Anyone who’s been following the Post Office scandal will now know about the importance of disclosure in litigation – that is, the requirement for each party to a dispute to make sure that it discloses to the other side (and the court) ALL the documents it has that have a bearing on the case, whether they are helpful or harmful to that party’s case.
The disclosure exercise is carried out once a claim has been brought and the litigation is formally underway. But inhouse lawyers will also be familiar with another, earlier-stage form of disclosure that employers may be forced to undergo by disgruntled employees, through the tactical use of data protection laws and the “right of access”.
What is the right of access?
The right of access gives people (including clients, customers, suppliers or employees) the right to get a copy of their personal data from the “controller” who holds it.
In the context of employment, this means from their employer. Employers will hold all sorts of data about their employees, so what does this mean?
We emphasise the words ‘relating to’, because the information should do more than just identify the individual – it should concern them in some way. Examples of personal data at work would be the individual’s HR files and their payroll detail, but also emails or WhatsApp messages about them that other employees have generated on the company’s IT systems and phones, and even CCTV footage.
Who can send in a data subject access request?
Anyone can send their current or past, or even potential future, employer an access request. It does not even have to be in any particular format.
Why might someone make an access request?
In the context of a live employee dispute (a grievance, for example, or a disciplinary process), it can be hugely helpful for the employee to get sight of all the materials the employer has about them far ahead of an actual claim being brought and the subsequent disclosure exercise. A smoking gun email can help the employee secure a good settlement without even needing to bring a claim. Just as with disclosure, everything has to be disclosed no matter how unhelpful, embarrassing or even damaging.
What should you do if you receive an access request?
Step 1: Acknowledge receipt of the request. You should comply with the request within a month, unless it is unusually complicated and onerous, so it’s best to reply to the request straightaway and confirm when you received it, and when the clock started ticking.
Step 2: Appoint someone internally to deal with the request. Ideally this should not be the manager with whom the employee has the dispute; an unrelated manager will inspire more trust and confidence in the employee that his/her request is being taken seriously and that the law is being fully complied with.
Step 3: Scope out where within the company this data will be held. It could be in many different places; eg the HR department, the employee’s own department, payroll, security. Collect the data from all possible sources – emails, electronic systems, CCTV images, automated systems such as door entry systems.
Step 4: Resist the temptation to put all the data in a “data dump” of raw data! Recent caselaw makes it clear that it needs to be in an intelligible form – this may mean copies of emails or other documents.
Step 5: Check whether this data includes other employees’ personal data; this is quite possible if not likely. If it does, you should include it if that employee has expressly agreed or it’s reasonable for you to disclose even absent consent.
Step 6: Once you have collected all the data, you will also need a covering email to confirm certain key points to the employee – eg why you process their data, the categories of data you process, how long you store it for.
Step 7: Make sure you keep a copy of your response, and details of how you went about identifying the data and collecting it. This is really important if the employee does not believe that you have disclosed all their personal data, and makes a complaint to the Information Commissioner.
Our advice is to be practical in dealing with an access request. Ask someone who is not involved in the dispute to handle it. These requests are burdensome and time consuming to comply with, but compliance is a legal requirement, and if you don’t comply in full, or if the data subject doesn’t believe you have fully complied, you could be hearing from the Information Commissioner!
Written by Alice Darwall
Principal at My Inhouse Lawyer