How to handle subject access requests
SARs are costly and time-consuming to carry out. But a recent rise in their popularity, and the forthcoming GDPR, mean employers need to get their heads round their requirements
Our firm usually sees one or two clients per year with employees who have lodged subject access requests (SARs), but already this year we’ve seen nine – indicating a possible surge in the number of employees who are lodging such requests.
One likely reason for the rise is the introduction of fees for individuals to bring employment tribunal cases. These increase the incentive for employees to ‘go nuclear’ at an early stage, to extract maximum leverage to force an employer to settle before a tribunal fee even needs to be paid. SARs provide just such a weapon, given the cost, inconvenience and potential risk to the employer of compliance.
The ammunition a judiciously used SAR can deliver is illustrated by a recent example where the retrieval of an email exchange between managers clearly showed redundancy candidates had been identified before any selection scoring or consultation. The redundancy dismissal would have been deemed unfair if it had gone any further.
More generally, employees are becoming more knowledgeable about their legal right to seek information on any company matters relating personally to them, which is contributing to the increase in SARs.
The devil’s in the data
For employers, putting a response together involves onerous duties such as searching for documents and redacting third-party data, with the need for associated legal advice. Then there is the need to consider unhelpful emails that could complicate the defence of an existing or anticipated claim at tribunal.
Such complexities, however, are not necessarily a justifiable reason for non-compliance with a SAR. The Information Commissioner's Office will look unfavourably on any employer that fails to provide relevant data or make a significant attempt to pull together the data that’s been sought. Nonetheless, there are some steps that employers can take to lessen the impact.
Where a SAR is very general, employers can ask the individual to set a specific timeframe for the search for data; for example, a six-month limit in advance of a redundancy consultation or the refusal of a promotion – if the individual suspects discrimination as the reason for the refusal to promote. Having to search through the whole of the individual’s employment is possibly unreasonable.
It is also beneficial to try to agree whose document filing system or inbox should be included in the search for data, and even the exact keywords to search against; for example, ‘Tom’ rather than ‘Tommy’.
Other strategies include appointing someone within the company to manage the process and be responsible for ensuring an adequate search within the relevant timescale. It is best to advise employees involved in the search not to destroy any data, even if it is unhelpful.
Finally, it is important to ensure that third-party identities and personal data are protected unless consent is obtained, and to consider data that may be exempt; for example, legally privileged advice.
Rougher seas ahead
The challenges created by SARs may appear already considerable, but the General Data Protection Regulation (GDPR), which comes into force in May 2018, will make the process even more complex to navigate for employers.
The current timeline of 40 days to respond will reduce to 30 days. Given that most employers currently delay dealing with SARs until the last moment, such changes open the organisation up to significant fines.
There will be other new requirements, such as advising those who have made a SAR of the “envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period”. Employees must also be given an explanation of the right to rectify or erase their data, or to object to processing activities, and be told where their personal data has been sourced.
There is no doubt that managing SARs will become a great deal more difficult, with greater penalties, when GDPR becomes law.
Helen Goss is an employment law partner at Boyes Turner
Copyright © 2017 Stallard Kane Associates. All rights reserved.