It is not uncommon for somebody who is part-way through a process, such as a performance management process, sickness absence management process, redundancy situation or disciplinary process, to put in a subject access request under the Data Protection Act.
If the employee is off sick or at a very early stage in the process, they may not even be aware that, for example, a disciplinary investigation has commenced. Or they might not yet be aware of a complaint relating to them that has been received and that you’re looking into. Alternatively, you might be towards the end of the process, at the appeal stage, and you might receive a subject access request made in an attempt to look for what I call “the smoking gun” they think you have hidden from them in the process so far.
I’ve even heard today of Unions using the SAR as a form of industrial unrest – launching mass employee requests on organisations as part of industrial action.
The first thing to note is that the request under the Data Protection legislation is made in an entirely different relationship with you than the relationship of employee and employer. It is made as a data subject in relation to your position as data controller, governed by the rules in the data protection legislation. So, for example, given that you have 30 days under the data protection legislation to assess their request and provide them with the data they have asked for, it is entirely possible that your ongoing employment processes will be moving more speedily and that, for example, a disciplinary hearing or a meeting might be in the diary well before the end of that 30-day period. There’s nothing in the data protection legislation that requires you to halt your internal employment process or wait until the SAR has been dealt with.
If you have already disclosed the information to somebody, for example as part of an investigation report, in an email notifying them of a complaint against them, or as part of a pack given to them for the purposes of an appeal meeting, you have already given them that information, so you’re not going to be required to give it to them again as part of the subject access request disclosure – you would just have to cross-refer to what you’ve already given them.
The next thing to say about data protection is that there is absolutely no substitute in any given situation for tracking through the legislation itself when it comes to determining what you’re required to disclose to the data subject and what you’re allowed to withhold. Making this assessment on the basis of some kind of ‘feel’ is not enough.
There are things you do not have to disclose. This includes:
* anything relating to negotiations if disclosure would prejudice the negotiations
* confidential references given by you
* criminal investigations
* data processed for the purposes of management planning if disclosure would prejudice the planning (such as telling the subject about a redundancy exercise before the consultation had launched)
* anything that is protected by confidentiality to a third party or legal professional privilege.
Thus, the list of exemptions is really narrow. It means most things are disclosable, perhaps with some redaction of bits relating to other people. We all need to bear in mind when we prepare documents that the data subject may see them in future and, for example, email accordingly.
In your letter to the data subject, which you will send with the response to the subject access request, you need to include a detailed explanation as to how you have gone about your response to the request and why you have excluded anything.
It is important that you consider the rights of other data subjects when processing requests. If disclosure of the information would identify another individual, you’re not obliged to comply with the request unless the other individual has consented to the disclosure of the information and it is reasonable in all circumstances to comply with the request without the consent of the other person. This is relevant to complaints and investigations – have you informed the complainant that the matter will have to be taken up with the individual? Have you informed those witnesses who have given evidence as part of the process that their evidence is going to be shown to the person who is, for example, accused of misconduct?
Where you haven’t got consent, you will have to think about redaction, omitting names and taking out as much as you can that would identify somebody. The legislation itself requires you to take steps with a view to seeking consent from the other individual and asks us to look at whether there is any express refusal of that consent.
Of course, it is entirely possible that the individual might try to make a second access request if the first request has not revealed what they were expecting. In that case, s95(3) requires us to consider whether there is a reasonable interval between the requests, having regard to the nature of the data, the purpose for which it is being processed and the frequency with which the data is altered. If you’ve complied with the subject access request and given the employee the data they requested, it is highly likely that you’re going to be able to refuse a second request on the basis that nothing has changed.