
An increasing awareness of data protection rights among employees means employers should carefully consider how they handle information requests from staff, with a wrong move potentially resulting in significant financial and reputational costs for the employer as well as significant diversion of time and resource.

 

A new data protection regime, the General Data Protection Regulation (GDPR), is due to come into force in May 2018. With bigger fines at stake for ‘data controllers’ such as employers who fail to comply, and tighter response times, the need for businesses to focus on their data protection compliance systems has become more acute.

Under section 7 of the Data Protection Act 1998, employees have the right to make a request to see any personal information held about them (in paper or electronic form) and to find out how that data is stored and processed – a so-called subject access request (SAR).

The right can be enforced either by complaint to the regulator, the Information Commissioner, or by applying to the court to order the data controller to comply with the request. 

While SARs were designed to allow data subjects (such as employees) simply to verify the accuracy of data held and the lawfulness of processing, there has been a clear trend in recent years for employees to use SARs to obtain information or documents that may assist them in complaints or legal proceedings against their employer.

Arguments have arisen as to whether a data controller is obliged to comply with requests made for such an ulterior motive. However, the Information Commissioner does not accept that any such limitation on the rights applies, and in the recent Dawson-Damer v Taylor Wessing LLP case the Court of Appeal effectively agreed.

There are potentially serious implications of this, particularly for Scottish employers where employees may seek to exploit their subject access rights in order to circumvent the relatively restrictive rules on disclosure of documents in Employment Tribunal proceedings. Unlike in England, in Scotland there is no standard requirement to produce documents that may be damaging to the employer and which may compromise the defence of claims.

In an age where employers may hold huge amounts of unstructured data, contained in the likes of years of e-mails, compliance with SARs can be incredibly onerous. Employers can, however, argue that responding to a SAR would involve ‘disproportionate’ effort in comparison to the benefit the data would bring the employee.

This defence has been found to apply not just to the copying of documents but, crucially, also to the efforts required to locate the data within the employer’s organisation. It will, however, rarely be advisable for an employer to make no effort to respond.

Separately, it is also worth noting that a failure to respond could impact liability in unfair dismissal claims. The recent case of McWilliams v Citibank involved a finding that an employer’s refusal to respond to a SAR adversely impacted the employee’s ability to defend herself against disciplinary allegations and meant there had been a failure to carry out a reasonable investigation, resulting in a judgment of unfair dismissal.

Generally, employers should therefore review their policies and procedures on SARs. When faced with a specific application, they should carefully assess what is requested under the SAR and the purposes for which the data is being sought, and consider liaising with the employee to get agreement on what searches will be done and any reasonable limitations on the scope of the exercise.

Documenting any such considerations can also prove helpful for employers who may wish to resist legal action from an employee over a failure to disclose.

Eric Gilligan, Partner, Head of Employment, Stronachs LLP

 
