Using a data subject access request (DSAR) as a tool against employers: How can employers navigate this?

Employers must be prepared to respond to DSARs, even if they suspect ulterior motives.

A Data Subject Access Request (DSAR) is a right under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 that allows individuals to request access to the personal data an organisation holds about them. This includes details on how the data is being processed, who it is shared with, and the rationale behind its use.

Employers, like all data controllers, are obligated to comply with DSARs, usually within one month. However, they can extend this period if the request is particularly complex. DSARs are designed to provide transparency and ensure that personal data is handled lawfully.

The use of DSARs as a tool against employers: Fair or unfair?

While DSARs were primarily intended to give individuals control over their personal data, they are increasingly being used by employees (or ex-employees) as a tool against employers, particularly in the context of employment disputes. It’s becoming more common for employees to submit a DSAR as part of a strategy to pressure their employer into settling a potential claim.

The reasoning is simple: responding to a DSAR is time-consuming and can be costly for an employer. It may involve trawling through vast amounts of data, redacting sensitive information, and compiling extensive reports. For employers already facing the threat of legal action, the prospect of dealing with a DSAR can be daunting. It also circumvents the usual disclosure process, allowing an employee to go on a fishing expedition for documents to flesh out a claim, whether one existed or not.

Employers’ obligations in responding to DSARs

Despite the strategic use of DSARs by some employees, employers cannot deny a request simply because it is made in contemplation of a legal claim. Even if the employer suspects that the DSAR is a tactical move, they are legally obliged to comply.

That said, employers can mitigate the burden of a DSAR by:

Extending the response period

If the DSAR is particularly complex or involves a large amount of data, employers can request an extension of up to three months. However, this extension must be justified, and the employee should be informed of the reasons for the delay.

Limiting the scope of the request

Employers can push back on overly broad or disproportionate DSARs by asking the employee to clarify the specific data they are seeking. If the request is deemed too costly or difficult to fulfil, the employer can negotiate a more manageable scope.

Claiming exemptions

Certain data may be exempt from disclosure, particularly if it concerns third parties, legal advice, or confidential information. However, exemptions should be applied carefully and in compliance with the law.

The issue of stolen confidential data and DSARs

A significant concern for employers is the misuse of confidential data by employees, particularly when they are leaving the organisation. Some employees may take data, either to use in future employment or as leverage in disputes with their current employer. If an employee has unlawfully obtained data, this can be addressed separately from their DSAR.

The exception to the rule about employees retaining data becomes more complex if the employee claims to have blown the whistle about corporate wrongdoing or can show they are seeking legal advice concerning the documents. However, this is not always the case: Nissan Motor (GB) Ltd v Passi, for example, required the employee to destroy or return the documents even where a whistleblowing claim was active. Nissan sued former employee Ravinder Passi for the return and destruction of confidential company documents he had kept. Passi, who worked at Nissan, had already filed lawsuits claiming his treatment and dismissal were due to whistle-blowing. During these proceedings, Nissan discovered Passi had retained sensitive documents, which he claimed were for legal advice and to ensure their availability if Nissan did not disclose them. He also admitted sharing some documents with a journalist related to his whistle-blowing claims.

The High Court Judge ruled in favour of Nissan, stating the company had a strong case that the documents were its property and should be returned. The Judge dismissed the idea that Passi had any legal right to keep the documents, even for legal advice. Additionally, the Judge rejected the argument that returning the documents would interfere with Employment Tribunal proceedings, emphasising that disclosure in such cases follows its own rules and cannot be bypassed by holding onto company property. This decision provides comfort and assistance for employers, but it raises questions about the protection of whistle-blowers. The ruling prioritised document ownership over public interest; as a result, we suspect this decision may be challenged in the future.

There is a prescribed process for legitimately seeking data, either through a DSAR or through disclosure during an active court or Tribunal process, and the law very much maintains that this should be addressed through these channels, as per Nissan Motor (GB) Ltd v Passi.

In reality, pursuing legal action against an employee for data theft can be costly and time-consuming. It may also be that the employer reports this to the ICO if there is a chance any client information could be sold on or abused and come into the public domain.

How employers can protect themselves

To mitigate the risk of data theft and the strategic use of DSARs, employers should take proactive steps:

Implement robust contracts and policies

Ensure that employment contracts and data protection policies are clear on the handling of confidential information and the consequences of data breaches. This should include clauses specifically addressing the return of data upon termination of employment and stating that transferring data to personal devices is an act of gross misconduct.

Obtain declarations from departing employees

When an employee is leaving, ask them to sign a declaration confirming that they have not taken any company data and that they have complied with the data protection policy, for example by deleting any information they hold. This can provide a legal basis for action if it later emerges that data has been taken.

Conduct exit interviews and monitor activity

An exit interview provides an opportunity to remind departing employees of their obligations regarding data protection. Monitoring their activity during their notice period can also help identify any potential data breaches before they leave.

Limit access to data

Throughout employment, ensure that employees only have access to the data they need for their role. Restricting access can reduce the risk of data being taken or misused.

Use meetings and minutes instead of emails

Where possible, sensitive discussions should be held in meetings rather than over email. Emails can easily fall within the scope of a DSAR, and limiting written records can help protect the employer’s position. However, recording discussions and outcomes is also beneficial: a record taken at the time, and perhaps emailed or signed by the employee, controls the narrative for the employer at a later date.

Conclusion

While DSARs are a legitimate tool for individuals to understand how their data is being used, they can also be misused in employment disputes. Employers must be prepared to respond to DSARs, even if they suspect ulterior motives. By taking proactive steps to protect data and manage DSAR requests effectively, employers can minimise the disruption and potential costs associated with these requests, while still complying with their legal obligations.

ABOUT THE AUTHOR
Karen Holden