What is your entitlement to data subject access requests?
Central to the UK’s data protection legislation is an individual’s right to access their personal information that is held by others. One of the most common arenas in which this arises is the Employer-Employee relationship.
02 June 2017
If an individual wants access to their data then they must make a Data Subject Access Request (DSAR). There are various rules and requirements about how to make such a request but once made, an employer has 40 days within which to provide the data.
Historically employers have used a number of different arguments to try and circumvent complying with a DSAR. The motive for this can vary from the time and expense it takes for them to comply with such a request properly, to wishing to withhold information that they do not wish the individual to have. The most common argument deployed by employers where there is live litigation (i.e. a claim in the Court or Tribunal) is that the individual is trying to obtain early disclosure of documents (disclosure is a step in the litigation process requiring parties to provide each other with relevant documents in the case) and this should not be allowed. For several years there has been debate over whether this is an acceptable argument for an employer to use.
Why request access to your personal data?
In an employment law context, DSARs can be useful in obtaining information to assist with grievances, performance improvement programmes, and in ascertaining the reasons behind detrimental decisions taken against an individual, even where litigation has commenced.
Information you can obtain includes:
- Your personal file;
- Emails and telephone records which relate specifically to you; and
- Documents or correspondence relating to any work you have done.
What developments have been made concerning DSARs?
Recently, there have been a number of cases about DSARs. These, alongside new legislation due in 2018, reveal a movement towards prioritising an individual’s right to their data above challenges an employer might level against a request, and in more and more cases it is therefore ordered that requests must be complied with.
We have summarised the key decisions and developments below:
McWilliams v Citibank – Ms McWilliams was subject to disciplinary proceedings by her employer and she submitted a DSAR which she explained to her employer was crucial to her being able to defend herself against the allegations made. Her employer refused to comply with the DSAR. Ms McWilliams was subsequently dismissed by her employer and claimed unfair dismissal before the Employment Tribunal. One of the findings of the Tribunal was that Citibank’s refusal to comply with the DSAR contributed towards the procedural unfairness of Ms McWilliams’ dismissal. This is the first time that a Tribunal has concluded that a refusal to comply with a DSAR can impact on the procedural validity of a dismissal. This is extremely helpful for individuals who find themselves subject to a disciplinary or other internal process.
Dawson-Damer vs Taylor Wessing – This case saw Mrs Dawson-Damer make a DSAR in the midst of on-going litigation. Amongst other things, the Court of Appeal confirmed that the motive behind a DSAR was irrelevant and if an individual makes a request during litigation then it will not be sufficient for the Data Controller to argue that this makes the request void. This is a welcome decision for individuals who will be able to rely on this case to challenge refusals by employers that rely on this argument as a way to avoid complying with the request.
General Data Protection Regulations (GDPR) – The GDPR are due to come into force in May 2018. The legislation is in many ways similar to current legislation, but under the new regime sanctions for non-compliance with a DSAR could in theory include fines of up to four per cent of a company’s global annual turnover, or 20 million Euros, whichever is greater. While it is unlikely that we are usually going to see this size of fine for a failure to comply with a DSAR (unless the failure is particularly egregious), it does suggest that greater sanctions against non-compliance may be applied and this must mean that employers will have to take such requests more seriously.
It is clear that greater importance is being placed on an individual’s right to access their personal data and it is important that employees are aware of this right and of the rights they have if their employer refuses to comply.
All the above information was correct at the time of publication.