The second session at our Data, privacy & security in the workplace: key issues in 2023 event was an interactive scenario-led session, looking at the lifecycle of an employment subject access request (SAR) from receipt to response, to data subject challenges and possible regulatory complaints. Benjamin Favaro and Sean Illing were joined by Florence Chafiol, Partner at August Debouzy, to consider these issues from a UK and an EU perspective.
Our top five takeaways are:
- SARs often accompany an employment claim and, due to the contentious background, can often result in complaints to the ICO; it’s always best to separate the SAR and employment correspondence. Be courteous and cooperative to the data subject, even if the relationship has soured - the ICO won’t care about the underlying dispute and appearing fair and proportionate is key.
- Always acknowledge a SAR as soon as it comes in and, if you need to extend the deadline, do this sooner rather than later.
- You may want to refuse a request as being manifestly unfounded or excessive, but guidance suggests it’s difficult to do so and in any event it’s often best to narrow the scope of the request rather than refuse it entirely (e.g. provide something rather than everything).
- Consider tech tools which can assist in carrying out searches to narrow down the number of documents to review and redact. Be careful about ensuring that redactions can’t be reverse engineered, which may cause embarrassment or, worse, result in the disclosure of third party (or other) data.
- If you are dealing with a SAR with an international element, be aware of diverging approaches between the UK and the EU. For example, in the EU it’s generally not accepted that searches can be narrowed by reference to principles of reasonableness and proportionality, and in Ireland the Data Protection Commission expects SARs to be fulfilled within fifteen days (even if in practice searches are narrowed and these expectations are not always met).