SARs in the workplace

Whenever an employer is faced with a dispute or complaint from an employee, it's increasingly likely  the employer will also receive a subject access request (SAR).  Since the GDPR entered public consciousness, more people have become aware of the rights they have under the law to access their personal data and no group more so than aggrieved employees.

But even before the advent of the GDPR, lawyers advising disgruntled employees would frequently tell them to make a SAR to their (former) employer. Occasionally this was in the expectation of finding the proverbial 'smoking gun' or sometimes it was simply designed to cause the employer irritation and disruption. So it's long been the case that SARs are used by employees in disputes with their employers, whether before or during other forms of action such as grievance hearings or employment tribunals.

The impact of technology on responding to SARs

The right to access your personal data is a foundational tenet of data protection law. It's also explicitly referred to in Article 8(2) of the EU Charter of Fundamental Rights and Freedoms. Individuals exercising their rights need to understand the limits to the right (since it's not absolute) and controllers need to properly respond (and not obfuscate) when receiving a SAR.

In the years ahead, it's possible responses by employers to SARs from employees will become both more streamlined and more complex. More streamlined because the nature of human resource management systems may well develop so that it's easier for individual employees to access their own records held on their employer's system. But more complex because, as the nature of the workplace changes and the use of technology encroaches further into the world of work, so responding to a SAR raises new challenges.

For instance, in a workplace where AI tools become more pervasive, an employer complying with the information obligations under Article 15(1)(h) (UK) GDPR (all references to Article numbers are to the (UK) GDPR unless otherwise stated) must provide information on the existence of any solely automated decision making which significantly affects the employee and, therefore, to provide information about the logic involved in the decision-making, as well as the significance and envisaged consequences for the employee. 

If, for example, an AI tool is used as part of continuous staff appraisal to provide regular feedback for employees, the employer will need to consider whether the tool falls within the remit of Article 22 in order to determine whether it needs to provide meaningful information about the logic behind the AI system.  It may, however, fall outside the scope of Article 22 if the employer proves the decision making is not solely based on automated processing and/or that any decisions made do not significantly affect the employee.

The obligation on controllers to provide an explanation behind a decision made about an individual when relying on an AI tool goes further than the normal Article 15 obligations. For instance, by default, there is no overriding obligation on controllers under Article 15 to explain the personal data that they provide to an individual, nor to provide background on the context or the decisions the employer has made. The obligation on the employer under Article 15 is simply to:

• confirm whether it processes personal data on the employee
• provide access to the personal data (usually through providing a copy), and
• provide certain information on the purposes of the processing, categories of personal data etc.

It is only when the employer is processing employee personal data in a way that engages Article 22, that the additional requirement to provide meaningful information about the logic involved in the decision, the significance and envisaged consequences for the individual applies. Granted, an employer should always facilitate the exercise of an employee's rights under Article 15 (see Article 12(2)) but that does not require an employer to respond repeatedly to every question an employee asks about how the employer has acted in using the employee's data (effectively creating new personal data about the employee).

Guidance from the EDPB

While SARs have been part of data protection law for decades, it is only in the last few months that the European data protection authorities (through the European Data Protection Board) have produced draft guidelines on the right of access.  The EDPB emphasises at the beginning of the guidelines that an individual does not have to provide reasons for making a SAR and "it is not up to the controller to analyse whether the request will actually help the data subject to verify the lawfulness of the relevant processing". In other words, the handling of a SAR by an employer should be motive-blind even though it is usually obvious to an employer why an employee is making it.

While the draft guidelines do not focus in detail on SARs made by employees to employers, a number of the examples given focus on workplace circumstances. So, the EDPB's guidelines remind controllers that any national labour law provisions regarding access to personal data must respect the conditions of Article 23 (which allows Member States to restrict access rights in certain circumstances).  Furthermore, the EDPB guidelines envisage a scenario where a former employee makes a SAR during unfair dismissal proceedings against their former employer. In this case, the EDPB points to the need to have regard to any national law which may limit the scope of information to be provided where there are ongoing legal proceedings assuming (again) that such national law restrictions comply with Article 23.

The position in the UK

In the UK, the ICO published guidance on handling SARs in October 2020, which provides a number of examples and practical steps for responding. For instance, where an employee makes a SAR and the employer finds 2000 emails where the employee is copied in as a recipient, the ICO considers the employer does not need to provide the employee with a copy of each email (redacted as necessary) since the only personal data that relates to the requestor is their name and email address.  It is sufficient simply to provide those categories of data to the requestor and explain to them that this is the only information they are entitled to under the GDPR. 

The ICO also addresses the situation where employees use their own personal devices in a work context, recommending that employers have a policy restricting the circumstances when employees can hold work information on personal devices. The use of BYOD programmes can lead to complications in responding to a SAR where personal data held on employee personal devices is within scope. We may well see further guidance from the ICO on handling SARs in the workplace once the new Employment Practices Code (or its replacement) is published following the ICO's consultation on this area in 2021.  In particular, the summary of responses the ICO has received highlights that respondents to the consultation are seeking a steer from the ICO on what personal data to disclose in the context of disciplinary or grievance processes, how to treat private messaging channels used by employees when responding to SARs, and how to respond to SARs seeking CCTV footage.

On 17 June 2022, the UK government published its response to its consultation 'Data: A new direction' on reforming UK data protection law.  The response included certain legislative proposals that will impact employers handling SARs:

• The government proposes to change the threshold for refusing a SAR from the 'manifestly unfounded' standard to 'vexatious or excessive', which mirrors the threshold under the UK Freedom of Information Act. Consequently, if this reform goes ahead, it is more likely that employers will be able to refuse SARs from employees where they can argue the SAR is a manifestly unjustified, inappropriate or improper use of a formal procedure.
• The government will require complainants (such as employee requestors) to attempt to resolve their complaints about the handling of their data directly with the employer before complaining to the ICO.
• Going forward, controllers will be expected to put a complaints handling process in place to deal with complaints from requestors. Employers will therefore need to consider whether they can modify any existing complaints handling process or whether they need to introduce a new process.
• The government will also set out criteria in the law which the ICO can rely on to decide not to investigate a complaint from an individual. This gives the ICO greater discretion on whether to investigate a complaint and should mean the more frivolous and meritless complaints from disgruntled SAR requestors wither away more quickly.

The government has, however, decided not to:

• Reintroduce a small nominal fee payable by requestors for a SAR given the lack of support from consultation respondents, so the UK will not be returning to the £10 fee framework.
• Introduce further exemptions available to controllers to withhold personal data in response to a SAR. Therefore, employers going forward will be left with the existing framework as set out under Article 15(4) and the Data Protection Act 2018 Schedules 2, 3 and 4.

What about separate employee data controllers?

A SAR places an obligation on an employer to search the personal data it processes as a controller to ascertain whether it processes the personal data requested by the employee.  But just because it holds personal data on its systems does this always necessarily mean it is a controller of that data?

The 2020 UK Supreme Court decision in Morrisons v Various Claimants underlined the concept of an 'employee data controller' who is engaged solely in pursuing their own interests. In that decision, the Supreme Court did not hold the employer – Morrisons – vicariously liable for the unlawful actions of its employee. By the same token, if an employee of the employer (who is not the requestor) has used the employer's systems to make ill-judged comments about the requestor which could be said to be wholly outside the employer's business, is that errant employee a separate employee data controller of that personal data? And, if so, would that mean that those ill-judged comments are not within the scope of the SAR sent to the employer?  It may well be a stretch for an employer to rely on such an argument but there could be circumstances where the personal data it finds on its systems about the requestor are so completely removed from normal business as usual that it is merited. 

One of the ways an employer can reduce the likelihood of holding personal data about the requestor (where such personal data could prove controversial) is to train staff in email and communications hygiene, reminding them that any comment they make in an email or communication could see the light of day. Additionally, the employer should introduce email and document retention policies so that emails are not stored indefinitely unless employees make a deliberate decision to store them as part of a document management system.

Connected compliance

Responding to a SAR can often flush out other GDPR compliance responsibilities that an employer needs to focus on due to the information requirements under Article 15. For instance, does it have established and documented data retention periods for employee data? If not, it will be more difficult to comply with Article 15(1)(d). Will the requestor's data be transferred overseas and, if so, how will the data remain protected in accordance with the standards required by the GDPR? If the employer has no records on data flows of employee data, it will struggle to comply with Article 15(2).  The reforms being proposed under UK data protection law will still require an employer controller to be apprised of these elements.

Of course, once an employee has received a copy of their personal data, they may then seek to exercise their other rights eg right to rectification, right of erasure.  While these rights are not absolute either, an employer should always be able to identify these requests and be able to respond. Depending on how many SARs and related requests an employer receives, putting an Individual Rights Request Policy in place which the team involved in handling SARs is trained on and adheres to, is an important good governance step which helps an employer comply with their GDPR obligations.