
SARs in the aftermath of Citibank and under the GDPR

March 2017

Under the Data Protection Act 1998 (DPA), as employers will be aware, employees have the right to obtain, on valid request, a description of:

  • the personal data of which the employee is the subject;
  • the purposes for which the data is held; and
  • the recipients of it.

Data Subject Access Requests (SARs) are applications made by individuals to enforce these rights, and employees are increasingly using them to obtain information for use in claims against their ex-employers.

SARs can be particularly useful where the information the employee requires is not available through traditional disclosure. This commonly arises where the employee either cannot demonstrate that the document in question is relevant to the ongoing litigation (a fairly narrow test), or does not want to go to the trouble of doing so. SARs potentially give employees access to a wider range of documents and information in addition to, or in conjunction with, traditional disclosure. Employees also use SARs (currently subject to a maximum fee of £10) as a simple and cost-effective way to be difficult and to increase their ex-employers' use of management resources and legal costs.

SARs in the employment sphere: the impact of McWilliams v Citibank

While it might be tempting for employers to dismiss SARs as not relevant to employment disputes or litigation, the Citibank case suggests that tribunals are becoming more aware of employee data rights and employer data obligations, and less receptive to refusals based on the accusation that a SAR is a 'fishing expedition'.

Ms McWilliams had been employed as a trader since 1998, and as part of her activities she regularly communicated with individuals at other banks via an online chat facility. These communications involved disclosure of confidential information. When the FCA investigated in June 2013, Citibank also carried out internal investigations, which led to disciplinary proceedings and suspension for Ms McWilliams. Ms McWilliams submitted a SAR shortly afterwards, which the bank rejected on the grounds that it was disproportionate. Ms McWilliams narrowed the scope of the data requested and informed Citibank that the data was vital for her response to the disciplinary allegations. Again, Citibank refused to comply, and she complained to the Information Commissioner's Office (ICO). Citibank also refused to postpone the disciplinary outcome to wait for the FCA findings, and dismissed Ms McWilliams in November 2015. The FCA outcome, which followed soon thereafter, supported Ms McWilliams' defence, finding that the bank's internal guidance on chatrooms was defective.

The ICO has not yet ruled on this matter, but the key point to note is that the Employment Tribunal held that the dismissal was procedurally unfair, with specific reference to Citibank's treatment of the SAR. The Tribunal stated clearly that the SAR in this case did not constitute a fishing expedition: the employee was suspended without access to the documents she needed to defend herself, and this materially affected her ability to defend her case. In essence, the finding was that Citibank's refusal to comply with the SAR contributed to the unfairness of the process, since it had a material effect on Ms McWilliams' ability to defend herself in the disciplinary proceedings.

This should be food for thought for HR teams dealing with these kinds of employee issues, particularly in light of the enhanced GDPR requirements.

SARs under the GDPR: a growing problem for employers

Under the GDPR, SARs are here to stay, and those who were hoping the regime would be limited to prevent its use as a litigation tactic will be disappointed. HR teams, in particular, should be aware that the applicable rules, and the corresponding penalties, are more onerous than under the DPA.

  • The current fee of £10 chargeable by employers will disappear. Employers will be given limited discretion to charge a reasonable fee based on administrative costs where the request is "manifestly unfounded or excessive" (e.g. in the case of repeat requests) or where there are grounds to refuse the request.
  • The 40 day statutory timeframe for a response will disappear; instead, employers will be obliged to comply with a SAR "without undue delay" and within one month of the request at the latest (although an extension of up to two months will be possible for particularly complex requests).
  • There will be no restriction on the number of requests, nor the regularity with which a request can be submitted. Given the cost and time impact for employers in dealing with these requests, employers can expect SARs to continue to be used for wider purposes.
  • The first copy of any SAR outcome must be provided free of charge, although there is some discretion for employers to charge a minimal fee for any additional copies (which an employee can request).
  • Data must be provided in a structured, commonly used and machine-readable form. Quite how this will work in practice is currently unclear given the lack of guidance to date, but the cost of meeting this requirement will fall to the employer.
  • The exemptions from providing data in response to a SAR will be limited to:
    • lack of specificity in the relevant SAR; and
    • requests made for non-data protection related purposes.

What steps can employers take?

The attraction of SARs for employees is obvious: they are a cheap and easy way to seek a broad range of information which may be useful in proceedings against ex-employers, while causing those ex-employers headaches along the way.

The increased penalties attached to breach of SAR requirements (which fall into the higher tier of fines) under the GDPR mean that employers need to be more prepared than ever. Employers should:

  • identify who is responsible for responding to SARs and make staff likely to receive SARs (notably managers and HR teams) aware;
  • have an appropriate policy and procedure in place to deal with SARs as efficiently as possible;
  • provide sufficient training to employees dealing with SARs;
  • document steps taken to respond to SARs;
  • clearly identify deadlines for responding to SARs; and
  • document the process followed for responding to a SAR and further correspondence with the employee in question.

On a practical note, this process should be designed to cause as little disruption to the business as possible and to aid employers' defence of any relevant employment claims.

Employers should be aware of:

  • Onerous requests: compliance with onerous requests can be expensive and time-consuming, but there are no provisions in the DPA allowing employers to refuse to comply on these grounds, and the GDPR does not change this. Employers dealing with an onerous SAR are obliged to act reasonably and are expected to approach the search constructively, save that the ICO currently states it will not enforce a SAR that involves a disproportionate effort on the employer's part.
  • Requests for non-data protection related purposes: technically, SARs should not be used for non-data protection related purposes and, in particular, should not be used as a fishing expedition by employees keen to obtain data ahead of potential litigation. However, as employers who have dealt with SARs will attest, resisting SARs on these grounds is difficult, and given the increased sanctions, employers are likely to find SARs a growing problem.
  • Scope: there is tension between the courts and the ICO regarding the extent of employers' obligations to search for personal data, with the courts acknowledging the difficulties of compliance and the ICO pushing for employers to conduct detailed searches. McWilliams v Citibank further suggests that the employment courts are becoming more alert to employee data issues. The courts have been keen to stress that employees are not entitled to all documents which simply refer to them, that searches should be reasonable and proportionate, and that employees are entitled to use SARs to access data rather than to obtain disclosure of documents. The ICO is equally keen to stress that employers are obliged to make extensive efforts to locate personal data following a SAR, and the tension has not yet been resolved.

What to take away?

SARs are not going anywhere, and they now come with additional obligations on employers coupled with significant sanctions for breaches. All of this means increased risk and cost for employers, but it should be good news for employees seeking to use SARs as a tactic, either in litigation or in dispute resolution.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Stephanie Creed

Stephanie looks at the impact on SARs of recent case law and the incoming GDPR.