
Updating your GDPR Privacy Notice

It’s hard to believe that it’s 7 years since the GDPR came into force on 1st May 2018. I’d hazard a guess that many of us haven’t given our privacy notices any thought since then and have just been wheeling them out.

Given that the world is moving at pace, you may need to update your recruitment candidate privacy notice to inform the candidate about any automated shortlisting software that you are using, or indeed that your recruitment agents are using on your behalf. The privacy notice would need to describe the software that you are using and what it does, and highlight to the candidate their right to have a human review the output.

You will recall that your privacy notice lists out the ways in which the personal data of an employee might be used. There is also likely to be a section where you describe which third parties might have access to data and the purposes for which they do so. This probably covers things like accountants, but you may not have covered off litigation. Clearly, if somebody is suing the organisation then an individual’s personal data may be used, for example, in the disclosure documents for that case. This need not necessarily be the data subject themselves bringing the legal action, because their data could be used as a comparator, for example in an equal pay claim, or when showing consistency of treatment, for example in a disciplinary scenario.

Another legal use might be where a TUPE transfer is occurring or the organisation is, for example, undergoing a round of investment or a sale or merger process. Personal data might well be shared at some point with investors, potential buyers etc. At the initial stages of such processes, employee spreadsheets, for example, are normally anonymised, so there is nothing to worry about, but further down the due diligence process questions might be asked which would reveal personal data when answered.

Anna Denton-Jones
Refreshing Law


Loss of an employee’s records — A data breach claim

An employee who worked for Tesco settled her data breach claim for £3,000. She had requested copies of the information that Tesco held on her, using the subject access request mechanism that you are probably familiar with. During a period of over 15 years working for her employer, she had given them a significant amount of ‘sensitive personal data’ in the old data protection jargon, now called ‘special category data’. This included details about counselling she had received in relation to her mental health, details of post-natal depression and the management of those health conditions. Most employers will hold this sort of ‘special category data’ even if they don’t collect other data like criminal records.

It appears that Tesco could not lay their hands on this information, presumably held in a physical format, and there was a delay because the file had been lost at some point in the past, perhaps when there was a move of offices.

Tesco had written to her explaining that they had looked for her employment records but couldn’t find them. This then triggered her putting in her data breach claim, which would be to a Court and not an Employment Tribunal.

Tesco settled the case for £3,000 and it has been reported in the local press. The publicity surrounding these events is bound to give other employees ideas. It shows that the loss of data can be just as problematic as retaining historic data that you don’t really need and can’t justify retaining.

Anna Denton-Jones
Refreshing Law


Video | Data Protection Processors

Our latest video is available to view on the Refreshing Law YouTube channel, in which Anna discusses the various issues around data protection in relation to other people who you might be engaging with but who are not your employees.

Anna Denton-Jones
Refreshing Law


Subject Access Request during an on-going process

It is not uncommon for somebody who is part-way through a process, such as a performance management process, sickness absence management process, redundancy situation or disciplinary process, to put in a subject access request under the Data Protection Act.

Because the employee is off sick, or because they’re at a very early stage in the process, they may not even be aware that, for example, a disciplinary investigation has commenced. Or they might not yet be aware of a complaint that has been received and that you’re looking into, which relates to them. Alternatively, you might be towards the end of the process at the appeal stage, and you might receive a subject access request as an attempt to find what I call “the smoking gun” that they think you have hidden from them during the process so far.

I’ve even heard today of unions using the SAR as a form of industrial unrest, launching mass employee requests on organisations as part of industrial action.

The first thing to note is that a request under the data protection legislation is made in an entirely different relationship with you than the relationship of employee and employer. It is made by a data subject in relation to your position as data controller, governed by the rules in the data protection legislation. So, for example, given that you have 30 days under the data protection legislation to assess their request and provide them with the data they have asked for, it is entirely possible that your ongoing employment processes will be moving more speedily, and a disciplinary hearing or a meeting might be in the diary well before that 30-day period ends. There is nothing in the data protection legislation that requires you to halt your internal employment process or wait until the SAR has been dealt with.

If you have already disclosed the information to somebody, for example as part of an investigation report, in an email notifying them of a complaint against them, or as part of a pack given to them for the purposes of an appeal meeting, you have already given them that information, so you are not going to be required to give it to them again as part of the subject access request disclosure. You would just have to cross-refer to what you have already given them.

The next thing to say about data protection is there is absolutely no substitute in any given situation for tracking through the legislation itself when it comes to determining what you’re required to disclose to the data subject and what you’re allowed to withhold. Making this assessment on the basis of some kind of ‘feel’ is not enough.

There are things you do not have to disclose. This includes:

  • anything relating to negotiations if disclosure would prejudice the negotiations
  • confidential references given by you
  • criminal investigations
  • data processed for the purposes of management planning if disclosure would prejudice the planning (such as telling the subject about a redundancy exercise before the consultation had launched)
  • anything that is protected by confidentiality to a third party or legal professional privilege.

Thus, the list of exemptions is really narrow. It means most things are disclosable, perhaps with some redaction of bits relating to other people. We all need to bear in mind when we prepare documents that the data subject may see them in future, so email accordingly.

In your letter to the data subject, which you will send with your response to the subject access request, you need to include a detailed explanation of how you have gone about your response to the request and why you have excluded anything.

It is important that you consider the rights of other data subjects when processing requests. If disclosure of the information would identify another individual, you are not obliged to comply with the request unless the other individual has consented to the disclosure of the information, or it is reasonable in all the circumstances to comply with the request without the consent of the other person. This is relevant to complaints and investigations: have you informed the complainant that the matter will have to be taken up with the individual? Have you informed the witnesses who have given evidence as part of the process that their evidence is going to be shown to the person who is, for example, accused of misconduct?

Where you haven’t got consent, you will have to think about redaction, omitting names and taking out as much as you can that would identify somebody. The legislation itself requires you to take steps with a view to seeking consent from the other individual, and to look at whether there has been any express refusal of that consent.

Of course, it is entirely possible that the individual might try to make a second access request if the first request has not revealed what they were expecting. Section 95(3) requires us to consider whether there has been a reasonable interval between the requests, having regard to the nature of the data, the purpose for which it is being processed and the frequency with which the data is altered. If you have complied with the subject access request and given the employee the data they requested, it is highly likely that you will be able to refuse a second request on the basis that nothing has changed.

Anna Denton-Jones
Refreshing Law