If you were to receive multiple subject access requests would you able to respond effectively? Do you have a process in place that will run smoothly and save you time? The reason this has become a big issue is no small part due to the impact of Covid-19 and the surge in litigation we have seen over the past 12 months. The HR Director has just reported on that. Their headline is 'Litigation boom as Covid-19 sparks wave of claims' and is based on data from claims management companies forecasting a 40% rise in litigation with the impact likely to be felt from spring, so around now, and into the summer. The issues mostly relate to Covid-19 and include workplace safety violations and negligence as well as unfair dismissal and discrimination resulting from job losses. The focus of that article is employers' insurance but we think there is another important angle to this, namely data protection and, specifically, data subject access requests, DSARs, which are, of course, a common tactic to elicit information before a claim is issued. A reminder – individuals have the right to make requests to find out whether or not you are processing their personal data. If you are, they have the right to access copies of that data and you must provide them with information about how you are processing it – so typically things like notes and witness statements relating to a grievance or redundancy exercises. So let's get a view on this. Katy Docherty is a data specialist and has been advising clients on this area. She joined me by video-link from Glasgow:
Katy Docherty: "So I think that what quite a lot of our clients are starting to anticipate is that they are also going to see this litigation boom from their own employees, potentially from subcontractors, clients, or even customers because of the implications of the pandemic both in terms of health and safety and in terms of job security and potential redundancies and we do think that that is a trend that we are going to see increase, we do think there is likely to be an increase in litigation resulting from these different aspects of Coronavirus. What we're starting to see is requests from clients for help in preparing for the various aspects of those litigations and one of the key aspects will be that we also think the increase in litigation will correlate with an increase in subject access requests because as we all know these do come in from disgruntled employees, from those who are facing redundancy, or have a complaint about some aspect of the way their employer has treated them and we think that coupled with an increased awareness that people now half of their data rights, we think that, along with the increase in litigation means that we're likely to see a greater number of subject access requests and plenty of our clients are very alive to that and we're starting to see requests for things like training of the HR team and of managers. Plenty of clients that are aware that they need a better subject access request protocol in place. So I think in terms of some practical advice for those clients who are perhaps at the start of that journey, just starting to get their head around the fact that we are likely to see more litigation arising out of Coronavirus and the associated increase in subject access requests, I think some key issues to think about when you're starting on that process are as follows. First of all, the best tool in your armoury for dealing with a subject access request fairly and in an organised way is having a proper process to follow. So a protocol, a workflow that everybody who deals with requests knows how to access and knows the importance of dealing with that, because it will mean that when you get a request, you've thought in advance of how best you're going to deal with it. Another key thing to start considering is the upskilling, or the training, not just of the HR team who may have to deal with these requests on the ground, but of managers, for example, who are dealing with, for example, large scale redundancy programmes. So training and how to recognise a subject access request that perhaps comes in during a consultation meeting, for example, training on what your internal protocol is so that they know where to send these requests and there isn't a delay in dealing with them. Then also some more basic training perhaps around, you know, if you're about to embark on a big redundancy, letting managers know that people do have the right to see what data the company holds about them and so they have to be quite careful and very professional about what they commit to writing about people because it could ultimately end up being seen by them. So in terms of forward planning I do think that upskilling of not just the HR team, but of the staff members managing, for example, redundancies or, or the health and safety side of things when accessing a site of an office is really important. Some other key points to bear in mind when you're dealing with a SAR is that quite often, particularly in the employment context, they will arise out of quite sensitive situations. So again, we go back to the example of a redundancy, there will probably be quite a lot of emails internally about that redundancy exercise, you may have taken legal advice on it, and so I think that ensuring that team members are aware of the different exemptions to the right of access, what documents don't have to be disclosed to an individual is as important as those team members being able to identify what is disclosable. So for example, an awareness of legal privilege and the fact that documents that are legally privileged don't need to be disclosed is important from the business perspective. The example of management forecasting."
Joe Glavina: "Can I jump in there Katy on these exemptions because I guess a lot of managers won't understand the scope of the request, thinking that they have to hand everything over."
Katy Docherty: "I think quite a common issue that managers will come across as this idea of scope and the worry that every single piece of personal data that the company holds on that person is disclosable. Very technically, if a person wants copies of their personal data they are entitled to see that but what a lot of clients seek advice on is when it's possible to push back on that, for example, if the request is disproportionate, there's too much data, and we will also quite often see companies negotiating and liaising with individuals to work out what is the information that is most important to them? What are they really hoping to get out of the subject access request and does that allow us to narrow the parameters? I think an awareness of that is very important in terms of dealing practically with a DSAR both in terms of managing the workload for the business but also in terms of ensuring that the individual who has made that request gets the data that is most important to them."
Back in October the ICO issued new guidance to help employer's handle data subject access requests. It's helpful because it clarifies some of the grey areas that have really persisted since the new Data Protection Act was introduced in 2018, for example an explanation of what amounts to a 'complex data subject access request'. That's important because, in that case, the normal time limit of 30 days to comply with the request - not long at all - is extended by a further two months, so do be aware of that. We have put a link to that guidance in the transcript of this programme.
- Link to ICO guidance on data subject access requests