Data Protection & GDPR

Charlotte Farrell and Ryan Mitchell | 27th October 2022

Subject Access Request

The Paris Smith Employment Podcast is a regular podcast that discusses all things related to employment law. The podcast is hosted by Charlotte Farrell and Ryan Mitchell, both are lawyers at Paris Smith LLP. In today’s episode, they discuss subject access requests and the key things businesses need to know about them. The GDPR was introduced in 2018 and has led to individuals becoming much more aware of their rights regarding their personal data. As a result, Paris Smith has seen more people making subject access requests.

You can find out more info here: https://parissmith.co.uk/your-business/commercial-law/data-protection-and-gdpr/


01:00:00 – The right to access personal data held by organisations is a legal right given to individuals.

02:00:00 – Personal data is any information that relates to an identified or identifiable living individual.

06:30:00 – Anonymised data can be excluded from a subject access request.

07:00:00 – Subject access requests are being used more often as a way to find information for employment tribunal claims.

07:54:00 – The main use for subject access requests in a commercial setting is to upgrade complaints to “super complaints.”

09:00:00 – The main points to consider when dealing with a subject access request are verifying the requester’s identity, diarising key dates, and trying to locate the requested information.

11:17:00 – Subject access requests are usually free, except for when they are excessive. If someone refuses to pay or withdraws their request, businesses may have trouble recovering costs.

13:38:00 – The business doesn’t have to send everything to the individual who they find. Someone needs to go through it and identify any documents which don’t need to be disclosed.

15:00:00 – Organisations need to include a cover letter with personal data when sending it to someone in response to a subject access request.

16:20:00 – Employees use subject access requests to check their personal data is being processed correctly and tactically.

18:16:00 – The government is proposing to decrease the threshold for an organisation being able to refuse to respond to a subject access request, or to be able to charge a reasonable fee.

19:19:00 – The word vexatious could potentially help to stop requests where the person is only using it to cause trouble for their employer or ex-employer.

19:50:00 – The top tip for dealing with subject access requests is to have a written procedure and use systems which allow for personal data to be easily searched, reviewed and extracted.

21:07:00 – HR and line managers should train all staff on the GDPR and data protection issues, including subject access requests. Staff should be aware of what they can and cannot do with personal information. Deleted emails are still searchable.

23:25:00 – The risks of getting subject access requests wrong include complaints to the Information Commissioner’s Office and investigations which can lead to instructions on how to correct procedures.

Transcript

Welcome to the latest edition of the Paris Smith Employment Podcast.

I’m Charlotte Farrell and for today’s podcast we are very pleased to also welcome a guest from our commercial team, our colleague Ryan Mitchell.

We regularly work alongside Ryan on all things GDPR and data protection related and today we’re delighted that he’s joined us to discuss subject access requests and the key things businesses need to know about them. With the arrival of the GDPR in 2018, data protection and the rights of individuals when it comes to their personal data has come to the forefront of many people’s minds.

We are definitely finding that individuals are much more aware of their rights when it comes to how their personal data is handled and we have seen an increase in people, not just employees, bringing subject access requests against business. This brings with it many practical issues need to bear in mind when carrying out their day to day tasks.

So today we’re going to look at some of these issues, not only from the employment angle but also the general issues businesses should be aware of.

So I suppose the first thing we should talk about is what a subject access request is. Ryan, can you give us a brief overview of what a subject access request is.

Of course! A subject access request is a request by an individual (which can be verbal, in writing or via an automated system) to receive copies of the personal information which an organisation holds about them. We call that personal information ‘personal data’.

When making a subject access request, the individual can also ask for additional information about how and why the organisation uses their personal data.

Individuals have a legal right to make subject access requests. This is called the ‘right of access’. It’s a right which is specifically set out in data protection law. Because it’s a legal right, organisations have a legal duty to respond to a subject access request, subject to some very limited exceptions which we’ll come on to.

So it’s a really broad right in that case then which can be very time consuming for a business to comply with. When you say, “personal data” or personal information, what does that cover. Is it any time that someone’s name is mentioned or is it more limited?

So ‘personal data’ means any information that relates to an identified or identifiable living individual. That individual is called the “data subject” in data protection speak.

To work out whether a piece of information is classified as ‘personal data’ it’s helpful to ask two questions:

1. Does the information identify a living individual? The information could be identifying on its own, for example a person’s name. Alternatively, it might be possible to combine this piece of information with other information the organisation holds (or may in the future hold) in order to identify someone. For example, an employee number can be combined with HR records to work out which specific individual in the business has that employee number.

If we’re combining information to identify a person then we call that ‘indirectly’ identifying personal data. If it’s obvious from the piece of information alone who the person is then it’s ‘directly’ identifying personal data.

2. The second question we need to ask ourselves is whether the information ‘relates to’ the individual. It’s not enough just to be able to identify the individual from the information. The information must ‘concern’ the individual in some way.

Let’s take two examples: the statement “Joe Bloggs lives at 15 Beachcroft Road” and a personnel file note that says “Mary Stewart is dishonest and I think she has been stealing from us”. These are both pieces of personal data. We know this because:

The answer to our first question – does the information identify a living individual – is yes. Each of these two statements contains the individual’s name, meaning they are directly identified.

The answer to our second question – does the information relate to the individual – is also yes. The statement about Joe Bloggs’ address relates to where he lives. The note about Mary relates to her work performance and her integrity as an employee.

Because these are statements containing each individual’s personal data, they would need to be disclosed following a subject access request.

However, let’s take another example. Say we have hundreds of work emails with Joe Bloggs’ name on where the content of the email doesn’t relate to Joe Bloggs as an individual. In that situation, Joe Bloggs’ name and email address on those emails would identify him (so the answer to our first question is ‘yes’) but these pieces of information don’t actually ‘relate to’ Joe (so the answer to our second question is ‘no). Rather, they’re just a record of who sent or received the emails. In this scenario, the emails wouldn’t need to be disclosed in response to a subject access request. The situation would be different if the substance of the emails did actually relate to Joe. For example, because they discussed his performance at work.

The second question, of whether information ‘relates to’ an individual, can lead to some grey areas. When these types of questions arise, a good starting point would be the ICO’s guidance (available online at www.ico.org.uk). The guidance includes a number of worked examples which are really helpful.

But what if the data is anonymised, does it still count as personal data then?

No – if the data is anonymised then isn’t treated as personal data. This is because it doesn’t identify a living individual. Provided you’re confident that the data is truly anonymised, it can be excluded from a subject access request.

Thanks Ryan for that very clear explanation. For three little words the process actually has some quite big implications and many businesses don’t understand that until they have to deal with it in practice themselves. We have definitely found over recent months and particularly since 2018 and the introduction of the GDPR that individuals are much quicker to make a subject access request and much more aware of what thy should be sent. Even though it wasn’t what the process was set up for, we’ve always seen them used in the employment world as a fishing expedition to see if there is are any juicy documents that its worth using to start a tribunal claim. If anything that has got worse since the GDPR.

Ryan, are there any particular ways that you regularly see them used in the purely commercial setting by clients or customers of business?

In a similar vein, we sometimes see customers make subject access requests if there’s a dispute. It’s a very easy way for an individual to upgrade their complaint to a ‘super complaint’ which can take a lot of time and sometimes money to respond to.

The main protection against these sorts of complaints is to have a good subject access procedure in place in readiness. When choosing new IT systems, it’s also a good idea to think about how easy it will be to search for personal data and extract it from the new system if a subject access request is received. This thought process when choosing or developing new systems is known as ‘privacy by design’.

Ok so I think it makes sense to now touch on the process a business should follow if someone makes a subject access request. If someone makes a subject access request there are key steps to take:

Firstly, always check the identify of the person making the request to make sure that it isn’t someone trying to commit fraud. If it’s an employee or someone the business knows personally you can speak to them to check the request came from them. Otherwise you can ask for ID such as a passport or drivers licence or copy of a bill to check the request is legitimate.

Secondly, make sure you diarise the key dates. Since the introduction of the GDPR you have 1 month to process the request. This can be extended by a further two months if the request is particular large or complex. If that’s the case you have to update the person and tell them that you need more time with the first one month time frame so make sure those dates go in the diary and don’t leave dealing with the request until the last minute. In some cases it can take a long time to go through all the documents produced so it’s worth starting early!

Thirdly, always check that the subject access request makes sense and that you understand what they’re asking for. if not you can go back to them to clarify the request and ask them to provide more information. The ICO doesn’t like companies that always ask for clarification though so make sure there is a legitimate reason for asking. The clock stops while you’re waiting to hear back from the person so this can be helpful when the request is very big.

Once you know what is being asked for the business must make reasonable efforts to find the information that was requested. They don’t have to conduct searches which would be unreasonable or disproportionate but will need to explain what searches they have done and why. It might involve searching servers, data bases, email folders and paper filing systems.

Ryan do you want to tell us a bit more about the costs of a subject access request.

Yes of course. So normally a business can’t charge someone if they make a subject access request – there used to be a £10 admin fee but that doesn’t exist anymore.

Now, the only times a business can charge for responding to a subject access request is if:
1. the request is ‘manifestly unfounded’ or ‘excessive’; or
2. the organisation is being asked to provide copies of information which the individual already has.

In either of these scenarios the organisation can charge a ‘reasonable fee’. Alternatively, if the request is ‘manifestly unfounded or excessive’ then the organisation can refuse to process the request altogether.

If you’re thinking of trying to charge the individual then it would be sensible to double-check with them that they still want to proceed, before carrying out any activities which you would look to charge for. If the individual refuses to pay, and you’ve already incurred the costs, then you may struggle to recover the money. If the individual withdraws their request, or part of their request, then you’ve saved the effort and cost of having to respond to it.

Additionally, we’d always recommend taking advice if you suspect a request is ‘manifestly unfounded’ or ‘excessive’. If the data subject complains to the ICO that you’ve unfairly refused to respond to the subject access request for these reasons then the ICO might want to double-check your reasoning. You may face a enforcement action (which could include a fine) if you got it wrong and failed to respond to a valid request.

For this reason, it’s good practice to still process the parts of the request which you don’t object to and then explain in the cover letter why you couldn’t or wouldn’t respond to the other parts of the request. The ICO will see this as a better compromise than refusing to comply with the entire request.
Leading on from this, Charlotte, does the business have to send everything to the individual that they find?

That’s a really good point and one that is often forgotten about. The simple answer is no. Once the company has found all the documents containing the personal information requested, someone needs to go through it and identify any documents which don’t need to be disclosed. There is a long list but some of the most common ones we are see are documents which also identify other people, documents which are covered by legal professional privilege, references, documents for the purposes of management forecasting or business planning which would prejudice the business if the information got out (i.e. a planned redundancy programme) and documents about negotiations between the parties which could cause problems in the negotiations if they were shared.

If any of this information is found the business needs to consider whether the document can be redacted to remove the personal information or whether consent can be obtained from the other people named in the document. If not then this can be withheld and a note added to the cover letter to explain this.

So having mentioned the cover letter, Ryan I know these are letters that you often have to put together for clients when they are responding to subject access requests, what information do businesses have to put in the cover letter when they send the personal information to someone.

Yes, the letter is an important part of the process. The ICO guidance sets out what information has to be in the letter and says which documents need to be sent with it. Often the letter is repeating information that is already set out in the organisation’s Privacy Notice or Privacy Policy, and so much of the content can be adapted from there.

I won’t summarise every item that needs to go in the cover letter, but it’s basically the ‘what, why, where and how long’ of the organisation’s data processing activities. The individual also needs to be reminded of their legal rights, including the right to complain. I’d recommend double-checking the comprehensive list of information in the ICO’s guidance before the cover letter is sent, just to ensure that everything has been covered.

Charlotte, you mentioned earlier that you often see unhappy employees sending subject access requests to their employers. Would you like to talk more about the trends you’ve seen with these types of request?

Yes we definitely do. I’m not sure employees always use them, in the right way though. the idea of a subject access request was so that an individual could check a business was processing their personal data in the correct way and for the reasons it was given to them. For example, not selling their contact details to people who want to sell them new windows, or sharing their health information with insurance companies. In the employment world, people tend to use them in a more tactical way.

We regularly see individuals make a subject access request at the same time as they raise a grievance to complain about something happening at work. Or if they are trying to negotiate a settlement package from their employer, an employee will make a subject access request in the hope that dealing with it will be too difficult for the employer and they will agree to the payment to avoid having to do so. Employees do also do it as a fishing exercise to decide whether or not they want to bring a claim and IU would say that more often than not they bring them for the nuisance factor. Sometimes this works and the employer responds to it, in other situations it annoys the employer and they dig their heels in and comply with the request to avoid giving in to what they can perceive as a threat.

Interesting. From the organisation’s perspective, it’s unfortunate that the law can be used in this way.

I know that last year the government consulted on whether to reintroduce a nominal fee for making subject access requests, like the £10 charge we had under the old law. In the end they decided not to go ahead with it.

Following that same consultation the government did decide to proceed with looking to decrease the threshold for an organisation being able to refuse to respond to a subject access request, or to be able to charge a reasonable fee to respond. You’ll remember from earlier that the current threshold is that the request needs to be ‘manifestly unfounded’ or ‘excessive’. In response to the consultation, the government said they would look to reduce this so that the organisation only needs to show that the request was ‘vexatious ‘or ‘excessive’.

This approach hasn’t been finalised but do you see this change as being a positive for employers?

Yes I really think it would be. We often see the word vexatious used to describe things in the employment world and it could potentially help to stop requests where the person is only using it to cause trouble for their employer or ex-employer. Those types of requests weren’t stopped by the “manifestly unfounded” Category as it didn’t quite fit!

What would your top tip for dealing with subject access requests be Ryan?

I previously mentioned that it’s important for organisations to have a written subject access request procedure. This ensures all the key personnel involved in responding to a subject access request know what to do and can take action within the legal time limit. Where possible, this should be supported by the organisation using systems which allow for personal data to be easily searched for, reviewed and extracted following a subject access request. If searching and collating the data is an issue then there are third party service providers who can help with this process, although they can be costly to use.

A data audit of the organisation’s systems can reveal which repositories of data are most likely to cause an issue. Often these are old, legacy systems or paper-based records which can’t be easily searched. The organisation might want to prioritise searching those sources first when receiving a subject access request. That way they don’t overrun the deadline to respond.

Charlotte, is there anything else which HR teams and line managers can specifically do to prepare for the eventuality of receiving a subject access request?

There definitely are and it is worth investing some time in training all those with line management responsibilities in them to try and make the process as easy as possible if someone does make a subject access request. Some common sense things are :
– to make sure email and filing systems are kept up to date and are easily searchable
– to keep all HR related emails and documents together in one central system and not on individual email accounts or hard drives
– be careful about what is said by email – if in doubt have a conversation
– when writing internal notes and emails, bear in mind that the person it is about and/or a judge could potentially read it in the future. If you wouldn’t want them to read it then reconsider what you’re writing

We also recommend all staff have training on the GDPR and data protection issues in general, including subject access requests so they know what they are and how they fit into the business. This doesn’t just apply to those who manage staff anyone who handles personal information about clients, customers or employees should be aware of the legislation and duties and know what they should and shouldn’t do.

It’s also important to remember that deleted emails are also searchable and so just because something has been deleted doesn’t guarantee that

Before we end our discussion on subject access requests today, I think its worth us just briefly touching on the risks of getting it wrong as well. Ryan do you want to share some final thoughts with us about that?

Of course. If the data subject doesn’t think that the organisation has complied with the process properly then they can complain to the Information Commissioner’s Office (the ICO). The ICO may launch an investigation in response to the complaint. It will take management time (and possibly legal fees) for the organisation to respond to the ICO’s enquiries.

If the ICO finds that the organisation has not followed the law then it may give binding instructions on how the organisation should correct its procedures and documentation. If there has been a serious breach of the law then the ICO might use its other enforcement powers, such as publishing a public notice about the breaches (which can lead to reputational damage) and/or issuing fines.
It’s therefore worth investing the time to ensure you respond to subject access requests properly and promptly first time around!

So that brings us to an end of our brief foray into data protection and subject access requests. Thank you to Ryan for being our first guest star on the employment podcast and thank you to you all for joining us too. We hope you found it useful. For further information in relation to the issues we have discussed today, please contact us via our website www.parissmith.co.uk or find us on LinkedIn.