During the month of November we are considering the Data Protection Act and, more specifically, Subject Access Requests. In the first in our series last week we considered the form that requests must take and issues around verifying identity and time limits. This week we’re focussing on the extent to which you need to search for data and how wide the concept of ‘data’ is.
HR Professionals be aware!
Any HR professional will be familiar with the Data Protection Act and the ability of an individual to make a Subject Access Request under the Act which may (or may not) be used by people on occasion to conduct a ‘fishing expedition’ to support a grievance.
When I provide advice to my clients, the contents of emails that I will be writing to clients will be subject to legal professional privilege, which excludes their contents from the requirement to disclose the personal data they might contain to an individual upon request. An HR professional’s communications with their clients will be different. This will affect, for example, smaller businesses who might buy in HR support or larger businesses that may engage the support of other professionals for specific projects, including mediators.
Indeed, on occasion when I have been acting for individuals I have used this route myself to try and obtain, for example, email correspondence between an HR consultant and their employer client that might reveal, for example, pre-judgement in a disciplinary process or useful evidence in a grievance.
HR professionals need to be very careful, therefore, to plan how they give advice on occasions. Sometimes it might need to be face to face meetings with their employer client rather than by email but even if they keep notes of the minutes with their clients, those notes themselves may become capable of disclosure under a Subject Access Request.
I would, therefore, be very careful about committing to writing, for example, a plan to dismiss an employee for gross misconduct following a disciplinary hearing – I would always make it clear in correspondence that there is a range of possible outcomes depending on the decision that the employer ultimately makes at the hearing when it happens.
How much effort do we have to put into searching? In this video, Anna explains that the Information Commissioner expects you to make extensive efforts to find and retrieve personal data.
When was the last time you reviewed your Data Protection Policies?
We offer the following services:
- Full Data Protection Audit
- Advice on the storage and retention of data
- Handbook policies for staff – setting out what data is held about them and why (there is an obligation under the Act to set out the purpose for which data is being held)
- Subject Access Request support
- Data Protection training for HR
Question: What about repeated or unreasonable requests?
Answer: We’ve all come across situations where someone gets a bee in their bonnet and won’t let a subject go. To what extent does the Act enable an employer, as data controller, to refuse to deal with repeated requests? The Data Protection Act itself doesn’t limit the number of Subject Access Requests an individual can make, but it does say that you are not obliged to comply with an identical or similar request to one you have already dealt with unless a reasonable interval has elapsed between the first request and subsequent ones. What counts as a ‘reasonable interval’ will depend upon the nature of the data, what it is being used for, whether that could cause any detriment to the person, and how often it is altered. So, for example, if the data hasn’t changed at all, you would simply write back and confirm that to the individual. However, suppose the request related to medical information that you have received from, say, Occupational Health, and there has been correspondence since the last report was given. Because this could cause detriment to the individual if, for example, the employer were to terminate their employment, and because the data is of a sensitive nature (health information is sensitive personal data under the Act), you may well be required to provide the fresh correspondence that has occurred since the last time you dealt with a request.