“To disclose or not to disclose – that is the key question”….

In Part 1 of our series we wrote about what to do when you receive a subject access request under the Data Protection Act 1996 (“DPA”). Now turning to your response to a request, the DPA provides exemptions which you may be able to apply in order to withhold certain types personal data. The most common exemptions which may apply are:

  • Confidential references given by the data controller. A ‘request’ must however be complied with in relation to a reference received by a data controller (for example, a new employer), subject of course to the rules on disclosure of third party information.
  • Personal data processed in connection with management forecasting or planning, to the extent that any disclosure would prejudice the conduct of the business. i.e if information on a staff redundancy programme is disclosed in advance of it being announced to the rest of the workforce.
  • Personal data relating to negotiations between the data controller and the employee, to the extent that any disclosure would be likely to prejudice those negotiations i.e. any internal pre-settlement discussions relating to the company’s intention/position, before a settlement has been signed.
  • Personal data subject to legal professional privilege. Legal advice privilege covers confidential communication between a lawyer and their client for the purpose of seeking or giving legal advice. Litigation privilege would apply where the communication comes into existence for the dominant purpose of being used in connection with actual or pending litigation. Neither of these are likely to apply if a lawyer is just being ‘cc-ed’ into emails in the hope that it will apply!

Summary: It is important to keep a detailed record of all data which was identified as being within scope, data disclosed and data not disclosed. Keep a clear record of why certain data has not been disclosed and the exemption applied. If contested, this evidence and your reasoning will be key.

Although a recent case held that disclosure was not required where it was not reasonable or proportionate to carry out the search for personal data, this runs very much contrary to the general stance taken by the Information Commissioner’s Office (“ICO”). We would advise that taking such a position is risky; the employee making the request may very well challenge your position with the ICO and the time and costs involved in dealing with the challenge may outweigh the savings you might have made in not responding to the request.

Insights.

Stuck in the middle with you
5th March, 2021

Need to avoid getting stuck in a lease? Are you a Landlord who is worried about new tenants’ ability to pay the full rent? Looking for flexibility or being forced…

The hidden cost of COVID-19 #SolicitorChat with The Law Society
4th March, 2021

Whether it's our vulnerable citizens, struggling to access justice, employees feeling badly treated, or a walk, unsure of the rules. Several questions have been answered on the hidden costs.

Selling a home after a relationship breakdown #SolicitorChat with The Law Society
25th February, 2021

Going through a relationship breakdown can be a difficult time which can be more complex if you share joint assets such as a home. Alice Barrett and Bethan Campbell discussed…

Freshen-up your equality and diversity training
25th February, 2021

Training is a common element of most modern offices. Most employers have equal opportunity policies, and implement some kind of diversity training for their staff.