A 2021 Enforcement Notice by the Information Commissioner’s Office (ICO) is a useful and salutary reminder about what not to do when your organisation receives a request from a person for a copy of their data (technically a Data Subject Access Request or “DSAR”).
All organisations process data – client, supplier, employee, potential client – and it is important for everyone in an organisation to understand what to do if they receive a request for information in the form of a DSAR.
The starting point is that an individual has a right to request a copy of their personal data from an organisation. This is a broad right of access and there is limited scope to refuse to deal with such a request (unless an exemption applies or if the DSAR is manifestly unfounded or manifestly excessive).
The employer-employee relationship, and the knowledge that an employee has about an employer's business, mean that DSARs can consume significant time and cost. DSARs can escalate quickly, lead to litigation and cause reputational damage.
Practitioners have noted an increase in the number of DSARs as lockdown restrictions ease. It would appear that, as we unlock, businesses are evaluating their models and individual employees are thinking about their working situation as things continue to evolve.
In 2021 an individual issued Employment Tribunal proceedings against their former employer, recruitment agency First Choice Selection Services (“First Choice”). The individual also submitted a DSAR in clear terms. It is worth pointing out that employment law rights and data rights are entirely separate, albeit in this case they should have run concurrently.
What followed was a drawn-out period of inaction from which nobody benefited and during which First Choice risked a significant penalty.
Upon receipt of the DSAR from the individual, First Choice declined to provide the data on the grounds that there were Employment Tribunal proceedings in process and it would disclose information only when instructed to do so by the Employment Tribunal.
After this, the individual sought advice from the ICO and lodged a complaint. In turn, the ICO wrote to First Choice requesting they provide an appropriate response. The ICO wrote again. Then again. Then it provided 7 days to respond.
First Choice responded to the final correspondence sent, albeit reiterating their previous position which was that they were instructed by the Industrial Tribunal to not provide any information to the individual until instructed to do so during proceedings.
The ICO contacted the Industrial Tribunal directly who stated that they had no jurisdiction to deal with matters relating to DSARs.
The ICO determined that First Choice had breached data protection law by failing to comply with the DSAR. The ICO found that First Choice had sought to avoid complying with the subject access request by asserting that the Industrial Tribunal had instructed it not to do so. The ICO found that this assertion was misleading and that the failure to respond breached Article 15 of the EU GDPR and Article 15 of the UK GDPR.
Given these findings, the ICO issued First Choice with an enforcement notice. An enforcement notice requires the recipient to comply with its instructions or face a fine of up to £17,500,000 or 4% of annual global turnover, whichever is higher.
The enforcement notice issued required First Choice to comply with the subject access request within one calendar month.
Guidance from the ICO states that under Article 12(3) of the GDPR a data controller (the company or organisation that receives a DSAR) must respond to a DSAR without undue delay and in any event within one calendar month. The time limit starts on the day the request is received, whether or not that is a working day, and ends on the corresponding date of the following calendar month.
It is important to note that a data controller may extend the time limit by a further two months if the request is complex or involves a large volume of documents.
Once a DSAR is received, it is imperative that you, as the data controller, acknowledge receipt and confirm that you will comply within the time limit, provided the one-month limit is achievable.
To avoid receiving an enforcement notice, it is important to keep all lines of communication between the data controller and the individual open and clear: keep the individual updated on the progress of their request and tell them whether or not you will be able to meet the time limit.
Here at Cleaver Fulton Rankin, we have a specialist DSAR team, expertly trained in using legal technology. We provide high quality services to assist companies who have received a DSAR, a number of DSARs or where there are large amounts of data involved. We are here to help avoid the issues caused in the above case and to ensure that all ICO guidance is complied with correctly.
Our services are fast, cost-effective and completed by a team of experts to relieve any company of the pressures of time constraints and resourcing issues.
If you think we can help you please contact our Legal Technology Team who will be happy to assist with any queries.
This article has been produced for general information purposes, and further advice should be sought from a professional advisor. For advice or information, please contact the Legal Technology team at Cleaver Fulton Rankin.