Subject access requests: Do you have to spend £100k?
Daniel Pollard and Christopher Stone, May 11, 2017
The Data Protection Act gives employees the right to know what information you hold on them
An individual has a right to make a request for his personal data under the Data Protection Act 1998 (DPA). This right was intended to allow data subjects to understand what information is held about them but is often used by disgruntled employees who want to dig for information that might prove useful in an employment tribunal claim.
There has been much uncertainty about the extent to which employers have to respond to such requests. This has recently been considered in three key Court of Appeal decisions: Dawson-Damer v Taylor Wessing, Ittihadieh v 5-11 Cheyne Gardens, and Deer v University of Oxford.
How much time and effort do we have to go to?
It can be relatively easy to locate references to individual employees' names using automated keyword searches. However, not every reference to an individual's name constitutes their personal data, and a manual review of those search results is required to:
- decide what information (if any) in proximity to their name constitutes that individual's 'personal data';
- extract the personal data from the document in question;
- apply the various exemptions.
This process is important because often employees are seeking advance disclosure of entire documents but, in contrast to disclosure in legal proceedings, the employer does not have to provide the entire document, only the personal data within it.
The DPA includes an exception where “the supply of ... a copy … would involve disproportionate effort”. The Court of Appeal has made it clear that this exception applies to the entire effort in finding and providing the personal data, not just providing copies. It said “the EU legislature did not intend to impose excessive burdens on data controllers”.
This is hugely helpful for employers because it means that an employer does not have to do further searches where the cost of doing so would outweigh the benefit to the employee of the data provided. But knowing when that point is reached is not easy. In one case the data controller’s solicitors had already charged £116,000 to review some 500,000 documents before the courts said it did not have to go any further.
Do we have to respond if the employee is already suing us?
For many years, there was a line of cases which suggested that an employer may not have to respond to a subject access request if the purpose of the request was to obtain pre-action disclosure of documents that may help in future litigation. The Court of Appeal has agreed with the ICO that the purpose of making the request does not invalidate a SAR but an illegitimate purpose may be a relevant factor when the court exercises its discretion to order compliance.
What if an employer does not comply?
The usual response from employees is a complaint to the ICO. The employer will need to be prepared to explain to the ICO the steps it has taken to comply. Following the decisions of the Court of Appeal, employers should seek guidance from the ICO on the application of the proportionality principle.
Less commonly, employees may instead bring a claim under the DPA asking the court to order compliance or payment of compensation. These claims are brought in the civil courts with the cost consequences that follow. The court has a discretion as to whether to order disclosure. The Court of Appeal has confirmed that it should take into account that there may be employment tribunal proceedings ongoing, the extent of the breach, the reason for the request and whether the request was proportionate.
What’s an action plan and why should we have one?
Many subject access requests ask for “all information” held about the employee and in these cases employers should create an action plan for responding:
- Consider what is requested, why it was made, the benefit for the employee and any alternative sources of that information.
- Determine where the data are held, in what format and how they can be searched.
- Run initial searches to determine the number of hits; consider liaising with the data subject at this stage to get agreement on what searches will be done, which keywords used and what reasonable limitations on the scope of the exercise can be agreed.
- Evaluate the risk of disclosing information in documents which goes beyond the personal data to which the subject is strictly entitled and the extent of the (costly) manual review.
- Document a 'plan of action' for searching, reviewing and extracting the personal data. Estimate the costs of this exercise – both internal management time and external legal cost (if applicable).
Documenting a plan of action in this way will place the employer in the best position if it has to later justify its position to either the court or to the ICO.
Daniel Pollard is a partner at GQ Employment Law and Christopher Stone is a barrister at Devereux Chambers