In anticipation of the coming into force of the General Data Protection Regulation (GDPR) exactly a year from today, we are initiating a series of blog posts looking at the practical implications for employers. This post looks at individual employees’ right of access to their personal data and takes the form of a Q&A addressing key changes to this right that will be brought about by the GDPR. Given the ambiguous wording of the GDPR, there are more “Qs” than “As” at this stage, but we will update this guide when further clarity is provided by the UK Information Commissioner or at EU level.
Q1: What is a subject access request (SAR) and what are the current statutory requirements under the UK Data Protection Act (DPA)?
The right for individuals to gain access to personal data that organisations hold about them is a key tenet of the DPA and will continue to be so under the GDPR. This right entitles a data subject (here an employee) to ask a data controller (his employer):
- whether it processes his personal data (invariably, yes);
- what personal data the employer holds, the sources of such data, the purposes for which it is being processed and to whom it is disclosed; and
- for copies of the personal data that is held by it.
It is the last element of this right that creates the most onerous obligations on employers. In practice, employers often receive SARs when a dispute has arisen and the employee is seeking to exert pressure on his employer or to uncover some evidence of wrongdoing by the employer, thereby circumventing the court/tribunal’s usual timetable for disclosure.
Q2: How will the GDPR change the current law on SARs?
The SAR provisions of the GDPR are broadly similar to the rights under the DPA. There are, however, some notable differences:
- The list of details that the data subject can request is expanded under the GDPR and includes the following: (i) the retention period for the personal data processed; (ii) information on any automated decision-making or profiling, if relevant, the logic involved and the consequences of such processing for the individual; and (iii) the existence of the rights to rectify or delete the personal data concerning him, or to restrict or object to the processing of his personal data.
- At present, employers have 40 days to provide the information requested. Under the GDPR, the deadline for a response is shortened to: “without undue delay and in any event within one month of receipt of the request”. However, this deadline is potentially extendable by a further two months (so three months in total) if necessary, taking into account the complexity and number of the requests. If the employer refuses to act on a request, it must respond within the same timelines and explain the reasons for not taking action and inform him of his right to lodge a complaint with the relevant supervisory authority (i.e. the ICO in the UK) and to take the matter to court.
- At present, employers can charge a fee of up to £10 to provide information under a SAR. Under the GDPR, this fee will be scrapped and the information must be provided free of charge. However, when a request is manifestly unfounded or excessive, employers can charge a fee or refuse to act on the request altogether. Any fee charged would have to be ‘reasonable’, having regard to the administrative cost of providing the information or communication or taking the action requested. It is unlikely that such a fee would be allowed to cover external support, e.g. legal fees.
- The right to access under the GDPR expressly requires that the rights and freedoms of others should be considered so that they are not ‘adversely affected’. The examples given in the GDPR recitals mention trade secrets or IP. However, these rights should not be used as the basis for a refusal to provide all information to the employee, merely that which would prejudice those trade secrets, etc.
Q3: Aren’t most SARs “complex” – does this mean we can work to a three-month deadline?
The meaning of ‘complexity’ as used in the SAR provisions of the GDPR is likely to be fact- and context-dependent. Would a SAR be considered complex if it requires the employer to sift through 10,000 documents or, if not, how about 30,000? The GDPR suggests that where the employer processes a large quantity of information about the employee, it should ask him to “specify the information or processing activities to which the request relates”. This is intended to help data controllers refine the scope of the request in order to avoid carrying out extensive and unnecessary searches. In any case, the burden is on the data controller to show that a request is ‘complex’. The more the employee narrows down his request, the harder it will be to show “complexity”.
Q4: And aren’t most SARs manifestly “unfounded” and/or “excessive” – does this mean we will continue to be able to charge a fee or just refuse to respond altogether?
Many SARs require employers to sift through thousands of emails/documents to find the far lower number of documents that actually contain the employee’s personal data and so could be considered ‘excessive’. Likewise, there are questions over what exactly ‘unfounded’ means and whether this re-opens the debate over the relevance of the purpose for the request. To illustrate, if an employer complies with all the guiding principles of the GDPR and processes data fairly and transparently, and the SAR is simply a fishing expedition, would this render the SAR ‘manifestly unfounded’? The recent case law in the UK shows (Dawson-Damer v Taylor Wessing LLP) that “most data controllers can be expected to know of their obligations to comply with SARs and to have designed their systems accordingly to enable them to make most searches for SAR purposes.” The Court of Appeal placed the burden on the data controller to demonstrate that compliance with the request would involve disproportionate effort. The GDPR reflects a similar position and the burden will be on the employer to demonstrate that a request is ‘excessive’ or ‘unfounded’. The GDPR is designed to increase and improve data subjects’ rights, so it is unlikely that the new legislation will be interpreted contrary to that aim by restricting these rights relative to the position under the DPA. The Court of Appeal in Dawson-Damer confirmed that the DPA does not require a data subject to show the motives of the request and thus the motives are irrelevant for the purposes of compliance with the obligation to respond to the right to access personal data. It is expected that the position is the same under the GDPR.
Q5: What are the consequences if we get it wrong?
Under the DPA, the maximum penalty is a fine of £500,000. The GDPR massively increases this financial liability with penalties that take into account the nature, gravity and duration of the infringement.
Breach of the right to access personal data falls under a ‘top tier’ breach carrying a fine of up to €20 million or 4% of global turnover (whichever is higher), but it is self-evident that the sort of ordinary slips which employers make in responding to SARs from employees will not get within a hundred miles of this sort of number. The GDPR lists factors that could aggravate the situation, including the intentional or negligent character of the infringement, any previous infringements, and any losses or damage to the data subject. The examples of mitigating factors listed, on the other hand, are any actions taken by the controller to mitigate the damage suffered by data subjects and the degree of cooperation with the supervisory authority.
In addition to financial penalties, if an employee complains to the ICO, under the GDPR the regulator can carry out an investigation, issue warnings and reprimands, impose a temporary or definitive limitation on processing, including a ban on processing, and order the employer to comply with the data subject’s rights and/or to bring processing operations into compliance with the GDPR. Alternatively, a complainant may seek court remedies. Note that under the GDPR, data subjects have a right to compensation from the controller even for non-pecuniary damages suffered.
Q6: So what should we do to prepare for these changes?
Employers are advised to do the following to address the changes to employee rights to access personal data under the GDPR:
- Update internal policies and procedures on responding to requests from individuals in relation to their personal data in line with the GDPR requirements and the new rights, including the right to access personal data, right to data portability, to rectify and delete data, to restrict and object to processing, and to lodge a complaint with a supervisory (data protection) authority;
- Train staff on the new right to access and other rights under the GDPR and how to respond to them;
- Update their notices to individuals on the new rights under the GDPR;
- Update data retention policies to comply with the GDPR data retention requirements;
- Update internal IT systems to allow for deletion, transfer of personal data, and the restriction or objection to processing to appropriately address requests;
- Know where they hold personal data – this is in line with the new obligation under the GDPR to keep records of processing activities (Article 30). This exercise will also help address the right of access to personal data, as it can clarify where data sits; and
- Take steps to comply with the new requirements under the GDPR now, so that their responses on the processing of personal data from May next year can stand up to scrutiny, as the measures they have around the protection of personal data will themselves be disclosable to employees exercising the right to access personal data.
Q7: Will there be any other individual rights under the GDPR?
The GDPR introduces a new package of rights, including the right to access personal data, the right to data portability, the right to rectify and delete data, the right to restrict processing, the right to object to processing, and the right to lodge a complaint with a supervisory authority.
These will be the subject of future blog posts where we will look at each of these in more detail.