Data Protection in the Workplace - Part 2

In the second of a three-part blog series covering Data Protection in the Workplace, Information Commissioner Paul Vane delves into Data Subject Access Requests.

One of the most common issues faced by employers is the often ‘dreaded’ Data Subject Access Request (DSAR). I say ‘dreaded’, because they are more often than not complicated, time consuming, emotive and generally linked to some other form of conflict, such as an employment dispute or civil claim for example. They can be unpleasant for sure.

But as I have said previously, the Law makes no distinction between a DSAR from a customer and a DSAR from a member of staff. The requirements are exactly the same. The only difference is you are highly likely to hold more personal data about your staff member than you would about your customer, which means good records management is essential.

So, some key tips I can offer to make it easier for you are:

Firstly, and probably most importantly, recognise the request. DSARs don’t necessarily have to have ‘DSAR’ written all over them. They don’t have to be written either, or on some sort of pro-forma. They don’t have to quote the Data Protection (Jersey) Law 2018. The onus is upon you to recognise it as a DSAR and deal with accordingly.

Secondly, and as mentioned in my previous blog, know your data. If you know where to find the requested information, this is going to save you time and effort. If you don’t know where the data is, or it’s scattered all over your organisation then you’re going to have problems finding it all, and you’re going to struggle to meet the statutory timeframes for a response. You’ll also probably leave yourself wide open for the data subject to allege that you have missed something.

Thirdly, don’t waste time. 4 weeks is not long and remember it’s 4 calendar weeks, ie. 28 days, not 4 working weeks. So out of that 28 days, you can almost certainly cut out 8 of those for weekends, and more if the timeframe covers Bank Holidays or Christmas. So as soon as the request is received, get the ball rolling.

Which also leads into the 4th part… engage! Surprisingly few controllers actually positively engage with the requestor until they respond to the request, assuming of course they do. Good early engagement ties in well with transparency and accountability, so talk to the requestor, have an honest and open discussion with them about what they want and perhaps why, even though they’re under no obligation to tell you. This will help manage their expectations and give you a better idea of how to handle the request.

Granted, many requestors simply want everything. But it might be they are looking for something specific and thus you could save a lot of time searching for something that doesn’t exist or is not needed.

Other points to remember:

  • A DSAR is no substitute for legal discovery.
  • You may not have what they want.
  • Keep your search wide.
  • Remember to check for 3rd party data.
  • Remember there might be exemptions that apply.
  • Always provide as much as you can, as early as you can.

But it’s not always work-related data held on work systems. What about social media, WhatsApp or text messages? Or personal chatting on Teams?

Firstly, my question would be what does your policy say on acceptable use of work IT systems for personal use? This is always a grey area, but particularly where the boundaries of acceptability are not defined and communicated to staff.

Some organisations I have dealt with over the years have had significant problems with this because they failed to set out the ground rules. Others have taken the opposite view and will not allow their systems to be used for any personal use at all. A zero tolerance if you like.

So, in summary.

If it’s work-related on work systems - It’s disclosable.

If it’s private information on work system - It’s disclosable.

If it’s private information on personal devices/accounts - it’s not disclosable.

If it’s work-related on personal devices/accounts - it’s probably not disclosable, but may be a security breach.

So where do employers fall down when it comes to data protection compliance?

In my experience, there are probably 6 key areas:

Insufficient controls, i.e. policies and procedures to protect data. An example would be the rules around when an employee leaves and takes client data with them. How do you prevent that? Clear policies about not taking client data with you when you leave. Failing to do so leaves you wide open to a data breach.

Lack of communication with staff is another. You need to make sure you not only tell them about the policies and procedures in existence, but also why they apply and what they’re there for. Too many organisations fail to engage properly with their staff. If you want a good data protection regime that works, then you need everyone on board.

Poor records management and incomplete staff records. Not only do they expose you to potential data protection breaches, but they leave you wide open to allegations of improper conduct and potential litigation.

Do you regularly provide meaningful data protection training to staff? I dealt with a case a few years ago where an employee took client data with them to a new company and started to use it. As part of the case against them, the Attorney General wanted to know what training this employee had had in relation to data protection. This was crucial in proving that the former employee knew what they were doing was wrong, and gave protection to the employer.

Also poor data security. The law talks about technical and organisational measures being in place to protect the data from unauthorised access, loss, destruction and so on. What policies and procedures do you have in place to protect the data? And what IT measures do you have in place to protect the data?

My office has a wealth of data protection guidance and resources on our website.