Employee data sought in connection with potential tribunal cases must generally be handed over, says ICO

Out-Law News | 09 Aug 2013 | 10:00 am | 4 min. read

Businesses cannot refuse to hand over records containing employees' personal information just because they suspect the information could be used against them in an employment tribunal, the UK's data protection watchdog has said.

Only if businesses can claim legal professional privilege can they withhold information that employees ask for through a subject access request (SAR) in such cases, the Information Commissioner's Office (ICO) has said.

"Where legal professional privilege cannot be claimed, you may not refuse to supply information in response to a SAR simply because the information is requested in connection with actual or potential legal proceedings," the ICO said in a new code of practice it has issued on subject access requests (58-page / 1.02MB PDF).

"The DPA (Data Protection Act) contains no exemption for such information; indeed, it says the right of subject access overrides any other legal rule that limits disclosure. In addition, there is nothing in the Act that limits the purposes for which a SAR may be made, or which requires the requester to tell you what they want the information for," it said.

"The code provides a few glimmers of hope about how the ICO will exercise its discretion in relation to enforcement action, but in the main confirms what we already knew about the lack of proportionality in the underlying law relating to what data controllers are obliged to do to comply with SARs," said data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com.

The ICO said that it does not recognise that there is any authority or case law giving organisations the right to refuse access where the request is "contemplating or has already begun legal proceedings" but it conceded that it is at the discretion of courts to determine whether businesses must comply with a SAR.

"If a court believes that the disclosure of information in connection with legal proceedings should, more appropriately, be determined by the Civil Procedure Rules (the courts’ rules on disclosure), it may refuse to order personal data to be disclosed," the ICO said.

"Businesses should be aware that SARs can and are used by claimant lawyers as a mechanism for pre-action disclosure," employment law expert Ed Goodwyn of Pinsent Masons, the law firm behind Out-Law.com, said.

"Generally, only those documents which are legally privileged are exempt from disclosure under a SAR. If you need to communicate between management on an employee on a sensitive issue which could embarrass you, do not send an email – call your colleague instead. It's good to talk! Remember also that simply cc’ing an email to your lawyer will not necessary make something subject to legal professional privilege as, for privilege exemption to work, the lawyer must at least be giving legal advice for privilege to attach," he said.

Under the DPA organisations are generally required to provide a copy of the personal data they hold about an individual when that individual requests access to it within 40 days of receiving that request.

In order to comply with SARs, organisations must generally provide the information in an "intelligible form". The copy must also be in "permanent form unless the supply of such a copy is not possible or would involve disproportionate effort, or the data subject agrees otherwise."

According to the ICO's new code, businesses must "make extensive efforts to find and retrieve the requested information". However, companies are not obliged to carry out an "unreasonable or disproportionate" search for information in order to disclose data under in accordance with individuals' subject access rights, it said. The disproportionate effort exception has caused "considerable confusion", the ICO conceded, but businesses can only rely on it in "the most exceptional of cases".

"It will never be reasonable to deny access to the requested information merely because responding to the request may be labour-intensive or inconvenient," the ICO said, though.

According to the code, businesses can legitimately determine not to respond to SARs that they consider to be repeats of previous, recent requests.

"The DPA does not limit the number of SARs an individual can make to any organisation," the ICO's guidance said. "However, it does allow some discretion when dealing with requests that are made at unreasonable intervals. The Act says you are not obliged to comply with an identical or similar request to one you have already dealt with, unless a reasonable interval has elapsed between the first request and any subsequent ones."

The ICO said that businesses should consider the "nature of the data" being sought, such as its sensitivity; the purposes for which it is processed, including whether the processing is "likely to cause detriment (harm) to the requester"; and how often data is altered when determining whether there is a need to respond to a repeat SAR.

"If information is unlikely to have changed between requests, you may decide that you need not respond to the same request twice," the ICO said. It said said that businesses should inform individuals of the reasons why they believe it is unnecessary to comply with SARs for this reason.

The ICO's new code also explains how businesses should handle multiple SARs received at once, such as in the context of bulk requests submitted by claims management companies on behalf of individuals.

Even though the ICO conceded that responding to a high volume of requests at once may be burdensome on organisations' resources, it said businesses are not relieved of their obligation to consider SARs on an individual basis and their duty to respond to them "appropriately".

However, the watchdog said that it could be minded to grant businesses a certain amount of leeway when reviewing complaints about their handling of SARs if businesses had to deal with a large number of requests for data at once.

"In considering a complaint about a SAR, the ICO will have regard to the volume of requests received by an organisation and the steps it has taken to ensure requests are dealt with appropriately even in the face of a high volume of similar requests," the ICO said. "The organisation’s size and resources are likely to be relevant factors. The Information Commissioner has discretion as to whether to take enforcement action and would not take such action where it is clearly unreasonable to do so."