Since GDPR, How Do You Respond to Subject Access Requests from Employees?

Whatever the size of your business, you probably process significant amounts of personal data on clients and employees. The sensitive nature of this data means that you are bound by the legal rights of the data subjects, which includes their right of access to their personal data.

This guide explains your employees’ rights to make a Subject Access Request (sometimes referred to as a SAR or DSAR) under GDPR, how those rights differ from the previous rules under the Data Protection Act 1998, and the processes required to deal with requests effectively. The process is the same for requests received from other workers, or from job applicants requesting personal data gathered during recruitment.

Key Changes Under GDPR

Subject access rights under GDPR are slightly different from those under the Data Protection Act 1998. For example:

  • Employers must provide additional information – envisaged data retention periods, and information about employees’ rights to have the data rectified, erased, or to object to the processing
  • Previously, SARs had to be in writing. Now, verbal requests are possible
  • Previously, you could charge a £10 fee for responding to a SAR. Now, you cannot charge unless the request is manifestly unfounded or excessive
  • Before, response time to a request was within 40 days of receipt. Now, you must respond without ‘undue delay’ and within one month of receipt (extended to three months for complex requests)
  • The maximum fine for non-compliance on responding to a SAR has increased significantly from £500,000 to €20 million, or 4% of the undertaking’s total worldwide annual turnover if greater. However, the Information Commissioner’s Office (ICO) has emphasised that it intends to continue to use its powers to impose fines “proportionately and judiciously” and regards issuing fines as “a last resort”

Subject Access Rights under GDPR

When responding to a SAR, you must provide the employee with the following information:

  • The purposes for processing the data
  • The categories of personal data you process
  • The recipients, or categories of recipient, to whom the data is disclosed (especially if outside the European Economic Area (EEA))
  • How long you will hold the data
  • The employee’s right to request rectification or erasure of data, and to restrict or object to processing
  • The employee’s right to complain to the ICO
  • The source of any data not provided by the employee
  • The existence of any automated decision-making (including profiling), the logic involved, and the envisaged consequences of such decision-making for the employee
  • The safeguards provided for the transfer of data outside the EEA (if relevant)

If a SAR is manifestly unfounded, excessive or repetitive, you can charge a reasonable fee for administrative costs or refuse to act on the request. But you must tell the employee, without undue delay and within one month of receipt, why you are not responding to the SAR and of their right to complain to the ICO and/or a court. If you are challenged, you will need to demonstrate your reasons.

Policies and Procedures

You should already have policies in place to guide both employees and managers on dealing with SARs; use the following to update them.

  1. On receipt of a SAR, assess whether the request is complex. Given the volume and sensitivity of employee data typically held, requests may well be complex and need the extended three-month time limit. If so, notify the employee of the reasons within one month of receipt of the request. Keep the employee informed throughout – regular communication helps reduce the risk of employees complaining to the ICO.
  2. Identify where the data is being stored, both electronically and manually. This may include the HR team, the line manager and the IT department. Your policy should specify the timescale for them to provide the data for review, including by legal advisers if necessary, before the SAR response is due.
  3. Employees responsible for dealing with SARs will need training.

Identifying SARs

Your data protection policy can specify how employees should submit SARs, which will help to identify them. However, an employee can still submit a SAR in some other way, including verbally or even via social media, which you should then confirm in writing; it’s important to regularly monitor all channels of communication.

Legally, there is no prescribed format for a valid SAR under GDPR. It simply needs to ask for a copy of the individual’s personal information. For example, a request for “a copy of all information that you hold about me” or “all information relating to my recent grievance” will be a valid SAR.

You are not required to comply with a SAR if you cannot verify the identity of the individual making the request. It could be a previous job applicant, and you may need to check the individual’s identity before disclosing personal data – a copy of a utility bill should suffice.

Clarifying and Searching

Most SARs ask for “all information that you hold about me”. The ICO regards an individual’s right to access their personal data as fundamental. However, in some circumstances it may be possible to show that the employee’s request would require taking unreasonable steps.

Initially, discuss the scope of the request with your employee; you cannot ask them to limit the scope, but you can ask for further information to help locate the personal data. For example, if the employee is seeking personal information contained in emails, you could ask them to identify which email accounts should be searched, or the date range to be searched. Engaging with the employee about their request, even if they refuse to cooperate, may help your case should they later complain to the ICO.

The ICO’s Subject access code of practice may be of help.

Carrying out regular data audits to record where data is stored is beneficial, especially if third parties are involved, such as cloud based databases.

Searching email systems for personal data can be onerous. Ideally, set up your systems to simplify locating information. You may also need to search local computer drives (such as the line manager’s) for personal data – your policy should set clear rules on the storage of employee data on personal devices.

Paper archives should also be searched. To save time, liaise with the employee to agree the search parameters.

Data Exemptions

If the employee’s personal data is mixed with that of other people, assess whether to disclose such third-party data. The Data Protection Act 2018 contains exemptions to some data types, including:

  • Confidential employment references
  • Personal data processed for management forecasting or planning if disclosure would prejudice the business (e.g. reorganisation plans)
  • Records of your intentions in relation to negotiations with the data subject if this would prejudice the negotiations
  • Information subject to legal professional privilege

Providing the Data to the Employee

The GDPR recommends that personal data should be provided via remote access to a secure system. Alternatively, provide the response electronically (unless otherwise requested) as password-protected documents, or on a portable hard drive or USB device. This is a significant change from previous practice, as employers used to provide hard copy data.

Explain what searches you carried out and why searches may have been limited, either because they would require disproportionate effort or because the data is too intermingled with third-party data. Explanations reduce the risk of complaints to the ICO.

For further advice on SARs or any other staff issues, do call me on 0118 940 3032 or click here to email me.

The Importance of Developing Recruitment Shortlisting Criteria

When you need to recruit, do you follow a specific procedure? Do you have effective shortlisting criteria? If not, you may end up with problems, waste a lot of time and money, or employ the wrong person.

It only takes some simple, common-sense steps to ensure a smooth recruitment process. Read on to find out more about how and why you should develop effective shortlisting criteria for successful recruitment drives.

Why should you develop a process?

There are four key reasons why you should develop an effective shortlisting process for each role, regardless of the size of your business:

  • Legal implications – to avoid a tribunal claim for discrimination
  • Ensuring a suitable quality of candidates for the role
  • Time and cost – criteria that are not stringent enough could mean shortlisting unsuitable candidates
  • Employer reputation – a fair recruitment and selection process can have a significant impact on your brand, as applicants will appreciate a positive experience even if they’re unsuccessful

Here’s how to do it. First, refer to your job description, person specification and competency profile for each role and list the essential shortlisting criteria, which could include: 

  • Educational qualification or equivalent – for example a graduate position requiring a 2:1 minimum degree
  • Experience – such as a secretarial role needing Minute taking experience
  • Skills – an HR role requiring experience using a specific software, for example
  • Knowledge – such as a social media role needing knowledge of a range of social media tools
  • Behavioural competencies – e.g. an accountancy role needing evidence of influencing at Board level.

When deciding on the ‘essential criteria’, you could also include ‘desirable criteria’. This helps to distinguish between candidates who meet only the essential criteria for the role, and those who offer additional relevant qualities. Asking others to help you develop the shortlisting criteria provides useful discussion to identify ‘essential’ versus ‘desirable’ criteria.

Next, assess applications against the shortlisting criteria to screen out unsuitable candidates.

Telephone Screening Interviews

One screening option is to conduct brief telephone interviews with applicants as a second screening stage, after establishing that candidates satisfy the basic qualifying criteria for the role.

Telephone interviews can be time consuming, but are useful for telephone-based roles, such as a call centre adviser, as you have an opportunity to assess applicants’ verbal communication skills. A script setting out what questions to ask will help to ensure consistency across all candidates. You may also want to use a telephone screening interview to resolve any queries you have on a candidate’s application.

At this early selection stage, a 20-minute telephone conversation should be sufficient.

The Shortlisting Process – Scoring, Ranking and Weighting

The next stage is to shortlist candidates. An assessment form will help the shortlisting panel to record the relevant evidence in support of its decision, and demonstrates that you followed a systematic approach.

The categories listed should relate to the shortlisting criteria for the role; for example, qualifications, work experience, level of responsibility, competencies and salary level. Include a section for comments to highlight areas to probe at the next selection stage for shortlisted candidates.

A scoring and weighting system helps the shortlisting panel to rank candidates in an objective and consistent manner. Rate each candidate against each category of the criteria using the rating scale 1-5, with 5 indicating that the applicant ‘exceeds requirements’ and 1 indicating that he or she ‘just meets requirements’.

Next, apply weighting to your shortlisting criteria by attaching different levels of importance to certain criteria according to their relevance to the role. Use a simple 1-3 weighting framework where 3 indicates ‘very important’, 2 indicates ‘important’, and 1 means ‘quite important’.

Once candidates have been allocated a total score, they should be ranked in order of their scores.

Avoiding Bias and Discrimination in Shortlisting

Using appropriate shortlisting criteria helps to avoid bias and discrimination. Without criteria, your organisation may end up with an unsuitable pool of candidates, and claims of discrimination will be harder to defend. To help prevent this, ensure that only relevant information is considered by removing all personal information on CVs and application forms prior to shortlisting.

One potential challenge relating to discrimination is length of experience. Asking for a minimum number of years’ experience can lead to age discrimination, as a younger job applicant has not had the opportunity to accrue a specific number of years in a role. Further, shortlisting candidates based on years of experience could mean discriminating against women who took time out to raise children, or applicants who needed time away because of a disability. Therefore, consider what a candidate with the relevant experience should be able to do and define the job requirements in those terms when developing the shortlisting criteria.

And finally, to prevent bias and discrimination, avoid making assumptions! The shortlisting process should consider the evidence supplied by a candidate to demonstrate how they meet the shortlisting criteria – don’t make assumptions not based on factual evidence.

Register Now for the Autumn Employment Law Update Workshop!

If 25 October 2018 isn’t in your diary already, put it in now!

Not only will you be able to learn about the latest changes in Employment Law, but you will also benefit from hearing Jenny Collis, of Fit&Able, speak about keeping your employees healthy at work. Back and neck pain, and upper limb symptoms are the most reported musculoskeletal complaints in the workplace. As an Occupational Health Physiotherapist, Jenny will highlight the most common complaints, review your employer’s obligations and provide strategies and solutions for management in the workplace. This is one not to be missed.

Running from 9.30am to 1pm, the venue is The Meeting Room at Hennerton Golf Club in Wargrave, Berkshire, and the cost is just £20 plus VAT, including refreshments. For more information, click here, or go direct to our Eventbrite page to book online.