Access all areas?
9 September 2002
29 August 2013
13 November 2013
8 November 2013
14 August 2013
Data protection: Information Commissioner's Office has published a code of practice for subject access requests
30 August 2013
These words probably ring true to a growing number of employers following a recent marked increase in the number of employees serving "subject access requests" under the DPA.
An individual's right to find out what information their employer holds on them and to require changes be made to that information where it is inaccurate goes to the very heart of data protection legislation. However, a growing number of disgruntled employees are using subject access requests as a nuisance tactic in litigation. These requests are a pain, not necessarily because embarrassing documents may have to be disclosed, but because an enormous amount of time and money can be involved in responding to them.
Previously, an employer could take comfort from the general rules of employment tribunal litigation - namely, that tribunals will usually only make directions ordering disclosure of documentation some weeks after an employee has issued proceedings, and even then only of documents that are relevant to the issues in dispute. By serving a subject access request, an employee can effectively embark on a legitimate fishing expedition before even issuing proceedings. Significantly, the request can also cover information relating to the employee that goes far beyond the issues in the case.
Subject access requests also extend to emails and other computer records and it is this area that has probably caused the most headaches for lawyers and HR professionals. It is widely known that employees now have the right to receive copies of information held on them in a paper-based "relevant filing system", which is information that has been structured by reference to an individual, or by criteria relating to individuals, in such a way that information on a particular individual is "readily accessible". This clearly covers personnel files. The reason emails are also caught is that they fall fairly and squarely within the other category of information that employees are entitled to receive copies of - namely, information processed by means of equipment operating automatically.
An employee can request copies of emails where the employee is the sender or recipient of the email, or where the employee's name appears in the subject heading. What is more controversial is whether an employee is entitled to receive a copy of an email in which their name only appears in the text. So, employers beware - it is arguable that an individual is still entitled to receive a copy of this type of email if it can be accessed simply by keying in that individual's name.
Due to the prolific nature of emails, the Information Commissioner has published guidance on handling requests to access them. This provides some assistance to employers, as it encourages employees to provide as much information as possible to narrow the request. However, the Commissioner also goes on to say that it might not be unreasonable for an employee to require archived or back-up emails to be searched. This would only be unreasonable if tracing copies of such emails would involve a "disproportionate effort", which is one of the exemptions under the DPA. Unhelpfully, there is little guidance on what amounts to disproportionate effort, but it will certainly be more difficult for a large employer to argue this successfully. A prudent employer should have a written policy in place confirming its approach to these types of requests, for example setting a maximum number of emails that the employer is prepared to copy.
But it is not all bad news. A subject access request is only valid if it satisfies certain requirements set out in the DPA. Even then, there are other exclusions, apart from the disproportionate effort exemption, that limit the extent of any disclosure an employer is obliged to make. Key exclusions to be aware of here include legally privileged documents and documents that would involve the disclosure of the names of third parties. But, overall, the deployment of subject access requests in employment litigation is an unwelcome development for most employers and not something that sits well with the spirit of data protection legislation.