Identifying Personal Data for the purposes of a Data Subject Access Request – Employment Law context (Part 01)

Here is Part 1 of our two-part guide to dealing with Data Subject Access Requests (DSAR). While much of what is outlined will apply to responding to all requests, the main focus is receiving a request in an employment context. Part 1 outlines the general guidance on what to consider in the context of receiving the request. Part 2 deals with redaction, minimisation and agreeing the scope.

Data Subject Access Requests are a feature of data privacy rights which have been highlighted by the implementation of General Data Protection Regulation (GDPR). The general idea behind a DSAR is that should you hold personal data which relates to an individual (the data subject) then they should have the right to know all about it and within certain bounds request for you to undertake certain actions in relation to it such as alter it, move it or delete it, at any time within the course that you hold it?

Many times a DSAR will take the form of a request for a copy of all the data you hold on that individual, which may prove a lengthy and onerous task as first you must identify all the data that is personal to that individual and secondly you may seek to insert any redaction that apply. A person does not need to give a reason for submitting a request and a DSAR may only be refused on the basis of your organisation believing that the request is a) manifestly unfounded or b) excessive in regard the number of requests made.[1] What follows in this two part series are examples of the obligations which attach to such a request and an outline of the best ways to reduce the burden on organisations when faced with one.

What is personal Data?

Personal data is defined as being any information which relates to or identifies (directly or indirectly) an individual. Subject Access Requests relate to all personal data of an individual.

Here are some examples of personal data; Name, Signature, ID number. All of these categories of data identify an individual.

You can also be identified by a combination of data, for example;

Male, 5ft 3in who lives in Áras an Úchtarán at 5.15, in that residence seen eating a packet of M&M’s

The definition under Article 4 GDPR also points to the fact that what is meant by personal data is that which relates to the individual. This may be regarded as clearly identifying the President of Ireland tucking into a cheeky snack.

If you hold personal data on an individual, they have the right to know about it. So, while Michael D may be well aware he ate those delicious treats at the time in question, he has the right to also be aware of the information you have detailing it. The way he exercises this right is by DSAR.

Personal Data in the employment context

What employers sometimes do not understand is that when an employee sends in a Subject Access Request that the same rule applies, and the request relates to all personal data that they may hold on the individual in question. Therefore, when responding to a SAR you must think in terms of gathering all personal data which may include any of this information. This will include all that which is stored on an employee’s HR file such as their starter form, medical or disciplinary information, but outside of that it also applies to correspondence. Which means emails too which may be a trickier aspect of the DSAR to comply with.

Take the following example:

Manager to HR

Time/Date: 25 May 2018 @ 12.15

Madame FuFu has informed me that DR Bog has not been in today.

Using this example, if Dr Bog was to put in a data protection request, then the request would apply to the email also. As it is as statement of fact which relates to Dr Bog, the content of the email should be sent.

[1] Section 93(4) Data Protection Act 2018