Employment law- Data protection
The knowledge of your data protection rights may be very important in an employment context. The General Data Protection Regulation (“GDPR”) came into force on 25 May 2018. The Regulation replaced the old Data Protection Act and is concerned with respecting your rights as individuals when your personal information has been processed.
The GDPR Regulation contains 6 principles:
1.Personal data should be processed fairly, lawfully and in a transparent manner.
2.Data should be obtained for specified and lawful purposes and not further processed in a manner that is incompatible with those purposes.
3.The data should be adequate, relevant and not excessive.
4.The data should be accurate and where necessary kept up to date.
5.Data should not be kept for longer than necessary.
6.Data should be kept secure.
What are my rights as an employee?
The GDPR requires your employer to provide you with a privacy notice. This will outline the legal reasoning and justification for the collection and processing of your data. The privacy notice must include;
-the identity and contact details of your employer as the data controller;
-the data protection officer contact details ;
-the purposes for which the data is being collected and the legal reasoning for processing;
-where the legal basis for processing is the legitimate interests of the employer or a third party, the legitimate interests relied on;
-the recipients, or categories of recipients, of the data, if any;
-details of any sharing of the data outside the European Economic Area and the appropriate procedures in place;
-the period for which the data will be stored,
-the data subject’s rights to request access to, correction or deletion of data; to request restriction of processing; or to object to processing;
-the right to data portability;
-the right to withdraw consent at any time;
-the right to lodge a complaint;
What is considered personal data under the GDPR?
Personal data is data that relates to an identified or identifiable individual and is:
-kept in a filing system (manually or otherwise).
-part of an accessible record, for example an education record.
-held by a public authority.
This includes data that does not name an individual but could potentially identify them, for example a payroll or staff number. Any personal data your employer has in their possession will also be subject to the Regulation. For example, your manager may have a written copy of contact details for your team.
How do I make a subject access request (“SAR”)?
As an employee, you have the right to request the data that your employer holds about you.
There is no prescribed format for a valid subject access request, although your employer can provide a form to assist you with making a request and to streamline the process for responding to the request. You do not have to use particular language, or state that you are making a subject access request. It just has to be clear that you are asking for copies of your personal information. For example, a request for “a copy of all information that you hold about me” or “all information relating to my recent grievance” will be a valid subject access request.
Please see below for guidance from the ICO as to how SAR’s should be dealt with.
What are the time limits for my employer to respond to a subject access request?
Your employer must respond to a subject access request ‘without undue delay and in any event within one month of receipt of the request.’
Your employer is, however, allowed to extend the deadline by up to two months (so they effectively have up to three months in total) where requests are particularly ‘complex or numerous.’ If this is the case, you must receive notification by your employer within one month of making your request as to why an extension is necessary.
The burden of determining whether a request will be considered ‘complex’ is on your employer. As long as they can provide good reasons for the delay, it is generally considered unlikely that a challenge can be made.
Is there a fee to make a subject access request, and can my employer refuse to comply with the request?
The information must generally be provided free of charge, however employers may charge a ‘reasonable’ fee if the request is ‘manifestly excessive or unfounded, particularly if it is repetitive.’ Any such fee must be based on the administrative costs involved of retrieving the information.
In addition, employers can also now refuse to respond to unwarranted requests, although your employer would need to explain why, and also inform you of your right to complain to the supervisory authority without undue delay. It will usually be difficult for employers to justify why a subject access request cannot be met.
What data am I entitled to as a job applicant?
An employer may retain personal information provided by job applicants during the recruitment process, for example, keeping an applicant’s CV on file in case any further vacancies arise in the future. The GDPR states that personal data should not be kept for longer than is necessary for the particular purpose for which it is being retained, so it would seem that such information should be deleted after a reasonable period of time.
The regulations also require an employer to inform job applicants why their data is being processed and exactly what data they will process. Alongside this, a job applicant must be told who will have access to their data and the necessary protective measures that are in place for the sharing of the job applicants data. The employer will also need to outline the rights a job applicant has regarding their data; (these are the same as detailed above.)
What data am I entitled to as a former employee?
Employers can retain personal data relating to former employees only if one of the legal reasonings for processing still applies. For example, retention for a certain period may be required for tax purposes, in which case the legal basis under the Regulations would be that it is necessary for compliance with a legal obligation. However, an employer could rely on this legal basis only for the retention of pay data relevant to that specific purpose-they would not allow for the retention of the former employee’s entire personnel file.
Employers must have a system in place for identifying data that should be kept about former employees, identifying the purpose and legal reasoning for retaining it, determining for how long it should be kept and ensuring that it is deleted thoroughly after the relevant period.
Former employees can request that the employer delete personal data it holds about them. The employer must comply with the request if the data is no longer necessary with regards to the purposes for which it was collected and processed.
Can it be a term of a settlement agreement that you will not make a new Data Subject Access Request after you leave?
You can sign up to such a term, however it is unlikely to be binding as there is nothing in the ICO’s guidance that states an employer can rely on a clause in the settlement agreement as a reason not to provide the requested data.
The ICO’s guidance, however, does allows an employer to reject a DSAR as “manifestly unfounded” where the request is “malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption”. It is possible that this would cover someone who expressly agreed not to make a DSAR but then did so anyway. This is particularly the case if any material time elapses between the promise not to make the DSAR, and the actual DSAR being made. The ICO would need to decide on the facts of the case if your employer refuses to comply with the request.
Can it be a term in a settlement agreement not to proceed with, or complain about an existing DSAR?
Yes, frequently there will be such a term in a settlement agreement not to proceed with an existing DSAR or make a complaint to the ICO, sometimes as part of an agreement not to proceed with a grievance. Most employees would probably leave it at that, however there is some legal question mark over the strict enforceability of such a term due to the overreaching protective nature of your data protection rights. However, the entering of a settlement agreement waiving your employer’s alleged breaches would almost certainly be accepted by the ICO as good grounds for not having responded in a timely manner or addressing your concerns to date, even your employer was ordered to do so going forward.
Guidance from the ICO on how Subject Access Requests should be dealt with.
In October 2020, the ICO published detailed guidance on your rights of access. The guidance doesn’t alter the existing law but rather provides clarification for employers on how to deal with subject access requests (‘SAR’).
There are three main areas that the guidance addresses:
1) What amounts to a ‘manifestly excessive’ SAR?
The guidance confirms that it is a balancing act and the employer must determine whether the SAR is “clearly or obviously unreasonable”. This involves assessing whether the response required is “proportionate when balanced with the burden or costs involved”. Employers should consider all the circumstances, including (but not limited to): the nature of the information, the context of the request, whether not complying with the SAR could cause substantive damage to the employee, your available resources etc.
2) What is a ‘reasonable fee’ for complying with a manifestly excessive or unfounded SAR?
A ‘reasonable fee’ can include: the cost of staff time, photocopying, printing, postage, envelopes, USB sticks etc. Employers can take into account the administrative cost related to assessing the information, locating it, copying it and communicating with the employee.
3) Stopping the clock when clarification of the SAR is required.
An employer can potentially ‘stop the clock’ on the 30 day time limit for compliance with an SAR, if clarification is genuinely required and if the organisation processes a large volume of information about that employee.