A Data Subject Access Request (DSAR) is a request made by an individual to access personal data held about them by an organisation. It can be used by workers to request information from their employer. Disclosable data could cover anything with their name, initials, job title or anything else that would personally identify them in it.
DSARs exist to help individuals and employees understand how and why their personal data is being processed, and to make sure that it is being used lawfully. However, they are often tactically deployed by employees seeking to gather information and documentation in support of an ongoing employment dispute.
Employers need to know what to do on receipt of a DSAR and what they might need to disclose. Failure to handle a DSAR appropriately could lead to enforcement action by the ICO (including fines). It could also indirectly impact on any associated employment dispute – either by being used as evidence of less favourable treatment in a discrimination claim or, if documents are uncovered which had not previously been disclosed as part of legal proceedings, to support allegations of failure to disclose.
Top tip 1: Don’t panic
All too often, employers who receive a DSAR throw their hands up in panic and then try and hide the offending document under a pile of paper – hoping it will just ‘go away’. Requests are often lengthy. They are also often written in such a way as to require the review of a vast amount of source material. For an overstretched HR professional, they are the stuff of nightmares.
The request is not going to go away. Panicking is not going to solve anything. Take a deep breath. Take the time to read the request thoroughly and work out exactly what it is asking for. Work out where that information might sit within the organisation. Work out what resourcing you will need to respond to the request and brief the people involved. If necessary, get IT involved in a supporting capacity.
Top tip 2: Have systems set up and ready to go in advance
Take the time now, when you don’t have a DSAR burning a hole through your desk, to consider what systems you might be able to put in place to handle any requests received in an efficient manner. If you are part of a large team this might involve providing specific training to certain individuals on the rules surrounding DSARs, and the exceptions to disclosure. These employees become your ‘DSAR champions’ – ready to work efficiently to respond to any request received.
Work with your IT teams to make sure that they are ready and able, on request, to extract electronic communications using name references or other key words. Although human oversight is still required, this can massively increase efficiency.
Top tip 3: Be aware of time limits – and the right to extend time
Once a valid DSAR is received, the employer must respond within one month. Diarise this date as soon as the request is received. Employers are able to extend the time limit for responding by up to two months if the DSAR is complex or a number of requests have been sent. If an employer wants to extend time it must let the employee know this in writing and explain the reasons why.
Top tip 4: Know your exceptions
There are exceptions to the obligation to disclose information in response to a DSAR. You should consider critically whether any of these apply to information which would otherwise be caught by a request. The exceptions are narrowly interpreted – be ready to explain why you think you can rely on any of them. They include:
- where other people are mentioned, and the information is inextricably mixed up. You must try to separate or seek consent from the other person. If not possible, you can withhold if it is unreasonable to disclose it.
- management forecasts/planning: if disclosure would prejudice the conduct of business (e.g. redundancy planning), you can sometimes withhold it.
- legally privileged material, such as emails between HR and legal advisers about handling a grievance. These do NOT need to be disclosed.
- ongoing negotiations: if disclosure would prejudice negotiations with the employee (e.g., settlement discussions), then it need not be disclosed – but you need to be certain this is a real problem, not just hypothetical.
- manifestly unfounded or excessive requests: in extreme cases, if the DSAR is being used abusively to disrupt internal operations, you can refuse.
Top tip 5: Have a consistent approach to avoid any legal risk
This includes keeping a clear separation between the DSAR and any ongoing internal dispute, and being consistent. If you put DSARs on the back burner where the employee has raised a discrimination complaint, but deal with routine requests promptly, then this indicates potential victimisation. You may be handing the employee a claim on a plate – even if their initial complaint had no sound basis.