A Subject Access Request, known as an S.A.R., is a request made by an employee to their employer for information held about them. Although there could be a number of motives for these requests, they are typically made as part of an intended grievance.
As an unexpected side effect of living and working in a pandemic, many organisations are considering the potential for an increase in these requests over the next few months, primarily from disgruntled employees furloughed or laid off due to Covid-19.
Today, in our first ‘Q&A’ style blog, we will be addressing the nature of the S.A.R., what’s required, and how employers can be prepared for handling this decidedly tricky event.
Q. An employee has asked to know what personal data we hold on them and how we are using it. I’m used to hearing this from clients but not employees. Is this a genuine thing?
Yes. When an individual asks what data you hold on them, it is known as a Subject Access Request, or an S.A.R. You can receive them from current or former clients and customers, as well as current and former employees.
Q. They didn’t call it an ‘S.A.R.’ They just asked for all of their data.
A request such as this qualifies as an S.A.R., even if the employee doesn’t use those specific terms. An S.A.R. can be made in written form (letter or email), or orally (in person or over the phone), and can even be submitted via social media or messaging platforms, both internal and external (intranet messaging systems, Facebook, Twitter, etc.). It is important that you and your relevant team members are trained in identifying an S.A.R. when it comes in, to ensure it is responded to promptly.
Q. Why would they ask? Might they have a problem with me?
An S.A.R. can be motivated by general interest, but the overriding reality is that most requests like this come from individuals who have taken issue with the organisation or have a dispute with their employer or another colleague. Since the change in data regulations introduced via the GDPR in May 2018, now incorporated into the Data Protection Act 2018, more and more businesses have been receiving S.A.R.s from disgruntled former employees. Be careful not to make unsubstantiated assumptions, though, as the request could be quite innocent.
Q. Do I have to do it?
You do indeed, and it needs to be a priority. Under the Data Protection Act 2018, incorporating the GDPR, you are required to respond within a calendar month of the request.
Q. What information do I need to include?
You will need to provide HR records; paper records; telephone logs; Internet logs; CCTV footage they appear in; emails to and from the employee and any emails containing their name (including deleted emails); any content from shared network folders; databases; back-up files; CRM systems; and shared work devices. You will also need to provide any information about them used during the recruitment process to learn about them, record their performance, make decisions about them, influence the way they are to be treated, give opinions about them, or have an impact on them. You must also keep a record of all of the searches made to gather their personal data.
In addition, when you provide the information, you will need to explain and detail the purposes for processing personal data, the categories of personal data retained, the recipients of personal data, the safeguards you have in place for transferring data, and your retention policies and periods. This should already have been stated in the Privacy Notice that supplements their Employment Contract, as well as in your public documents (e.g. websites, communication templates).
Q. Yikes. Can I charge them for all that?
It may seem an onerous task to gather all of this information, but by law you should provide the employee with their personal data for free. However, in some circumstances it is acceptable for a business to charge a ‘reasonable fee’ to cover the administration costs of complying with the S.A.R., namely when an individual has requested additional copies of their data or when the request is deemed ‘manifestly unfounded or excessive’.
Q. Can I amend or delete any of their information?
No, you cannot delete or amend any of the employee’s personal data.
Q. Ah, that’s tricky. What if some of the data include details of another employee?
It is important that you do not reveal the information of other individuals without their consent – this would be a breach of their privacy rights. Therefore, once you have gathered all data for the employee who made the S.A.R., you will need to go through it all and blank out (redact) any personal data of any other individual who could be identified by it. The rules guarding against deleting or amending personal data relate specifically to details belonging to the employee making the S.A.R.
Q. This seems like a huge job. What if I opt not to do it?
If you fail to respond to an S.A.R., you are at risk of the Information Commissioner’s Office (ICO) taking action against you. They can fine you up to 4% of your global annual turnover or approximately £18 million, whichever is higher.
Q. Wow. Well, is there any way that I can get more time? A month is not long for such a large task.
You have the option of extending the time period to 3 months if the request is complicated (manifestly unfounded, excessive, complex or repetitive). However, you must inform the requester, within one calendar month of their S.A.R., of your intention to extend the response period to 3 months, providing legitimate reasons – this last part is essential, as the ICO will look very carefully at these reasons in the event that a complaint is logged or you fail to comply within the promised 3 months.
Q. What can I do to make this easier next time?
To ensure you are not caught off guard, instruct legal professionals to create procedures, policies and template responses that you can quickly refer to and use in the event of an S.A.R.
To ease access to the required information, create a good IT infrastructure and use software that allows you to quickly and efficiently access, search, track, isolate and disclose the personal data needed, while safeguarding the rights of the individual and those of any other colleagues who may be associated with them. You may even want to consider setting up a ‘data subject access portal’ that allows employees to access their own information when they wish.
To ease the task further, you may ask the employee if they will narrow the scope of their request – are they asking for all personal data, or do they simply want sales or performance records gathered over the last 12 months, for example? However, be aware that if they choose not to narrow the scope, you are still required to provide the information.
Subject access requests and the Data Protection Act 2018, incorporating the GDPR, particularly in relation to employment issues during a pandemic, are huge topics. Today we have covered the basics you need to know, but if you require more in-depth guidance or have specific questions, please do not hesitate to get in touch with us.