In the second of our five part blog series on Data Subject Access Requests (DSARs), we examine the notion of “complexity” and how that might affect the way you respond as an employer to a DSAR. Read part one here.
What is “complex”?
Under the General Data Protection Regulation (GDPR), data controllers must respond to DSARs “without undue delay and in any event within one month of the receipt of the request. The period may be extended by two further months where necessary, taking into account the complexity and number of requests.”
However, there is little to no guidance on what would be considered “complex” for these purposes.
In our view, given the particular nature of employee DSARs, where it may be necessary for an employer to process numerous different sets of information across the organisation, many such requests could cross the threshold into complexity.
Imagine a DSAR made by you against your bank. Compliance would likely involve little more than an admin clerk clicking on your file and downloading all information it holds on you. A DSAR to an insurance company with which you have been in dispute would also primarily involve a search of your case file and possibly a narrow, time-limited, search of the case-handler’s emails. There is little likelihood of your data being inter-mingled with that of their other retail customers or of their having received your personal data from sources who may be coy about their identity being disclosed to you. These are examples of DSARs which would plainly not be considered complex.
Why an employee DSAR is a different beast
Employee DSARs are a different matter altogether given the information (personal data) potentially held about staff by their employer. The relevant data typically includes employment history, schooling, skills and qualifications, health information, performance data, pay history, grievances, disciplinary actions, bank details, next of kin details, and possibly biometric data and CCTV/call recordings. Although some of the personal data will be housed in a personnel file and payroll records, far more will be stored as unstructured email data spanning possibly hundreds of mailboxes and over the entirety of the individual’s tenure.
The ICO recommends that this data be identified using search tools but, even so, it is not a precise science and there will often be a large number of false positives. A plain search for “Jones” will throw up not only Mary Jones (the person making the request) but also Bob Jones (Accounting), David Jones (customer) and maybe even Tom Jones (Sue in Procurement is a fan). Searches by initials for Sara Owens, Neil Osborne, Hattie Rayner and (in particular) Ian Trent will pull up countless results, because “SO”, “NO”, “HR” and “IT” occur inside ordinary words and other abbreviations, before you even get onto names and nicknames at all.
An initial IT assessment could therefore easily lead to tens, or perhaps hundreds of thousands of emails/documents being potentially within the scope of Mary’s DSAR.
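To make the false-positive problem concrete, here is an added example in Python. It is not code from the original post and does not reproduce any particular e-discovery tool; the mailbox messages, the data-subject profile and the hand-labelled “about_subject” ground truth are all constructed for illustration. It runs a plain substring sweep (for the surname “Jones” and for Ian Trent's initials) and a scoped search keyed on the requester's email address and known names, and scores both for precision and recall.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    id: int
    sender: str
    recipients: tuple
    subject: str
    body: str
    about_subject: bool  # hand-labelled ground truth: does this concern Mary Jones?


# Constructed sample mailbox standing in for the many mailboxes an employee
# DSAR may touch. The about_subject flag is reviewer ground truth used only
# to score the searches; no real search tool supplies it.
MAILBOX = [
    Message(1, "hr@example.com", ("mary.jones@example.com",),
            "Your annual appraisal", "Hi Mary, your appraisal is booked for Monday.", True),
    Message(2, "bob.jones@example.com", ("finance@example.com",),
            "Q3 reconciliation", "Ledger attached. Bob Jones, Accounting", False),
    Message(3, "sales@example.com", ("team@example.com",),
            "Customer visit", "David Jones from Acme is visiting Thursday.", False),
    Message(4, "sue@example.com", ("procurement@example.com",),
            "Friday playlist", "Tom Jones all afternoon, no complaints please.", False),
    Message(5, "ian.trent@example.com", ("all@example.com",),
            "IT maintenance window", "The IT team will patch the VPN tonight.", False),
    Message(6, "manager@example.com", ("hr@example.com",),
            "Grievance follow-up", "MJ raised the point again; see notes re Mary J.", True),
    Message(7, "helpdesk@example.com", ("it@example.com",),
            "Ticket 4421", "Laptop for M. Jones ready for collection.", True),
    Message(8, "colleague@example.com", ("team@example.com",),
            "Cover next week", "Mary is off sick Tuesday; can someone cover her shift?", True),
]

# Hypothetical data-subject profile: the identifiers you would assemble from
# HR records and from asking the requester how they are referred to internally.
SUBJECT_PROFILE = {
    "email": "mary.jones@example.com",
    "names": ["Mary Jones", "Mary J", "M. Jones", "MJ"],
}


def message_text(m: Message) -> str:
    """Flatten headers and body into one searchable string."""
    return " ".join([m.sender, *m.recipients, m.subject, m.body])


def naive_search(mailbox, term):
    """Case-insensitive substring sweep: the typical first-pass IT assessment."""
    needle = term.lower()
    return [m.id for m in mailbox if needle in message_text(m).lower()]


def scoped_search(mailbox, profile):
    """Match only the subject's email address and whole-word names/aliases."""
    patterns = [re.escape(profile["email"])]
    patterns += [r"\b" + re.escape(n) + r"\b" for n in profile["names"]]
    rx = re.compile("|".join(patterns), re.IGNORECASE)
    return [m.id for m in mailbox if rx.search(message_text(m))]


def precision(mailbox, hit_ids):
    """Share of hits that are actually about the data subject."""
    by_id = {m.id: m for m in mailbox}
    if not hit_ids:
        return 0.0
    return sum(by_id[i].about_subject for i in hit_ids) / len(hit_ids)


def recall(mailbox, hit_ids):
    """Share of genuinely relevant messages the search found."""
    relevant = {m.id for m in mailbox if m.about_subject}
    return len(relevant & set(hit_ids)) / len(relevant)


if __name__ == "__main__":
    runs = [
        ("substring 'jones'", naive_search(MAILBOX, "jones")),
        ("substring 'it'", naive_search(MAILBOX, "it")),
        ("scoped profile", scoped_search(MAILBOX, SUBJECT_PROFILE)),
    ]
    for label, hits in runs:
        print(f"{label:18} hits={hits} precision={precision(MAILBOX, hits):.2f} "
              f"recall={recall(MAILBOX, hits):.2f}")
```

On this constructed mailbox the surname sweep returns five messages of which only two concern Mary, and the initials sweep for “IT” catches a customer visit and a helpdesk address before it catches Ian Trent. The scoped search is precise but misses message 8, where Mary is referred to by first name only and which happens to carry health information, so the scoped approach is only as good as the list of identifiers and aliases you start with. That is the practical reason for going back to the requester to narrow the request and confirm how they are referred to internally, as discussed below.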
“Complexity” can be complex
All of this data would need to be reviewed to work out what is and what is not Mary’s personal data and to identify any personal data of third parties that needs to be redacted in order to avoid infringing their privacy rights — not to mention any trade secrets or intellectual property of the employer that may need to be withheld from the response, and information that is subject to legal privilege (see the later blog post in this series on withholding third-party data).
In situations where the controller holds a significant amount of personal data about the requester, the employer has the right to ask the requester to specify the information or processing activities that are the focus of the request (GDPR Recital 63), in order to better understand the nature of the request and the search parameters to apply. These discussions alone can take significant time out of the one-month response period, which is itself shorter than the 40 days allowed under the previous Data Protection Act 1998 regime.
In such circumstances, it may (subject to further guidance on this point from the authorities) be reasonable to take the view that such DSARs are “complex” and request an extension commensurate with the work entailed (up to two additional months). This would allow the employer the time necessary to comply with the request whilst at the same time ensuring it is not in breach of any third-party’s privacy rights. The same might be argued if the employer faces multiple requests at the same time; hence the GDPR’s reference to the number of requests as a factor distinct from their complexity as justification for extending the one month response period.
Practical steps you can take now
As mentioned above, we await further guidance, including the Information Commissioner’s updated Code of Practice on DSARs. Our recommendation in the meantime is that if, despite your best efforts, you find yourself in a tight corner time-wise when responding to a DSAR, you should identify and describe these complexities to the employee in writing as soon as they become apparent, notify him/her that in consequence you are invoking the right to extend, and provide what information you can within the one-month deadline. You must inform the employee of the extension, and the reasons for it, before the initial one-month period expires. Timely communication of the issue will count in your favour with the ICO, should the employee lodge a complaint about an extension of time he/she considers unwarranted.
What should you do now?
In the meantime, it is wise to seek specialist help should you be contending with an employee DSAR or preparing yourself for one.
Read more on this subject in Part 1, here.