The end of May saw the anniversary of the introduction of the 2018 Data Protection Act. Although there haven’t been significant changes to the rights of employees, we’ve seen a definite increase in the use of data protection rights by employees, particularly where they are in dispute with their employer, most likely due to the increased awareness of GDPR and related issues. We thought that it would be worth sharing a few of our top tips.
Firstly, act promptly. The time for employers to respond to employee requests for access to the personal data held about them has been reduced to 30 days. In many cases, there are a huge number of documents to review and consider before disclosure can be made to an employee and so every day counts. It may be necessary to pool significant staff and resources in order to be able respond on time.
Secondly, be aware of the breadth of personal data you may be required to disclose in response to an individual’s request. Last month the High Court ruled that a law firm was required to search its paper files for personal data relating to the data subjects as well as the personal electronic storage spaces of its current employees. Data processors can argue that a search for personal data is disproportionate, but in this case the High Court made clear that the onus is on the data processor to produce evidence to that effect. This case reflects a trend for the courts making a wide interpretation about the breadth of the search.
Finally, be ready to notify the ICO of any breach. Breaches must be reported within 72 hours, unless the employer is confident that there is no risk of damage or harm to the individuals whose personal data is affected. Employers need to ensure that they know which members of staff will be involved in responding to the data breach, what information they need to gather to make the report and the need for compliance with the relevant timescales. In some cases, information about the breach can be provided in stages, but the initial notification should be made promptly.
We’re able to advise employers on the procedures for handling employee data protection issues and any exemptions and/or time extensions which may apply. Please get in touch with Tiggy or Emma to discuss in more detail.
Click here to download our Data Subject Access Request Factsheet