Responding To An Employee’s DSAR

Ruby Ashby


Under Article 15 of the UK GDPR, employees have the right to obtain from an employer confirmation as to whether or not their personal data is being processed and if so, copies of the data.

There are also rights under this article for an employee to request supplemental information such as the purpose of the processing, the categories of personal data concerned, etc.

An employee can request access to their personal data (in line with Article 15) by making a data subject access request (DSAR). This right can be (and often is) utilised by an employee with a view to obtaining information/documentation in support of employment tribunal proceedings. It is therefore important for employers to know what information they do and do not have to provide in response to a DSAR.

An employer can refuse to comply with a DSAR either wholly or partly in the following limited circumstances:

  1. If permitted to do so under a relevant exemption set out in Section 15 and Schedules 2 – 4 of the Data Protection Act 2018 (DPA 2018); and/or
  2. If the request is manifestly unfounded or excessive.

Exemptions

Exemptions should not be relied upon or applied in a blanket fashion. An employer must therefore consider each exemption on a case-by-case basis and in the context of the specific pieces of data/categories of data that they process.

If an employer considers that an exemption does apply to a specific piece of data or category of data, this does not mean that it necessarily applies to all of the data that they process. Employers need to ensure that they properly document their reliance on an exemption and justify their reasons for this.

It can therefore be incredibly complicated and time-consuming to consider and respond to a DSAR. In the context of employment tribunal proceedings or anticipated employment tribunal proceedings, there is also the added pressure of disclosing only the required data and nothing that could potentially be used against an employer.

To be clear, just because data may implicate an employer does not necessarily mean that the employer can refuse to disclose it in response to a DSAR. This is why all data needs to be considered individually before disclosure takes place.

Manifestly unfounded and excessive requests

An employer can refuse to comply with a DSAR either in part or in full if they consider that the request is manifestly unfounded and/or manifestly excessive. As with exemptions, an employer should consider each DSAR on a case-by-case basis and in the context that it is made.

A request may be manifestly unfounded in the following circumstances:

1. If the individual clearly has no intention to exercise their rights;

2. If the request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption.

According to the ICO’s guidance, to determine whether a request is manifestly excessive the employer needs to consider whether it is clearly or obviously unreasonable. When coming to their decision, the employer should take into account all of the circumstances of the request, including:

1. The nature of the requested information;

2. The context of the request and the relationship between the organisation and the individual;

3. Whether a refusal to provide the information will cause substantial damage to the individual;

4. The organisation’s available resources;

5. Whether the request largely repeats previous requests; and

6. Whether it overlaps with other requests.

It is a common misconception that a request is excessive simply because the individual is requesting a large amount of information.

An employer must be able to demonstrate to the individual why it considers the request to be manifestly unfounded and/or manifestly excessive and, if asked, will need to explain their reasoning to the ICO. It is therefore important to keep a written record of the decision and the reasons for this.

Comment

You only have 1 calendar month from receipt of a DSAR to respond. Whilst in some circumstances it may be possible to ask for an additional 2 months to respond, if you are unsure as to your position it is incredibly important to seek legal advice immediately upon receipt of a DSAR.

How can we help?

Ruby Ashby is a Senior Associate in our expert Dispute Resolution team, specialising in data breach claims, inheritance and Trust disputes and defamation claims.

If you need any advice, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
