How to deal with subject access requests
Subject access requests - when an employee asks to see any personal data held on them - can throw legal negotiations into disarray if employers do not tread carefully. Jennifer McGrandle, an associate at Dechert LLP, advises on how to deal with them.
Subject access requests are a useful weapon for the disgruntled employee. They can cost a business significant time and money as well as potentially disclosing a "smoking gun" document, prompting the employer to settle.
Employees have the right, under s.7 of the Data Protection Act 1998, to make a subject access request in order to obtain copies of personal data held by their employer, and receive information on how that data is stored and processed.
Two recent cases have put these types of requests back in the spotlight, making it more difficult and hazardous for an employer to resist a request from their staff.
In the 2003 case of Durant, the Court of Appeal indicated that the purpose of a subject access request was not to obtain disclosure of documents that might assist in litigation.
In the case of Gurieva earlier this year, the High Court (following a Court of Appeal decision which post-dated Durant) rejected an argument that it should not order compliance with a subject access request because it was being made to obtain advance disclosure in litigation.
This was on the basis that the Court should not enquire as to why a subject access request has been made, and that to use a request for the purpose of obtaining early access to information was not improper.
Consequently, until there is a Supreme Court decision to clarify the position, it would be risky to reject a subject access request because it has been made to obtain pre-action disclosure.
Failure to respond
In McWilliams v Citibank, a tribunal decision, the employer's failure to respond properly to a subject access request was a relevant factor in determining whether or not the employee's dismissal was fair.
The employee made a subject access request to assist her during a disciplinary process and narrowed it at the employer's request, but the employer did not supply her with any documents until after her disciplinary hearing.
The tribunal found that the employer's investigation was inadequate and that, together with its failure to respond properly to the request, materially affected the way in which the employee could respond to the allegations against her. Therefore, the failure to comply with the subject access request was relevant to the fairness of the dismissal.
How to deal with a subject access request
In the light of these two decisions, and given the reputational and other risks of enforcement proceedings, it is clear that employers cannot afford to take subject access requests lightly. Following the checklist below may help:
- Check that the subject access request has been made correctly and that the £10 fee has been received, as time will not start running until then. This can be a useful way of buying extra time.
- Start dealing with a request as soon as possible, as it may be a time-consuming process. Build in time for a review by your legal team, especially if there is third-party personal data which will need to be redacted.
- If the request for data is extremely wide, an employer has the right to request a narrower focus of the search. For personal data stored electronically, it is essential to agree a framework, such as a time frame and search terms, with the employee.
- If you are having settlement discussions, seek an agreement between the parties that the subject access request will be put on hold until discussions are concluded. If discussions break down, attempt to agree an extension to the deadline with the employee.
- If you do manage to settle the dispute, ensure that it is a term of the settlement agreement that the subject access request is withdrawn and that no further requests will be made.
- Consider using document management or litigation support systems if there is likely to be a large volume of data. This will assist with searching for and categorising documents, removing duplicates and redacting information that cannot be disclosed.
- Remember that the normal rules of privilege apply and any documentation created for the purpose of legal advice or in contemplation of litigation should be excluded.
- Consider providing the documents electronically rather than in hard copy form, as the latter can be time consuming and costly to produce.
What the future holds
The General Data Protection Regulation (GDPR), which is already in force and must be applied in the UK by 25 May 2018, will bring some changes to the subject access regime.
As the UK Government has indicated it will trigger Article 50 in 2017, the GDPR will become law in the UK before Britain exits the EU in 2019.
The GDPR will result in two key changes to the subject access request regime. Firstly, data must be provided free of charge, unless the request is "manifestly unfounded or excessive", in which case the data controller may charge a reasonable fee or refuse to act on the request.
The data controller bears the burden of demonstrating that the request is manifestly unfounded or excessive.
Secondly, and more significantly, the time limit for compliance will change from 40 days to "without undue delay and in any event within one month".
Given that many employers currently struggle to meet the 40-day deadline, this could cause problems.
However, the one month period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The employee should be informed of any extension within one month of the request, as well as the reasons for the delay.
The employee will not need to consent to the extension, although presumably a complaint could be made to the Information Commissioner if it was felt that the proposed extension was unreasonable.
Even with these changes on the horizon, subject access requests are likely to continue to play a part in actual or threatened litigation.
Unless an employer is prepared to settle before having to comply with the request (which is likely to make it appear weak and come at a cost), it should have the necessary systems in place to deal with a subject access request efficiently and effectively when it arrives.