Subject access requests – when can you exclude information
29th January, 2020
Subject access requests - how HR can legitimately exclude disclosing information sought by a disgruntled employee
Those of you in HR who have been on the receiving end of a subject access request (SAR) will know that the resource required to comply with the 1 month time limit can be all-consuming. It is likely to involve interacting with multiple individuals across different departments, with information searches spanning a variety of different media. In my experience, the time and effort you put into the disclosure exercise is often disproportionate to the quality and value of the information disclosed to the employee.
Employees who are part way through a process such as performance or sickness absence management, facing disciplinary/grievance investigations or undergoing a workforce reorganisation are now far more likely to make a tactical SAR, in an effort to find out if there is information that could help them, or call into question your motives for starting a process. An employee may be genuinely motivated by a wish to find out what data is being processed and to make sure that it is accurate. But the employee may also see the trouble and expense to which it puts you as offering useful leverage in a dispute and in achieving a settlement.
Too often the “knee-jerk” reaction is to go out to the business and ask for anything and everything, both manual and electronic, that remotely relates to the employee. The net result is that HR is landed with reams and reams of electronic and manual information that they then have to sift through to determine what should and should not be disclosed. Worse still, once you have decided what can be disclosed, you will need to carry out a redaction exercise to avoid identifying any third parties.
One way HR can make life easier for themselves and minimise the inconvenience to the business is to have in place a clear understanding of what does and does not need to be disclosed when you receive a SAR from an employee who is undergoing an internal process.
In what circumstances can you decide not to reply to a SAR?
Before you go out to the business to request information, satisfy yourself first whether you even need to reply to the SAR. Remember that the employee’s right is to receive a copy of their personal data, to understand how and why you are using their personal data, and to check that you are doing it lawfully.
If you believe that the primary purpose of the SAR is a fishing exercise, an attempt to look for a “smoking gun” that the employee thinks you have hidden from them so far in the process, and the production of information has no conceivable value, you may be able to argue that this is an abuse of rights and refuse to respond to the SAR, or at the very least narrow the scope of the request so that it is focussed on the employee’s data protection rights.
Further, what is increasingly evident is that employees who are under a process are likely to make specific requests for documents when they make a SAR – so for instance, an employee being investigated in relation to a bullying and harassment allegation, could make a request for documents such as witness statements that form part of the fact find prior to the conclusion of the investigation. Remember the employee’s right is to see personal data that relates to them, not the right to see documents and this may further call into question the employee’s motive.
Further, if the SAR is manifestly unfounded or excessive, you can charge a fee or refuse to respond. You will need to provide evidence as to how you reached that conclusion and must also tell the employee of the possibility of complaining to the ICO.
In the employment context it is not uncommon to receive a SAR along the lines of “any personal data that is processed about me.” There will be thousands (if not hundreds of thousands) of pieces of data processed about an employee: computer log-on files, records of web searches made, emails and associated metadata. If the SAR is not limited, this gives you the opportunity to argue that it is manifestly unfounded or excessive and seek to charge a fee or refuse to act on the request.
What do you need to disclose?
Only information that relates to the employee and from which the employee can be identified. In the employment context this would cover the contract of employment, letters addressed to the employee, medical records, appraisal records, training and development records, disciplinary warnings etc.
When can you exclude information?
In the employment context you can exclude information on the following grounds:
1) Information that does not relate to the employee, even if they can be identified from the information. So for instance, the HR department may keep a central electronic spreadsheet or table, which tracks sickness absence/lateness/performance/productivity within a particular department. This is unlikely to amount to personal data, even if the employee can be identified, as the focus of the information in the spreadsheet or table relates primarily to the business not the employee.
2) A reference given (or to be given) in confidence for employment, training or educational purposes. This covers the personal data within the reference whether processed by the reference giver or the recipient.
3) Personal information processed for the purpose of management forecasting or management planning to the extent that complying with the SAR would prejudice the conduct of the business or activity. This gives you considerable flexibility to exclude personal information where an employee is under an internal process. A few HR related examples where you could legitimately exclude are as follows:
- Workforce restructure: it is likely to prejudice the conduct of a business if information on a workforce restructure programme is disclosed in advance of it being disclosed to the rest of the workforce;
- Covert investigation: for instance, the accounts department could be looking into fraudulent expense claims in respect of a number of employees, which the employee is unaware of. Disclosing personal information to the employee prior to the conclusion of the covert internal investigation is likely to prejudice the wider investigation.
- Complex grievance: where a long, drawn-out, complex grievance has not yet been concluded, disclosure of personal information from which the employee can be identified, such as witness statements and fact find/interview notes, before the grievance is concluded is likely to prejudice the ongoing grievance investigation.
4) Anything relating to negotiations if disclosure would prejudice the negotiations. So for instance, discussions have taken place with an employee about leaving the business with an ex-gratia payment. There exists internal communication between HR, Finance and the employee’s line manager discussing the terms of the ex-gratia payment and the minimum/maximum that they are prepared to pay. Clearly the employee can be identified in such communications, but you can legitimately not disclose on the basis that to do so would prejudice the ongoing negotiations.
5) Anything that is legally privileged. Often during an ongoing internal process you will take legal advice from which the employee can be identified. This can be legitimately excluded when responding to a SAR.
With a bit of careful thought and forward planning, you can legitimately exclude sensitive information that an employee who is subject to an internal process believes exists or wants access to, in order to support their position or call into question the motives for commencing the process. Moreover, by doing so, you can drastically reduce the disruption and impact that SARs have on the wider business.
Please note that this briefing is designed to be informative, not advisory and represents our understanding of English law and practice as at the date indicated. We would always recommend that you should seek specific guidance on any particular legal issue.