If you’ve been involved in dealing with a grievance from a particularly aggrieved employee, you’ve probably also been on the receiving end of a data subject access request.
Like just deserts (not to be confused with just desserts – which are far more palatable), dealing with a DSAR can be particularly unpleasant, taking up much time and potentially revealing information which you’d rather not have found.
DSARs are now a standard tool in the employee’s box for finding those off-the-cuff comments or managerial asides which should never have been made. In the hands of the well-informed employee, they are a weapon in the fight to prove alleged unfairness and victimisation.
We regularly advise both employees and employers not to put in writing (which nowadays includes email, text message, WhatsApp and other instant messaging services) anything about someone which they would not be happy for that person to read. It’s so easy to send that message thinking that it’s private, but it can come back to bite and haunt the unfortunate sender (and their employer) when it ends up being disclosed to the data subject.
The recent case of Dawson-Damer v Taylor Wessing LLP (a third judgment in the same case) provided updated guidance on the scope of DSARs and the scope of the investigation required to respond to them. Firstly, when deciding whether a hard copy record fell within the definition of “relevant filing system”, it was necessary not just to establish whether the data could be “easily retrieved”, but whether the record was structured by reference to specific criteria “related to individuals”. It was held that a file with the data subject’s name on it and arranged in chronological order was sufficient to meet the definition.
The court also held that where a data controller wanted to argue that a data search would be disproportionate, it was necessary to provide sufficient evidence to explain the time and cost involved. Therefore, an employer should always give informed estimates (perhaps by reference to the number of individual documents or emails to be searched) if it wishes to raise this argument in response to an employee who has made a general request for “all data you hold on me” and who refuses to narrow the scope of their request. In the Dawson-Damer case, the court held that it was not disproportionate to require a search of personal folders of current employees. It was also necessary to search for all undisclosed documents which were cross-referenced in disclosed documents to see if those additional documents contained personal data.
Finally, it was found that the data controller had redacted too much information and they were required to review their redactions. Over-redacted documents often come to light when the same email is disclosed in two forms (perhaps the original email and then as part of a chain) and different redactions are made to each email. The inconsistency can be evidence that the data controller has been too liberal with its digital black marker pen. Best practice is to remove all duplicate emails at the document collation stage and thus avoid inconsistency.
The contents of this newsletter are intended as guidance for readers. It can be no substitute for specific advice. Consequently we cannot accept responsibility for this information, errors or matters affected by subsequent changes in the law, or the content of any website referred to in this newsletter. © Mundays LLP