Taking "Subject Access Requests" Seriously in the UK
Overview
Under section 7 of the Data Protection Act 1998 (DPA) employees are entitled to make a data “subject access request” (SAR) in order to obtain copies of the personal data held about them by their employer and certain other related information about how that data is stored and processed.
SARs are often lodged by employees in situations where relations between employer and employee are strained or have broken down. There may be ongoing internal disciplinary or grievance procedures or the employee may have started formal litigation. A SAR can be a valuable tool for the employee in such circumstances. Not only can a SAR potentially elicit material which is of relevance to the situation (for example, a “smoking gun” email), but the process of complying with the SAR can also be labour intensive and expensive for the employer. Consequently, lodging a SAR may bolster the individual’s position in relation to his or her complaints, not least as part of any ongoing settlement negotiations.
If an employer fails to comply with a SAR then the employee can make a complaint to the Information Commissioner, who has various enforcement powers. Alternatively, although the cost involved may be prohibitive, the employee can apply to the High Court for an order for compliance with the SAR.
Narrowing the scope of a SAR
An employer can challenge or limit a SAR in a number of ways. If the request is very wide the employer can legitimately ask the employee to narrow it so that it is more focussed and proportionate. It may be sensible to seek to agree with the individual making the request the search terms to be used, the time period in respect of which a search is to be carried out, and the individuals whose communications need to be reviewed. Also, some of the data may fall into one of the categories which are exempt from disclosure in response to a SAR – examples include where the data is covered by legal privilege, or where data relates to the prevention of crime or the assessment or collection of taxes.
Disputing SARs related to litigation
Until the case of Gurieva earlier this year, employers often objected to SARs which were lodged during the course of or in connection with litigation on the basis that the SAR was not legitimate by virtue of being a “fishing expedition” to obtain advance disclosure of documents during a dispute with the employer. However, in Gurieva the High Court said that the various previous decisions addressing this issue did not give employers the ability to refuse to comply with a SAR on this basis. In Gurieva, the High Court took the view that employees do not have to give a reason for making a SAR, and there is nothing inherently wrong with an employee using a SAR for the purpose of obtaining early access to information that he or she might otherwise obtain later via disclosure in pending or contemplated litigation. It seems that only in clear cases of abuse of the court disclosure process in concurrent litigation may employers be able to resist SAR compliance.
Unfair dismissal claims and failure to respond to a SAR
A recent employment tribunal decision, McWilliams v Citibank, highlighted that failure to respond properly to a SAR can cause problems for the employer in an unfair dismissal claim. The employment tribunal found that the employer’s failure to respond properly or at all to a SAR was a relevant factor in the overall consideration of whether the employee’s dismissal was fair.
In this case, an employee had been suspended pending disciplinary proceedings. She had no contact with her former colleagues and no access to documents. Her SAR was made as an attempt to obtain evidence in order to respond to the allegations made against her. The employee’s original request was very wide and the employer asked her to narrow it down, which she did. However, the employer failed to supply her with any documents on the basis of the more limited search until after the disciplinary hearing. This meant that Ms McWilliams had to rely on her employer to carry out a reasonable and diligent investigation. The tribunal found that the employer’s investigation was inadequate.
Whilst noting that it was not for the employment tribunal to enforce data subject access rules, the employment tribunal considered that, in these particular circumstances, the failure to comply with the SAR was relevant to the overall fairness of the employee’s dismissal and in particular the procedure followed by the employer. The tribunal felt that the inadequacy of the employer’s investigation, together with its failure to respond properly to the SAR, materially affected the way in which the employee could respond to the allegations against her and was unfair. The failure to comply with the SAR was relevant to the fairness of the dismissal decision because it compounded the inadequacies of the process which the employer followed.
Conclusion
The Gurieva decision makes it more difficult for employers to challenge SARs which they consider are fishing expeditions. The McWilliams case, although based on its specific situation, does highlight that failure to comply with a SAR may compound any inadequacies in an employer’s dismissal procedure. Given the reputational and other risks of enforcement proceedings as well as the potential employment consequences, it is clear that employers cannot afford not to take SARs seriously.