In a decision of 8 April, the Belgian Data Protection Authority reminded employers of the reach of the GDPR principle of the data subject's right of access.
An employee of a school who had left more than 5 years earlier asked for access to his full personnel file and to “every document mentioning his name”. He also requested to know about the source of any information which had not been collected from him directly, particularly if this information had been shared with other schools. The school refused to give access, claiming that the right to access does not extend to “all documents mentioning the data subject’s name”. The employee insisted, referring to certain “negative experiences” which he believed had been shared with other schools and used to his detriment as part of their selection and recruitment processes, but the school could not be convinced.
In an entirely unsurprising decision, the Belgian Data Protection Authority unequivocally rejected the school’s position. The DPA acknowledged that the right to access is not absolute, not least in that it should not adversely affect the rights or freedoms of others. However, the result of those considerations should not be a refusal to provide all relevant data to the data subject. The DPA further noted the European Court of Justice decision in the Nowak case, where the ECJ had ruled (equally unsurprisingly) that personal data may also extend to subjective information about a person, such as an opinion or an evaluation. As a consequence, said the DPA, the former employee’s right of access could extend to e-mails which included a personal opinion on or assessment of the former employee. The school was ordered to give access to the data on the employee which had been transferred by it to other schools, or to justify (properly) why it could not do so.
The principles of right of access
As mentioned, nothing surprising about this decision. But it does present a good opportunity to remind ourselves of how the right of access can work in an HR context. Data access requests from former employees are on the rise: following the termination of the employment relationship, employees increasingly request (as a minimum) a copy of their personnel file. As per Article 15 GDPR, the data subject may at any time request access to certain information regarding the processing of their personal data. Access must be granted to the following information:
- confirmation as to whether or not personal data of the data subject is being processed; and
- if so, information on, inter alia, the processing purposes, the categories of personal data concerned, and the recipients or categories of recipients to whom the personal data has been or will be transferred.
The controller (employer) must provide the data subject with a copy of the personal data being processed. The first copy must be provided free of charge. For additional copies, a reasonable fee may be charged to cover administrative costs.
If you process a large amount of data relating to the data subject (which NB includes simply holding it), you may ask him prior to providing the information to specify exactly which information or which processing activities the request relates to. Unfortunately there is no obligation on his part to provide that assistance, and the data controller cannot use compliance with that request as a pre-condition of searching for the data in question.
Balancing rights
The right of access is not absolute: Article 15.4 GDPR clearly states that the right to obtain a copy must not infringe on the rights and freedoms of others. Trade secrets and copyright materials belonging to the employer are cited explicitly by the GDPR as excluded, for example.
Protection of the company’s business secrets may indeed justify complying with an access request partially only, but only to the extent that those secrets cannot be separated from the employee’s personal data. The Belgian DPA has ruled in this sense on the request of an employee to receive a copy of all emails he had sent and received over the course of his employment. The DPA concluded that the request to inspect all IT logs could be refused if this would lead to a disproportionate burden (given the amount of information to be verified), especially when the employee did not provide any explanation of the interest he would have in accessing this data (though strictly he has no obligation to do that either), or any other assistance in narrowing down the scope of the search.
But there are also more subtle conflicts. A former employee might be eager to access more-or-less formal evaluation documents that they had not seen during their employment, such as the manager's personal opinion on the employee for pay/bonus review, promotion or redundancy selection decisions, etc. However, a record of the manager's view that employee X is lazy and over-paid also constitutes the manager's personal data (because it says something about what that person thinks), for which he/she also enjoys the protection of the GDPR.
Exactly how that balancing of the right to access and the rights of affected third parties should be done is still unclear today. In a previous decision, the Belgian DPA opined that the employer should communicate the requested data to the applicant after the name and all personal data of the author of the notes in the personnel file have been anonymised. But how far may this removal of personal data go without completely eroding the right of access? How do I as employee X challenge a derogatory view (and its consequences for my role or money or retention) when I do not know who holds it?
The European Data Protection Board (EDPB) has weighed in on this topic. It believes that information about others should be redacted as much as possible instead of refusing to provide a copy of the personal data at all, but also that if it is impossible to find a solution to reconcile the relevant rights, the controller must decide which of the conflicting rights and freedoms prevails. On the basis of what criteria this decision should be made is not specified. The nature and context of the access request, as well as the precise nature of the personal data in question and the reasonable expectation of privacy that the third party concerned might have about them, seem to us to be factors to take into account in this decision. If it is disclosed, what harm will actually be done? To whom? Is the content of the data based on incontrovertible facts? Is any decision taken by the employer based on that data challengeable on other grounds? What rights to make legal claims for recourse in relation to the contested data still exist? It would be desirable for the data protection authorities to provide more guidance in this regard.
(Not so) practical guidelines
In fairness, the Belgian DPA has taken a first stab at providing some guidance. Reminding employers that they are required to develop adequate internal procedures that enable them to comply with their data protection obligations, the DPA has suggested the following with respect to evaluation documents:
- A designated area should be provided for “comments” as part of the evaluation of employees.
- The information included in there should be objective, relevant, adequate and not excessive.
- For example, a system with a drop-down menu or filtering by keywords could facilitate this.
- The authors of the notes should keep in mind that employees can access the information concerning them at any time.
These guidelines are an example of the potentially somewhat naïve decisions that the Belgian DPA sometimes makes in employment matters, which can have undesirable consequences in HR matters. In an attempt to limit the amount of personal data processed, the DPA advises that evaluation data should be “objective, adequate and not excessive.” However, an employee evaluation is the work of humans and sometimes (especially at more senior levels) will relate to intangibles such as commitment, attitude, initiative, leadership, etc. Almost by definition, the comments will be at least partly subjective. Also, the requirement not to be excessive is less easy to comply with than it seems, knowing that the employer usually bears the burden of proof for a dismissal for performance reasons. And not just for that – in effect also for any other employment decision which might be alleged to be unfair or discriminatory (pay, bonus, promotion, retention, etc.). Even more difficult is the suggestion to work with a drop-down menu (read: fixed, predefined terms): what information value does an evaluation still have for the employee if his performance has to be described using predefined keywords? To describe an overall grade, perhaps, but to rehearse all the thinking and evidence that went into it, no chance.
No, these guidelines do not seem immediately amenable to adoption. However, it is advisable to arrange the information in the layout of the evaluation forms, possibly with the use of appropriate IT tools, in such a way that in the event of an access request you can quickly organise the information and filter out the personal data of third parties (appraisers and moderators, though it will hopefully be few employees who get all the way to the end of the appraisal process and still do not know their names anyway).
The last DPA tip is probably both the most obvious and the most useful — to remind managers on a regular basis that their opinions may later be the topic of an access request, and that unconsidered or snide comments may come back to haunt them (and the company) in the future. Or how, as is so often the case, less can really be more. What the DPA did not say, and maybe should have added for requests by former employees, is that less can also be less – if the school in the case above had carried out a periodic review of its leavers' email folders, it would probably have discovered that, with the possible exception of pay and tax information, it had no continuing need for run-of-the-mill email correspondence relating to someone who had gone half a decade ago. A regular and vigorous pruning of those folders will significantly reduce the burden of requests of this sort.