Data Subject Access Requests from Employees: What UK Employers Need to Know About New ICO Guidance

A challenging economic situation is prompting contentious staffing decisions. The rise of hybrid work has led employers to generate more information in more places about employees.

Against this backdrop, more employees are exercising their rights to access their personal data under the EU GDPR (General Data Protection Regulation) and UK GDPR. Employees are making data subject access requests (DSARs) to employers to glean information on internal discussions relating to their employment. Some employees are making data subject access requests a pre-litigation tool.

The UK Information Commissioner’s Office (ICO) released updated guidance in May focused predominantly on how employers should respond to DSAR from employees. We recently shared factors employers should consider when responding to a data subject access request. In light of the new ICO guidance, here are seven things employers should know to comply with their statutory obligations towards employees under UK GDPR:

1. A data subject access request does not need to be labelled as one
2. The "manifestly unfounded" threshold to refuse to comply with a request is very high
3. The mere prospect of litigation or tribunal proceedings is not enough to refuse a request
4. Companies must balance competing employment and data rights
5. Don’t assume you can contractually waive data subject access rights
6. Employees are generally not entitled to every email they sent during employment
7. Employers should search social media platforms

1. A data subject access request does not need to be labelled as a data subject access request

The ICO makes clear that there is no specific format for a valid DSAR. As a result, employers should train managers and staff to recognise such requests. The guidance gives examples of requests that would constitute a DSAR, including an email saying, "Please send me my HR file" or a request to a manager that says, "Can I have a copy of the notes from my last appraisal?"

However, the guidance explains ways an employer can clarify a particular request, including its scope.

2. The “manifestly unfounded” threshold to refuse to comply with a request is very high

An employer may refuse to comply with a DSAR in certain circumstances. Whilst the purpose of a DSAR generally does not impact its validity, an employer may refuse to comply with a DSAR where that request is manifestly unfounded or excessive. General guidance under EU and UK GDPR confirms that employers must consider this exemption on a case-by-case basis. weighing factors such as whether someone:

• Has no real intention of exercising their rights or makes a request with malicious intent. (Examples could include a former employee who offers to withdraw a request in exchange for money or someone who makes a request to cause significant disruption or inconvenience.)
• Makes multiple requests for information (e.g., once a week to cause disruption).
• Sends a request that is clearly or obviously unreasonable.

In deciding whether a request is “manifestly unfounded or excessive,” the ICO says, an employer should consider “whether the request is proportionate when balanced with the burden or costs involved.”

This does not necessarily mean that a large request is automatically manifestly unfounded or excessive, but that an organisation should consider all of the circumstances around a request to come to a conclusion. If the DSAR is substantial in the amount of personal data it is seeking, then an organisation may wish to seek further clarification to narrow down the time period, limit relevant search terms or to provide a summary of the information located.

Overall, the threshold remains high for determining that a DSAR is manifestly unfounded or excessive.” The ICO reminds employers to consider a request in context and avoid applying the exemption to a request just because it is voluminous or inconvenient.

3. The mere prospect of litigation or tribunal proceedings is not enough to refuse a request

A request to access personal data is separate from any disclosure process in litigation or employment tribunal proceedings. However, a data subject may attempt to sidestep the standard disclosure process by submitting a DSAR. The ICO says an organisation cannot simply refuse to comply with a DSAR because of ongoing or anticipated proceedings, even if they believe a former employee is attempting to obtain documents for those proceedings.

Unless a relevant exemption applies, a company must respond to a DSAR. Even if the same information has been disclosed in other proceedings, an employer must provide personal data when asked, but a person is entitled only to their personal data. Disclosure obligations in litigation are generally wider. It is therefore unlikely that an individual will receive identical data through a DSAR and litigation disclosure. An employer should consider the request in context and determine proportionate steps to take in response. This may include summarising documents already disclosed in proceedings and providing copies of any additional documents pursuant to the DSAR. If a DSAR appears to be used tactically or intentionally to overburden an organisation during litigation, a company may consider seeking an applicable exemption as outlined above.

4. Companies must balance competing employment and data rights

An employee or former employee may seek documents containing confidential conversations about them in the context of a performance review, disciplinary processes and/or related investigation. Where documents contain personal data of both the requester and others, an employer must balance competing privacy expectations. For example, witness statements used for internal disciplinary and investigative issues in the workplace usually include information about more than one individual in the same document.

The ICO guidance outlines how the third-party exemption in the Data Protection Act 2018 may be applied. Specifically, it considers factors that may indicate whether a third party provided an opinion with a reasonable expectation of confidentiality, such as when a company asks for confidential feedback for a performance review. Whilst the ICO acknowledges that redactions may assist in masking a writer’s/speaker’s identity, there will be circumstances where the nature of a redacted document would disclose that identity even if the name or other identifying information was removed. To protect other employees, organisations should consider all the relevant circumstances including:

• The type of information to be disclosed.
• Any duty of confidentiality owed to data subjects other than the person asking for the data.
• Any steps taken to obtain consent of third-party data subjects, including whether they are capable of giving consent and any recorded refusals.

In a similar vein, where an employee passes on information about wrongdoing under an employer's whistleblowing procedures, the whistleblower's report is likely to include information about those suspected of wrongdoing as well as the names of witnesses. The ICO guidance says employers must balance the rights of the person requesting data with the whistleblower's rights. In addition to data protection issues, companies must consider the Public Interest Disclosure Act 1998 in relation to the whistleblower’s rights to confidentiality and not to be subjected to a detriment as a result of making a disclosure.

5. Don’t assume you can contractually waive data subject access rights

Employers may be negotiating the terms of a non-disclosure or settlement agreement for termination of employment, or the former employee may already be subject to similar terms and employers will often want to seek to limit further DSARs as part of these terms. The guidance outlines examples of when an agreement may not limit data subject access rights. When drafting or seeking to enforce such terms in a settlement agreement, employers should be mindful of the need to protect the rights of employees whilst protecting the employer from unfounded or excessive data requests.

6. Employees are generally not entitled to every email they sent during employment

Data subject access rights do not give employees and former employees the right to the entire contents of their mailbox. They are only entitled to their own personal data within the emails and not to every email they ever sent or received. The UK GDPR defines an employee’s email address as personal data, but the contents of emails relating to business matters are not considered personal data.

The ICO reminds employers to consider emails in context and use the proportionate approach outlined above. Employers should clarify the scope of a data request to confirm whether, for example, it relates to all emails or just emails relating to performance or benefits. Collaboratively limiting the scope with the requester can reduce the burden of complying.

7. Search social media platforms

Often former employees submit DSARs requesting searches of mailboxes, servers and social media platforms. The ICO guidance emphasises that the UK GDPR applies to any social activity carried out in a commercial or professional context. Employers should therefore search social media if the personal data held within its platforms, falls within the scope of the DSAR.

The ICO also reminds employers to have policies and procedures on what employees can and cannot do on the employer's IT systems, such as a reasonable use or personal use policy, to avoid an argument by the worker that the employer should or can search personal email or phones.

DSARs can be challenging and burdensome. As the ICO has shown, employers can face significant consequences for non-compliance. The guidance provides helpful clarification on how employers should address requests in a comprehensive and swift manner to avoid future risks, whilst at the same time attempting to manage the inevitable drain on resources they represent for employers.