
Thanks to their spat with a “Politically Exposed Person”, Coutts and the BBC have done more to publicise Nigel Farage and Subject Access Requests (SARs) than either Farage or the Information Commissioner could ever have expected. The Guardian now predicts an explosion in SARs. They represent a serious risk for employers.

What is an SAR or subject access request?

An individual has the right to ask an employer what data that employer holds on them. It could include details about a decision to employ or not employ the individual, a denied promotion or any views that might have been recorded about that individual (leading, perhaps, to their dismissal). The requested information must be provided to the individual within 40 days. “It is a criminal offence to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information a person making a SAR would have been entitled to receive” (ICO).

Why do they matter?

Requests can cause huge hassle and potentially expose decision-making that you would prefer to keep private.

Genuine individuals can seek details that might support a grievance, reveal misinformation that might be recorded against them (which they can have corrected or deleted), expose mishandling of personal data, uncover unlawful activity (such as sexual discrimination), and create numerous difficulties and time-consuming activities for their employer.

Disingenuous individuals can do much the same.

If you face an Employment Tribunal case, then it is likely the other party will seek to trawl information to find inappropriate remarks in an email or other evidence to support or gain credibility for their case.

What can I do to protect myself?

A policy on data protection will go a long way to ensure you and your employees do not mishandle personal data. Privacy statements for employees, applicants and, of course, other parties such as customers are also important. Remember that in these contexts, intentions are not actions, and it is the latter on which one could be judged. You need to know that employees read the policies, and provide information and training to ensure they follow them.

Prepare to respond. The timeframe for a response is short – 40 days go quickly, especially when there are other business priorities. Usually, the request will go to the most senior person in your business (you!) but making sure requests are not “lost in the ether” is crucial. We’ve had a case where the request was made to the wrong email address and critical time was lost.

Brief anyone who might receive an SAR, or tell employees who the right person is – in that privacy statement, for example.

Keep personal data accessible. While you cannot run a business around the risk of SARs, making sure crucial documents, interview notes for example, can be accessed easily is sensible.

Be cautious what you write. Many, if not most, decisions are tipped by personal experience, “gut feel” and intuition. None of these is easily recorded. What is recorded needs to be capable of being defended. Sadly, recording “gut feel” as the basis for a decision may be transparent and genuine, but it will lead you into dangerous waters.

How do I respond?

A subject access request needs to be focussed on a particular purpose. “Catch-all” requests are unlikely to meet essential criteria. An individual cannot request every document, email or written note that might bear their name. Therefore, asking for more detail regarding what information is sought, and for what purpose, can buy time and subsequently save time in complying with the request. Many disingenuous requests are too vague.

If complying with the SAR might prejudice the conduct of your business (other than just by the hassle it causes) then there may be an exemption. There are also other exemptions that may be used to limit the data that is revealed.

It is best to seek advice.

Who can help?

Employer Solutions can assist with policies, privacy statements and generic advice.

The Information Commissioner’s Office (ICO) has proved helpful in cases in which we have been involved, where we have been able to fend off disingenuous requests.

Where matters become more complicated, we recommend business-focussed solicitors; please contact us.

In summary

As this blog is written, Nigel Farage and his Subject Access Requests have led to the NatWest CEO resigning, and put Coutts senior management in a spin – don’t follow them!

Malcolm Martin FCIPD

Author Human Resource Practice

Blogs are for general guidance and are not an authoritative statement of the law.