SARs in the employment context
The SAR challenge
Following the introduction of the GDPR, we have seen a rise in the number of SARs brought by employees. HR teams are increasingly under pressure to comply.
Employee data subject access request - everything you need to know about responding to a SAR
A daunting task
SARs are time consuming and cumbersome to process, particularly if there is not a centralised storage and retrieval system. The rules surrounding what must be disclosed are not straightforward, which makes it challenging for those unaccustomed to handling SARs to understand what needs to be disclosed and what should be redacted.
Our team of SAR experts can help you to deal with the challenges a request can bring and prepare a GDPR compliant SAR response in the most cost efficient way and on time.
If you wish to learn more about how our SAR solution can reduce your risk of fines and litigation you can call us on +44 (0)118 952 7284, or you can request our SAR solution guide by sending an email to firstname.lastname@example.org.
Below we are going to answer some of the most frequently asked questions about how to respond to a SAR:
1. Who can request a SAR?
Under the General Data Protection Regulations 2018 (“GDPR”) and Data Protection Act 2018 (“DPA”), individuals have a right to know what data a company holds about them, and to request that the company erases, rectifies or restricts the processing of their data. As part of these rights, an individual can make a request to see what data a company holds about them.
A Subject Access Request (“SAR” or “DSAR”) is a request by a natural person, known as a data subject, to a data controller to find out what data they may hold or are processing about them.
The right of access can only be exercised by, or on behalf of, a data subject.
A data subject is an “identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The data subject can be:
Although a SAR is normally made by data subjects, third parties may make requests on their behalf, for example:
A parent, or guardian, who has joint, or sole, parental responsibility can make a request on behalf of their child - this is dependent upon the age and maturity of the child.
A legal representative acting on behalf of the person
A data controller is responsible for ensuring that a third party is entitled to make a SAR for, and be supplied with, the personal data of another person.
If personal data is disclosed in response to a SAR to someone who is not entitled to receive it, the controller will contravene the principles and the data subject may take remedial action, including making a complaint to the Commissioner (who may exercise corrective powers including reprimands, financial penalties etc.) or seeking compensation through the courts.
In the employment context, SARs are brought by employees to find out what information their employer has about them (often in preparation for bringing an Employment Tribunal or other litigation claim), but this right also applies to clients, suppliers and the general public.
In the employment context, personal data is often stored in an unstructured format, for example in email chains and is also intermingled with highly sensitive information about others.
It is often underestimated just how long it takes and how much effort is involved to respond to a SAR.
For example, carrying out the relevant searches can often bring up thousands of emails and/or documents.
2. How to recognise a SAR?
A SAR no longer needs to be made in writing and does not have to mention that it is a subject access request as long as it is clear that the data subject is requesting a copy of their personal data.
A SAR can be sent to anyone in your organisation, by any means and in any form. It does not need to mention the GDPR or Data Protection Act 2018.
A SAR does not simply entitle an individual to a copy of their own personal data.
They are also entitled to receive a number of other pieces of information about how their personal data is being processed (Article 15 GDPR), including:
the purpose of processing the data,
the source of the data,
who has the data or with whom it will be shared.
As soon as a request is identified, ensure that any routine data deletion or destruction processes are suspended with respect to the personal data of that individual. In addition, it is now a criminal offence to delete, destroy, alter or conceal personal data to frustrate a SAR (Section 173 DPA 2018).
3. How can you make sure you are disclosing personal data to the right person?
If you have received a SAR the first thing you should do is to make sure this is a genuine request. Therefore, before starting to process the SAR you should establish the identity of the individual submitting the request.
It may be reasonable to seek proof of identity (usually recent photographic ID and utility bill) from an unknown client but not an employee with whom you are in day to day contact.
A request may be made on behalf of the individual by a representative, for example, a solicitor. If that is the case you should also seek reassurance that the individual has authorised the representative to make the request, correspond with you and receive the response on their behalf.
Requests made on behalf of children need to be carefully considered with reference to the ICO’s guidance.
4. What to do if the SAR request does not make it clear what information is required?
Often there is a large amount of data you hold on your employees (e.g. emails), and if the employee has been vague or deliberately wide in the SAR, it is advisable to ask for clarification as to the information sought.
Even if you think your employee is asking for this information to progress a legal action you still need to comply with the request.
The employee is not obliged to tell you why they are making a request, nor what they intend to do with the personal data they receive. The fundamental right of access is not affected by any prospective, or ongoing, legal action, including employment tribunals.
If there is any doubt as to what personal data the employee requires, it is best to speak with them to clarify the matter. Checking with them may save a lot of time and effort. You might want to ask:
which types of communications you should search through
if the search should include certain people
if the search should be limited to specific dates
if they can suggest search terms, e.g. first and last name or initials.
This will make sure that you, as the data controller, are looking for the right personal data and the data subject will receive what they really want. The data subject may refine their request as a result, or still want “all personal data”.
You cannot, however, reasonably expect a data subject to know how your filing systems work, where the information is stored, or who may have sent emails or correspondence they are requesting. The data controller's obligations are wide ranging and it cannot use an individual's failure to identify specific information as an excuse for not providing it and complying with the SAR.
5. How much time do you have to respond to a SAR?
You must respond promptly to a valid request and within one month after the request is made, or after any information needed to identify the data subject or to clarify the request is received.
If the SAR request is complex, the response time may be extended by up to two calendar months, starting from the day of receipt.
If the request is to be extended the data controller must explain why it is necessary, within one calendar month.
6. Can the SAR response time be extended?
Any SAR must be dealt with effectively, within one month of receipt. This can be extended by up to two months, if the SAR is complex.
When a request is made the data subject is only entitled to his/her data, not that of others. This may mean that documents need to be redacted.
The complexity of responding to the SAR arises if it involves information from many different email accounts or requires a significant amount of redaction of others’ personal data.
Not only can searching the documents take a long time, but redaction is also a complex and time-consuming process which can put a strain on company resources. If the document redaction is not done properly it may be possible for the data subject to remove the redaction or "see through it".
Following the introduction of the GDPR, employers should have considered, alongside their privacy notice, retention periods for documents. Adhering to these will help reduce the pain of a SAR.
7. What are the possible reasons why an employee would request a SAR?
SARs can be raised by employees in different circumstances. Some employees can be genuinely concerned to discover what data is being held and processed, and want to check it is accurate.
However, many employers feel employees are tending to use SARs to put pressure, administrative burdens and expense on employers. Equally, where an employment dispute already exists, the submission of a SAR may just be the opening of another battlefront. It might also be an attempt to try and find a piece of evidence that the employee ‘believes’ exists in preparation for an Employment tribunal claim.
8. What information should you disclose?
There are some limitations to what you should provide when responding to a subject access request.
Documents containing information about others:
If any document contains information about someone else, your employer may be able to exclude this document or to delete the information about the other person.
Documents subject to legal privilege:
You do not need to disclose details of any legal advice received in regard to the data subject.
You do not need to respond to a request if it would be “disproportionate” to do so. Employers should take legal advice before deciding the request is disproportionate.
9. What must be included in a SAR response?
When sending your SAR response there are other things you need to include alongside the employee’s personal data such as details about:
The purposes for processing their data
The categories of personal data processed
Third parties to whom the personal data has been or will be disclosed
The envisaged period for which the personal data will be stored where possible, or, if not possible, the criteria used to determine that period
The source of the data (if available) if they were not obtained directly from the data subject
Details of any automated processing or profiling and the logic involved
Details of the appropriate safeguards (Applied GDPR, article 46) relating to transfers of personal data to any third country
The existence of the rights to rectification, erasure and restriction of, and/or objection to, processing
The right to lodge a complaint with the Commissioner
Most of this information should be recorded in some way by the controller, for example in mandatory records of processing activities or other records maintained about the processing. This is part of accountability for, and governance of, the processing.
There is no exemption from providing those details even if the controller has not made such a formal/informal record.
10. How should you provide the response?
If a subject access request has been made electronically, the expectation is that you can provide the response electronically too. However, it is best not to assume, and to ask the individual first. Especially where sensitive or special category data is being disclosed, ensure that this is disclosed by the most secure means possible.
You should keep an audit trail of the request, including the sources of information which were collated, the review undertaken, key decisions made concerning whether information amounted to personal data and whether exemptions applied, the response provided and disclosure made, as well as all communications with the individual and other third parties. This will be essential if the individual seeks an internal review of the response or complains to the ICO.
11. What happens if I don’t respond to a SAR?
Those who fail to respond to a SAR can expect initially to receive a letter from the ICO to remind them of their obligations. If a data controller continues to refuse to comply it can expect to receive an Enforcement Notice and ultimately a Penalty Notice of up to 20 million Euros or 4% of the total worldwide annual turnover.