By Deborah Margolis - 30 November 2020
We’ve seen a big increase in the use of data subject access requests (“DSARs”) over the last few years, but we think that the new guidance from the UK’s data protection regulator (the ICO) will provide some reassurance to employers.
DSARs (which allow employees and former employees to access copies of their data) are often dreaded by employers as a costly and time-intensive strategy used to obtain early disclosure as part of a litigation process. The ICO has recently updated their guidance on how to deal with these requests in practice.
Three members of our team, Raoul Parekh, Deborah Margolis and Lisa Rix provided feedback to the ICO as part of its consultation at the beginning of the year (together with other members of the UK Employment Lawyers’ Association), so we were pleased to see that some of our suggestions were included in the final guidance. We’ve set out below five key bits of good news that all UK employers should be aware of.
1) Extending the deadline: the default position is that DSARs should be responded to within one month. However, where a DSAR is “complex” that deadline can be extended by a further two months. The ICO has given some examples of where a DSAR deadline can be extended (although this should be assessed on a case by case basis). Those reasons include:
The ICO has now recognised that a large volume of information may contribute to the complexity of a request (although they do say that this reason alone is unlikely to merit an extension).
2) “Stopping the clock” whilst waiting for clarification: the ICO has clarified that where an employer needs to further obtain clarification from the individual on the scope of a DSAR, the time limit for responding is paused until a response is received. The clock is therefore “stopped” for this period.
This will be welcome guidance for employers, which will now not need to worry about their time limit expiring whilst they await a response from an employee.
3) Refusing to respond: to date employers have struggled to know when a DSAR is “manifestly excessive” (which would enable the employer to charge a reasonable fee or refuse to respond to the DSAR). Although this right should be used with caution, this is a helpful point to be aware of when discussing with an individual what would constitute a reasonable scope. The guidance confirms that employers will need to consider whether the request is clearly or obviously unreasonable and recommends taking all of the circumstances of into account, including:
The employer should then consider whether the response requested is proportionate when balanced with the burden or costs involved in dealing with the DSAR. This is a helpful approach for employers and acknowledges that resources and proportionality are relevant to this consideration.
4) Recovery of costs: as mentioned at point 3 above, where a request is “manifestly excessive”, employers can charge a reasonable fee. The guidance now confirms that a reasonable fee can include the costs of its staff time, copying, postage and other expenses incurred in transferring the data to the individual. Any costs should be based on staff time should be based upon the estimated time it will take staff to comply charged at a reasonable hourly rate.
This will be a welcome opportunity for employers to recover some of the costs for responding to time-consuming DSARs.
5) Employers only need to make reasonable efforts: although there is a high expectation to provide information in response to a DSAR, employers are not required to conduct searches that would be unreasonable or disproportionate. This is something for the employer to determine, and as part of that assessment, employers should consider the circumstances of the request, any difficulties with finding the information and the fundamental nature of the right of access.
If you have any questions about responding to DSARs, please get in touch with Deborah Margolis or your usual GQ|Littler contact.