws that have been finalised.

The General Data Protection Regulation (GDPR) will require employers to respond to SARs in a shorter timeframe than that which applies under existing UK data protection laws when it comes into force in the middle of 2018.

The new timeframe will pose a challenge for employers that do not have a defined process for handling SARs. A failure to meet the deadline or provide employees with access to all the data they request could expose employers to a significant fine under the new Regulation.

Handling SARs under the Data Protection Act

Under the UK Data Protection Act people have a right to obtain a copy of the personal data organisations hold on them upon filing a request for that information. This includes employees requesting data held by employers. Those requests are called data subject access requests (SARs) and must generally be complied with within 40 days.

Supplemental information also has to be disclosed by organisations alongside the personal data they provide in response to SARs. That includes information about the type of personal data they hold about the requester, what the purposes of their processing is and details of the third parties to whom the requesters' data may be disclosed, as well as the logic involved in any decisions taken on the basis of personal data processing carried out by computer algorithms.

If individuals are not happy with what information they have received under a SAR, they have the option to complain to the UK Information Commissioner's Office (ICO) or to seek a court order requiring disclosure. The ICO and courts have the power to order organisations to comply with SARs if they consider those organisations have not complied fully with the SAR, for example where an organisation did not disclose all personal data held because it had failed to conduct adequate searches. 

Employers are often asked to disclose the data they hold about employees in the context of a broader employment dispute. The data employers hold about staff can be contained in a number of different systems, from HR records to email exchanges between other employees, and so retrieving all the data employees request can be challenging within the prescribed 40 day timeframe.

The proportion of data protection complaints handled by the ICO that concern SARs highlights the difficulties many organisations already face in complying with the rules on SARs.

Last year the way in which organisations handled SARs was the most commonly complained about data protection issue raised with the ICO, accounting for 46% of all data protection complaints handled by the watchdog. The previous year half of all data protection cases dealt with by the ICO were about SARs. Despite receiving a high number of complaints about the issue, the ICO's enforcement action in relation to SARs cases is proportionality lower than in respect of other data protection issues, such as data security breaches.

However, under the GDPR the time that employers will have to respond to SARs will reduce, raising questions about the ability of many organisations to fulfil their obligations in line with the new Regulation.

Handling SARs under the General Data Protection Regulation

The GDPR's provisions on SARs place new obligations on organisations.

Under the Regulation organisations must respond to SARs "without undue delay and at the latest within one month".

Extra supplemental information also has to be provided to requesters alongside their personal data than is the case under the DPA. This includes, where possible, details of "the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period".

Further information must also be provided to explain requesters' rights to request the rectification or erasure of their data or to object to processing activities, as well as their right to lodge complaints with data protection authorities and to identify where they have sourced requesters' personal data from where it has not been collected directly from the individual.

Requesters also have a right to be given details of the safeguards applied where their data is transferred outside of the European Economic Area.

What should employers do in practice?

To comply with the new requirements it will be important for employers to outline a specified process for handling SARs. Employers will not have the luxury of waiting days before beginning to retrieve data from their systems. It is important therefore that staff are sufficiently trained to identify that a request from an employee constitutes a SAR and that individuals tasked with managing the response to SARs are handed the requests that come in expeditiously.

The process should be designed so that work can begin on the retrieval of data as soon as is practicably possible, so that an informed decision can be made about what information constitutes personal data and whether other information contained alongside that data should be withheld or redacted for reasons of commercial sensitivity or to respect the privacy rights of others, for example.

In addition, employers should develop standardised wording that provides the supplemental details they require to disclose alongside the requesters' data.

Consequences of non-compliance

To-date organisations have avoided heavy fines for non-compliance with the rules on SARs under the DPA. However, the ICO could find itself under more pressure to fine businesses that do not meet their obligations under the GDPR.

Although the Regulation's formal mechanism for ensuring cross-border data protection cases are handled consistently by data protection authorities will generally not apply to SARs cases, the general theme of greater harmonisation of data protection policy across the EU could require the ICO to ensure its actions are in step with those taken by other watchdogs in terms of determining when an organisation's non-compliant SAR response is sufficiently serious to warrant a monetary penalty and if so, the level of that penalty.

The extent to which the ICO would be bound to follow actions of other authorities in the EU is uncertain. An ICO spokesperson told Out-Law.com that the Article 29 Working Party will discuss "general enforcement co-ordination" under the Regulation. The Working Party is made up of representatives from all national data protection authorities in the EU.

The ICO spokesperson also confirmed that EU countries will also have some room under the Regulation to pass their own specific derogations for SARs, particularly for public sector bodies.

What is certain is that the potential penalties for non-compliance with SARs rules will increase substantially under the GDPR. At the moment the ICO can issue fines of up to £500,000 for serious breaches of the DPA. Under the Regulation it will have the power to serve fines of up to 4% of a business' worldwide annual turnover of the preceding financial year, or €20 million if higher.

The potential stiffer sanctions and the uncertainty around the extent to the which the ICO's actions will be in step with those taken by other watchdogs further stresses the need for companies to establish the correct procedures and training for managing SARs under the new regime.

Christopher Mordue, Sue Gilchrist and Kathryn Wynn are experts in data protection and employment law at Pinsent Masons, the law firm behind Out-Law.com.