The Coronavirus pandemic has unfortunately put a lot of companies and organisations in a precarious financial position, causing employers to make some very difficult decisions – for example, going through a redundancy process. This in turn has led to a rise in Subject Access Requests.
At Stephens Scown, we have seen an increase in redundant employees requesting access to their personal data, which is held by their employer – often to review the redundancy process. It is important that employers comply with data protection laws, particularly when responding to Subject Access Requests – getting a SAR response wrong could mean committing a criminal offence.
Subject Access Requests
Data subjects have extensive rights in respect of their personal data, for example the right to rectification of the data a business holds about them, erasure of the data, and even to object to the processing of their personal data. However, the most often used (and weaponised) right, and the most time-consuming to deal with, is the data subject’s right to access the details you hold about them – this is called a Subject Access Request (“SAR”).
A SAR can be written or oral and does not have to be in any particular form as long as it is clear that the individual is requesting their personal data. Data protection legislation dictates specific information and time frames concerning how you should respond to a SAR.
It is fundamental that the content of your SAR response letter (which is to be sent to the data subject who made the SAR) ticks off your legal obligations and clearly sets out the data subject’s rights. If a data subject is not satisfied with your SAR response and/or the data set provided, there are a number of avenues that the data subject can take to ensure your compliance with data protection legislation; for example, the data subject has the right to apply to a court for a compliance order if they believe that their rights have been infringed.
The risks of getting it wrong
There are a number of offences under the Data Protection Act 2018 (“DPA”), but for the purposes of this article, we have only focused on a few of the offences:
Destroying or falsifying information and documents
Under Section 148(2)(a) of the DPA it is an offence for a person to destroy or otherwise dispose of, conceal, block or (where relevant) falsify all or part of the information, document, equipment or material; it is also an offence to cause or permit such actions (section 148(2)(b)).
Unlawful obtaining of personal data
Section 170 of the DPA builds on section 55 of the Data Protection Act 1998, which criminalised knowingly or recklessly obtaining, disclosing or procuring personal data without the consent of the data controller, and the sale or offering for sale of that data. Section 170 adds the offence of knowingly or recklessly retaining personal data (which may have been lawfully obtained) without the consent of the data controller.
However, there are some exceptions, for example where such obtaining, disclosing, procuring or retaining was necessary for the purposes of preventing or detecting crime.
Re-identification etc. of de-identified personal data
Section 171 of the DPA criminalises the re-identification of personal data which has been ‘de-identified’ (such as personally identifiable information that has been redacted, removed or concealed). It is also an offence for a person knowingly or recklessly to process personal data that has been re-identified.
Alteration etc. of personal data to prevent disclosure to data subject
This section is particularly relevant when preparing a data set in response to a data subject access request. Section 173(3) makes it a criminal offence to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure.
It is increasingly common for employers and employees (or previous employees) to reach a settlement agreement following a redundancy. However, employers should note that they cannot contract a data subject out of their rights under data protection laws.
In order for an employer (or a recipient of a SAR) to be released from their obligations under data protection laws, the data subject must withdraw their SAR, preferably in writing, if not in the settlement agreement itself. It is crucial that this is not overlooked as employers are at risk of committing a criminal offence by entering into a settlement agreement which does not require the data subject to withdraw their SAR (and then default on their obligations in relation to the SAR) or which requires a data subject to forfeit and/or contract out of their rights to make a SAR in the future.
Personal data of third parties
It is also very important to be alive to the fact that a data subject is only entitled to their personal data and not the data of third parties.
There are some circumstances where the data subject will have already had sight of a document and/or email which includes the personal data of others, i.e. if they have been copied into an email or previously received a copy of a document in the course of their employment. However, the personal data of third parties is to be handled with caution when preparing and collating a data set in response to a SAR and cannot be disclosed to the data subject making the SAR, unless it can be shown that they have already had access to that document/email, i.e. it is stated that they were in copy/a recipient.
It is absolutely crucial for a recipient of a subject access request to comply with data protection legislation. Upon receipt of a subject access request, it is prudent to take specialist legal advice as soon as possible to avoid the risk of falling foul of the law and to reduce the risk of committing an offence under the DPA 2018, be it inadvertently or otherwise.
Our clients rely on our expertise as specialist data protection legal advisers to ensure that their businesses are (and remain) compliant under data protection legislation.
For further information, including support on the documents and actions required to help you meet your obligations, please feel free to get in touch.