Data protection update
The implementation of the General Data Protection Regulation (GDPR) in May 2018 will bring changes.
Section 7 of the Data Protection Act 1998 (DPA) provides individuals with a right of access to their personal data held by a data controller through making a written subject access request (SAR).
For HR teams, dealing with employee requests to see the data you hold about them can be painstaking and a drain on resources. However responding to requests fully and properly is a key responsibility of data controllers.
The law concerning the making of SARs and how data controllers must respond has developed considerably in recent years. This includes two major Court of Appeal decisions published in the last few months.
The implementation of the General Data Protection Regulation (GDPR) in May 2018 will bring changes to the rules on the information you need to provide and the processes you need to follow.
Below are summaries of the two recent cases, the recent changes to the ICO code and a note on some of the changes under GDPR.
Dawson-Damer v Taylor Wessing LLP
In this case, the Court of Appeal considered a number of issues including whether an individual should be allowed to use SARs to gather information for the purposes of litigation.
The facts involved the claimant and her two children who were beneficiaries of a number of trusts, set up and managed in the Bahamas. They became involved in a dispute with the trustees and made an SAR asking for documents including those held by the trustees’ lawyers to support their legal arguments. The lawyers argued that this was not a proper use of the SAR process and refused to comply. However, the Court held that the claimants were entitled to make an SAR even if the ‘collateral purpose’ was to assist in their claims.
This Judgment provides legitimacy to an often used practice by individuals to gather information to prepare for litigation.
Data controllers will still be allowed to withhold information that is subject to ‘legal professional privilege’ (for example legal advice from a solicitor or documents produced specifically in contemplation of a legal dispute). However, this case made clear that this protection is limited and does not extend to documents that are merely ‘confidential’ or might otherwise be protected by the law of other countries.
The Court of Appeal also considered Section 8 of the DPA which permits data controllers to refuse a request that would require ‘disproportionate effort’. It was found that this limitation extends to consideration of the work needed to find the relevant data as well as the work needed to produce copies and send it. This will be comforting for data controllers who may hold large volumes of unstructured data over a number of different systems, as searching and redacting such records inevitably involves time consuming and costly manual review.
If you are tempted to refuse an SAR on this basis though, it is important to think about how you will evidence your decision if the matter ever comes to Court. In this case, the Court ordered the data controller to produce a plan and provide evidence of the work it would need to do to identify and review personal data before deciding whether the request was disproportionate.
This decision reiterates that a Court will always try to balance any difficulties faced by the data controller in collating the information against the potential benefit to the data subject in receiving it. Wherever possible, it is advisable to record the applicable facts and figures so that you have evidence to demonstrate just how onerous it would have been to comply.
Deer v Oxford University
This case centred on the Court’s discretion (under section 7 DPA) to order a data controller to take further steps to comply with an SAR.
The claimant had been involved in litigation with Oxford University for eight years. She brought numerous claims against the University including a claim of sex discrimination and five claims of victimisation. In consideration of these claims she submitted two wide ranging SARs.
After some initial resistance, the University answered the request. The claimant however did not believe the response to be sufficient and applied to the courts asking that further searches should be carried out and additional information handed over.
The Court of Appeal refused to make the order, on the grounds that the University had already taken “reasonable and proportionate” steps to identify and disclose the data requested. It did not matter that not every item of data relating to the claimant had been retrieved. It was confirmed that a search may be adequate even if “there may be things lurking beneath another stone that has not been turned over”.
Reassuringly, the Court also made clear that if it appears that the request has been made to impose a burden on the employer (rather than to source information of real value to the employee) a Court will be far less willing to order an employer to carry out further searches. The decision is highly critical of the claimant’s “essentially antagonistic attitude” and the use of “low level attritional warfare” against the University.
Changes to the ICO Code
In light of these decisions, the Information Commissioner’s guidance on subject access requests (essential reading for HR practitioners dealing routinely with data disclosure) has been revised and updated.
Most usefully, the section of the Code stating that the ‘disproportionate effort’ argument should only be relied on “in the most exceptional of cases” has now been revised to contain more practical guidance on how to decide when a request is disproportionate. The guidance stresses that the data controller must demonstrate that all reasonable steps to comply with the request have been taken and that the concept of ‘disproportionate effort’ “cannot be used to justify a blanket refusal”. However, importantly, it factors in the principle discussed above that the cost and effort of the search for as well as the supply of information will be taken into account.
The other changes to the Code are to reinforce best practice, encouraging data controllers to put in place well designed and maintained information-management systems to locate and extract data requested and to redact any third party data. Data controllers are also encouraged to engage with the requester about the information they require to avert unnecessary cost and effort. The element may have been inserted with the forthcoming GDPR rules (discussed below) in mind.
General Data Protection Regulation (GDPR)
GDPR will come into force in May 2018 and will replace the DPA. The new regulations include important changes to the rules governing subject access requests.
A data subject’s right to access their personal data will be broadly the same. However, the current compliance period of 40 days will be replaced with an obligation to comply “without undue delay” and within one month. Accordingly, data controllers will need to consider how their processes can be streamlined to respond in compliance with this timescale.
There is however an extension of two additional months available when the request(s) are sufficiently complex. This extension may often be applicable in an employment context given that such information is often spread across different systems but data controllers should not assume this will always be the case.
The £10 fee applicable to requests under the Data Protection Act 1998 will be abolished. However, where a request is “manifestly unfounded or excessive” you will be entitled to charge a “reasonable fee” to take into account administrative costs. In some circumstances you may even refuse to act on the request altogether. Whether a request is “manifestly unfounded or excessive” will depend on the circumstances and may be a difficult judgement call but a good start point is likely to include consideration of the ICO’s guidance on ‘disproportionate effort’ under the DPA (discussed above). Hopefully, these changes will discourage very onerous requests.
Additional requirements under the GDPR also include the provision of additional information to employees requesting access to their data including the envisaged period of storage and information about their rights (which are enhanced under the new legislation).
The GDPR will also amend the use of consent when processing data and will require the recording and in some cases reporting a data breach. With much tougher fines available (up to €20million or 4% of global turnover) also being introduced it will be crucial to be up to speed.