Identifying Personal Data for the purposes of a Data Subject Access Request – Employment Law context (Part 02)

Last week we dealt with outlining the basics of a Data Subject Access Request  (DSAR) and the data which may be considered ‘personal’ in this context (See Part 01). This week we deal with the second stage of responding to the request; Redaction, minimisation and agreeing the scope.

Redaction

While we will not go through all the exemptions which may be applied to a DSAR reply here in any great detail, there are a number of key ones which we should all be aware of: such as third party data, legal professional privilege, criminal investigation and confidential expression of opinion. If an exemption applies it may be that it applies to all of a document, but in most instances exemptions will only apply to part of a document. Every time you redact you must give justification for that redaction in your response to the DSAR.

In the following example we are applying a ‘third party data’ exemption, meaning that Dr Bog’s personal data is included but that of the third party is not. Just as Dr Bog’s name is regarded personal data, then so is that of Madame FuFu. Has she given permission for this data to be sent on to Dr Bog? In most cases not, so then her name must be redacted or we will be in breach of her privacy rights by sending a copy of the email correspondence to Dr Bog. The response would therefore look like this:

Manager to HR

Time/Date: 25 May 2018 @ 12.15

Madame FuFu has informed me that DR Bog has not been in today.

But what If the email has no information at all which relates to the individual bar their name?

From Accounts to DR BOG

Time/Date: 26 May 2018 @ 11.25

Invoice ABC has been sent by client 123.

Yours sincerely,

Jane Accountant.

As Dr Bog’s name is personal data all aspects of the email must be redacted bar his name. This means that much of what you send back to a request may end up looking like this:

Accounts to DR BOG

Time/Date: 26 May 2018 @ 11.25

Invoice ABC has been sent by client 123.

Yours sincerely,

Jane Accountant.

The problem is if an employee is working with a firm for a long enough period, that there are likely to be thousands of emails which may feature in this way. Meaning an organisation may find themselves bogged down in gathering, analysing, redacting, justifying and responding to the request.

How do I minimise my risk to a debilitating Data Subject Access Request?

There are a number of ways to do this. The best is to adhere to the data minimisation requirements as outlined in General Data Protection Regulation (GDPR), which in simple terms means that an organisation should only hold as much personal data as is strictly necessary. This means that firstly you must have a clear reason for collecting data and that nothing outside of that which is necessary is gathered in the first place. At the other end of the life cycle it is important to have and to implement a retention schedule in order to only hold data that is relevant. Another clear means by which to minimise your data load is to de-personalise communications or records, for example using emails which are role-specific such as hr@company1.ie or legal@company2.ie .

However, regardless of whether this is being done in your organisation or not, the best means by which to reduce the volume of data which has to be sifted through on receipt of a request is by engaging with the person who made the request in order to agree the scope of the data which is required by the individual. As has been stated in Part 1, an individual may request a copy of all their personal data held by an organisation without having to give a reason. However, sometimes there is a reason behind the request.

This may often arise in the course of an employment dispute. Many employees submit DSAR’s in the course of taking a claim against their employer via the Workplace Relations Commission. As there is no Discovery process which applies to the WRC, a DSAR may be used by some claimants in its place.

Employment Example of engagement with Employee making the request

If we take the example of an employee of 10 years experience who claims they were bullied and forced to resign. The employee may not be seeking, nor want, all the personal data which relates to their 10 years employment, but without any further instruction this is what is what they should be given in response to a DSAR. The information which may be of relevance in a bullying claim may be their employment file, and given that they are claiming they were bullied, any information about how the organisation dealt with their initial complaints. Further, they may claim that messages in emails were part of this bullying, this may relate to a number of messages within a specified time.

Once this is ascertained, what can be put to them is the following

Dear Dr Bog,

If agreement can be reached on these terms it would lessen greatly the time and resources which are needed for the production of the response to the request.

Conclusion

To conclude, a Data Subject Access Request, applies to all the personal data of the individual in question and can cause a serious headache when coming from an employee of an organisation. The easiest way of dealing with a request is by holding as little data as is necessary in the first place which can be regarded personal data and then once a request is made lessen the burden further by narrowing the issues with the person.

Keep reading To retain or dispose? That is the question