Since GDPR, How Do You Respond to Subject Access Requests from Employees?

Whatever the size of your business, you probably process significant amounts of personal data on clients and employees. The sensitive nature of this data means that you are bound by the legal rights of the data subjects, which includes their right of access to their personal data.

Sometimes referred to as SARs or DSARs, this guide explains your employees’ rights on making a Subject Access Request under GDPR, how they differ from the previous rules under the Data Protection Act 1998, and the processes required to effectively deal with them. The process is the same for requests received from other workers, or job applicants requesting personal data gathered during recruitment.

Key Changes Under GDPR

Subject access rights under GDPR are slightly different from those under the Data Protection Act 1998. For example:

  • Employers must provide additional information – envisaged data retention periods, and information about employees’ rights to have the data rectified, erased, or to object to the processing
  • Previously, SARs had to be in writing. Now, verbal requests are possible
  • Previously, you could charge a £10 fee for responding to a SAR. Now, you cannot charge unless the request is manifestly unfounded or excessive
  • Before, response time to a request was within 40 days of receipt. Now, you must respond without ‘undue delay’ and within one month of receipt (extended to three months for complex requests)
  • The maximum fine for non-compliance on responding to a SAR has increased significantly from £500,000 to €20 million, or 4% of the undertaking’s total worldwide annual turnover if greater. However, the Information Commissioner’s Office (ICO) has emphasised that it intends to continue to use its powers to impose fines “proportionately and judiciously” and regards issuing fines as “a last resort”

Subject Access Rights under GDPR

When responding to a SAR, you must provide the employee with the following information:

  • The purposes for processing the data
  • The categories of personal data you process
  • The recipients, or categories of recipients, to whom the data is disclosed (especially if outside the European Economic Area (EEA))
  • How long you will hold the data
  • The employee’s right to request rectification or erasure of data, and to restrict or object to processing
  • The employee’s right to complain to the ICO
  • The source of any data not provided by the employee
  • The existence of any automated decision-making (including profiling), the logic involved, and the envisaged consequences of such decision-making for the employee
  • The safeguards provided for the transfer of data outside the EEA (if relevant)

If a SAR is manifestly unfounded, excessive or repetitive, you can charge a reasonable fee for administrative costs or refuse to act on the request. But you must tell the employee, without undue delay and within one month of receipt, why you are not responding to the SAR and of their right to complain to the ICO and/or a court. If you are challenged, you will need to demonstrate your reasons.

Policies and Procedures

You should already have policies in place to guide both employees and managers on dealing with SARs; use the following to update them.

  1. On receipt of a SAR, assess whether the request is complex. Given the volume and sensitivity of employee data typically held, requests may be complex, needing an extended three-month time limit. If so, notify the employee with the reasons why within one month of receipt of the request. Keep the employee informed throughout – regular communication helps reduce the risk of employees complaining to the ICO.
  2. Identify where the data is being stored, both electronically and manually. This may include the HR team, the line manager and the IT department. Your policy should specify the timescale for them to provide the data for review, including by legal advisers if necessary, before the SAR response is due.
  3. Employees responsible for dealing with SARs will need training.

Identifying SARs

Your data protection policy can specify how employees should submit SARs, which will help to identify them. However, an employee can still submit a SAR in some other way, including verbally or even via social media, which you should then confirm in writing; it’s important to regularly monitor all channels of communication.

Legally, there is no prescribed format for a valid SAR under GDPR. The request simply needs to ask for copies of the individual’s personal information. For example, a request for “a copy of all information that you hold about me” or “all information relating to my recent grievance” will be a valid SAR.

You are not required to comply with a SAR if you cannot verify the identity of the individual making the request. It could be a previous job applicant, and you may need to check the individual’s identity before disclosing personal data – a copy of a utility bill should suffice.

Clarifying and Searching

Most SARs ask for “all information that you hold about me”. The ICO regards an individual’s right to access their personal data as fundamental. However, in some circumstances it may be possible to show that the employee’s request would require taking unreasonable steps.

Initially, discuss the scope of the request with your employee; you cannot ask them to limit the scope, but you can ask for further information to help locate the personal data. For example, if the employee is seeking personal information contained in emails, you could ask them to identify which email accounts should be searched, or a date range to search. Engaging with the employee about their request, even if they refuse to cooperate, may help your case should they later complain to the ICO.

The ICO’s Subject access code of practice may be of help.

Carrying out regular data audits to record where data is stored is beneficial, especially if third parties are involved, such as cloud-based databases.

Searching email systems for personal data can be onerous. Ideally, set up your systems to simplify locating information. You may need to search local computer drives (such as that of the employee’s line manager) for personal data – your policy should set clear rules on the storage of employee data on personal devices.

Paper archives should also be searched. To save time, liaise with the employee to agree the search parameters.

Data Exemptions

If the employee’s personal data is mixed with that of other people, assess whether to disclose such third-party data. The Data Protection Act 2018 contains exemptions for some types of data, including:

  • Confidential employment references
  • Personal data processed for management forecasting or planning if disclosure would prejudice the business (e.g. reorganisation plans)
  • Records of your intentions in relation to negotiations with the data subject if this would prejudice the negotiations
  • Information subject to legal professional privilege

Providing the Data to the Employee

The GDPR recommends that personal data should be provided via remote access to a secure system. Alternatively, provide the response electronically (unless otherwise requested) as password-protected documents, or on a portable hard drive or USB device. This is a significant change from previous practice, as employers used to provide hard copy data.

Explain what searches you carried out and why searches may have been limited, either because they would require disproportionate effort or because the data is too intermingled with third-party data. Explanations reduce the risk of complaints to the ICO.

For further advice on SARs or any other staff issues, do call me on 0118 940 3032 or click here to email me.

How to Deal with an Employee’s Difficult Attitude

Sometimes, as a Manager, you might have to deliver some bad news to one of your employees. You may have to tell someone that their job is redundant, or discuss some poor performance or unacceptable behaviour. The topic under discussion may be a sensitive issue. Some employees could react negatively, by becoming upset, angry or verbally abusive. There are several things that you can do, as their manager, to ensure that the meeting remains productive.

Remain calm. It is your responsibility to achieve a successful outcome to the meeting and this can be done only if you remain calm and refrain from bringing your own feelings into play.

Let the employee ‘vent’. It is important that the employee calms down. However, allowing the employee some time to vent his or her anger or frustration gives them space and a feeling of being listened to. They may also reveal information that may help in finding a resolution to the problem.

Remember the reason for the meeting. It is easy for the employee to veer into other topics if he or she feels uncomfortable, or is looking for excuses for his or her behaviour. To get back on track, you should remind them of the reason for the meeting and the ideal outcome.

Remember that the issue needs to be dealt with. When faced with a difficult attitude, you might be tempted to postpone the meeting in the hope that the employee will calm down. However, this can make both parties lose sight of the issue. Don’t postpone the meeting simply because the employee is not being receptive.

Inform the employee that his or her attitude does not assist the organisation as a whole. If the issue being discussed is the employee’s misconduct, you could explain to the employee that his or her difficult attitude in the meeting mirrors his or her behaviour in the workplace. This may help the employee to reflect on his or her behaviour and calm down.

Following the Meeting

After the conversation, you should keep the momentum going. Achieving a successful outcome is an ongoing, building process. Failing to keep on top of the issue may undo all the good work and may leave you having to deal with the issue from the beginning. To ensure momentum is not lost, there are several things that you can do:

  • Make sure that the employee feels supported. If the employee knows that a manager is there to support and help him or her, this will be invaluable in achieving a successful outcome to the conversation.
  • Have regular informal chats with the individual and less regular formal discussions, including a further meeting to review the outcomes or first step.
  • Ensure that what was said and agreed in the meeting is well documented. Both parties should agree that the contents of the document reflect what was agreed and thereafter refer to it if there is confusion or disagreement.
  • Monitor how the agreed actions are being implemented by the employee.
  • Comply with your obligations as to follow-up, for example providing agreed training.

Dealing with a difficult attitude or an angry or upset employee is not something that you have to handle every day, as a manager. However, if you’re prepared, if and when the situation does arrive, you’ll be in a better position to handle it. If you have a difficult conversation to have with a client and you’d like some help getting the best outcome for everyone, call me on 0118 940 3032 or email sueferguson@optionshr.co.uk and I can give you some advice and pointers.

Are You Ready for the Next Employment Law Changes in April 2017?

Reserve your place on our next workshop here.

What are the next changes that will be made to Employment Law and how will they affect your business and your staff?

On 30 March 2017 we will hold the next of our regular Employment Law Update workshops. We do this twice a year, when the changes are approaching, so the next one will be in October 2017. If you’re a business owner or manager it’s important you understand how the changes affect you and your employees.

This workshop is your chance to ask your questions in a confidential, friendly session, which is always attended by people who, like you, are looking for ways to keep up to date. Share your issues and hear how other people deal with the issues you have to deal with in your business.

The workshop will be held at Hennerton Golf Club in Wargrave, Berkshire, at 9.30am for a 10am start, finishing at 1pm. The cost is just £20 +VAT and includes plenty of tea and coffee! Online booking is available now.

Someone who attended a previous workshop said:

“I thought the workshop would be full of other HR people who knew more than me – but it wasn’t like that at all. I learnt a great deal from the Employment Law update and it was really useful talking to other people to hear how they dealt with similar issues to me.”

Book your place online now and we look forward to seeing you on 30 March.

How Do You Handle Winter Staff Sickness?

After a few months of cold winter weather and numerous ‘bugs’ going around the office, you might be wondering how best to handle winter staff sickness issues and how to keep your business running at full capacity. This blog will give you some tips on how to do this, until the better spring weather arrives.

How are you and your staff coping with the winter weather and the cold and flu bugs that always do the rounds at this time of year? Many people will need a bit of time off at some point during the year, to recover from an illness, so what are the benefits of managing absence in a proactive way?

Both long and short term absences can cost a huge amount – both financially and in terms of manpower. It’s never an easy conversation to have with your employees and it can be difficult to keep up with what action you can take, to keep within the law. The bottom line is this – do nothing and the problem won’t go away, but it could get worse. Finding out early on what’s going on with an employee who is absent can make a significant difference to your relationship with them and to their absence levels in the future. Talking to them allows you to get to the root of the problem and to provide them with the support that they need. By focusing on the absence it may also deter casual absenteeism – too many days off here and there.

Dealing with Short Term Absence

You should have a procedure in place that requires your employees to talk to a named person, rather than leaving a message, when reporting their absence. There should also be guidance on how soon after the start of the working day an employee should contact that named person, if they are too ill to come into work. A standard form should then be completed recording the date, time, reason given and predicted time of absence, to make sure the relevant facts are gathered consistently for each absence. If an employee does not turn up for work and does not report in sick, you should contact them by phone as soon as you can, to find out where they are.

Discussing the problem is essential, especially if one of your employees keeps taking days off for sickness. Maybe there is a work issue which you can help them deal with and solve. Providing the support they need will result in an improved working relationship, better morale and less time off sick.

You should always speak to the member of staff when they return to work, irrespective of how long they’ve been away. It shows you’re taking the situation seriously and acts as a deterrent for people who shouldn’t really be taking time off. Asking how someone is feeling after they’ve been off for even one day also shows that you care about them. Keep the conversation informal but take it seriously. Ensure confidentiality, have a clear structure, record what is said and above all, remain positive and supportive. You can ask them if they visited their GP, how they are feeling now and if there is anything you can do to support them. Just remember not to ask any intrusive medical questions!

Communicating with your employees improves productivity and decreases absence, so follow these simple guidelines when dealing with short term sick leave.

There is plenty more advice on the Acas website, with guidance as to what to do when any of your employees take time off for being ill this winter. You can find the information here.

Are You Up To Date with What You Can Ask an Employee?

Book your place on our next Employment Law Update workshop.

There are certain questions that you cannot ask an employee who has been off sick. What’s more, what you can ask and the rules on how to handle the situation change from time to time, as changes are made to Employment Law. You can search the internet and HR publications for news on all the latest changes, which will be happening on 1 April 2017, but do you really have the time?

Twice a year we run interactive workshops that bring you details of all the changes to the law that you need to know about. We do the research so that you don’t have to! Our next workshop will be from 10am – 1pm on 30 March 2017 at Hennerton Golf Club in Wargrave, Berkshire. Before the event we will do the digging to find out about all the important legal changes that might affect your business and your employees. Then we deliver them to you in simple sections throughout the workshop, helping you to understand what you need to do about particular changes.

The workshop costs just £20 +VAT, to include plenty of tea and coffee to keep you going through the morning. You can ask any questions you have in total confidentiality and talk to the other participants about how they will be handling the next round of changes.

Click here to reserve your place now.

The Difficult Issue of Dealing with Personal Hygiene Issues at Work

Dealing effectively with an employee who has a personal hygiene problem is one of the most difficult and sensitive situations that you’re likely to face, as a manager. The problem may be one of body odour, dirty or stale-smelling clothing, dirty hair or bad breath.

It is advisable not to ignore a problem of this nature as, the longer the matter is allowed to continue unresolved, the more difficult it will be to raise the issue with the employee. Unless the issue is raised with the employee, it is likely that the problem will continue and other employees may become hostile towards the problem employee and disillusioned by management’s lack of willingness to tackle the problem.

Whether a problem of this nature is brought to your attention informally by one or more of your employee’s colleagues, as a result of a formal complaint, as a result of comments overheard by chance, or by evidence that colleagues are avoiding the person, the issue needs to be tackled promptly and firmly.

Open communication

The only effective method of dealing with a problem of lack of personal hygiene is through honest, open, two-way communication with the employee in question. Plain language should be used to explain the problem. Dropping hints, for example making comments about bad smells, putting a bar of soap in the employee’s desk drawer or leaving a stick of deodorant in a prominent place, is unlikely to work, and may create further problems such as ill-feeling or upset.

It will be important for you to bear in mind that a problem of body odour or bad breath may be rooted in the employee’s health and may not always be due to a lack of personal hygiene. You therefore need to have an open mind and be careful not to be seen to accuse the employee of poor personal standards.

Discussion guidelines

To handle the matter, you should arrange to talk to your employee privately, bearing in mind that an interview of this nature is likely to be difficult and possibly embarrassing for the employee. You will therefore need to be sensitive, understanding and patient during the interview. Clearly, discussions with the employee should be held privately and kept confidential, and it will be important for the employee to be reassured that this is the case.

You should specify the problem factually and in plain language. For example, you might say: “I have noticed sometimes that you have quite a strong body odour and I feel that this is something that needs to be addressed” or “I have noticed on occasions that the clothing you wear to work has a stale smell and I feel that this is something that needs to be addressed.”

Depending on the response you get, you might ask your employee if he or she is aware of any reason for the problem, for example an underlying medical cause. If this is the case, you should not ask intrusive questions into the employee’s state of health, but move on to discuss what can be done to resolve the matter.

Make sure that you reassure the employee that the aim of the discussion is to help and encourage him or her to recognise and solve a problem. Do not tell the employee that other people have commented on the problem (even if they have), as this is likely to cause unnecessary embarrassment.

Action agreement

Having pointed out the problem and allowed the employee adequate time and opportunity to respond, you need to ask your employee what solution he or she thinks would be feasible. Depending on what explanation they give (if any), the solution may be one of the following:

  • See his or her own doctor to explain that the problem has been highlighted at work and ask for (further) medical intervention
  • Agree to be seen by a company-nominated doctor at the employer’s expense to discuss the matter and seek a solution
  • Undertake to bathe more frequently and/or to wash his or her hair more frequently and/or to launder his or her clothes more frequently
  • Undertake to brush his or her teeth and/or use a mouthwash more frequently.

If the problem is one of lack of personal hygiene, you should inform the employee clearly and firmly that an improvement is required so as to avoid further difficulties. This should, however, be put across to the employee in a supportive way, and not in a manner that implies criticism or threat. However, do not be afraid to stress the importance of improvement. You may be able to justify a requirement for improvement along the lines of “providing an acceptable working environment for all, given the close proximity in which colleagues have to work” or “creating a positive image on the part of the organisation when dealing with the public”. Do what you can to secure the employee’s agreed commitment to change and set a date for a review, perhaps in a month’s time.

Dealing with a personal hygiene problem in the workplace is certainly no easy matter, but the employee may, in the longer term, benefit from the sort of frank feedback that will be necessary in such a situation.

If you have a problem such as this at work and you’re still not sure how to handle it, call us for a confidential chat and we’ll help you through it. Call me now on 0118 940 3032 or click here to email me.

Source: XpertHR

Managing the Malingerer

Managing sickness absence is always difficult and dealing with someone who you suspect is not genuinely ill has always been trickier. You might have seen it happen and had your suspicions, but how do you prove that the sickness was not genuine? It’s not easy, so here are some suggestions to help you.

Step 1: Identify and assess potential evidence

The first step is to identify and record available evidence to support your suspicions.

If you have evidence that one of your employees is being dishonest by claiming to be off sick when he or she is not, you may be able to discipline them or even dismiss them for misconduct.

Mere suspicions and rumours will not be enough to show misconduct. However, social media has the potential to provide a good source of possible evidence. If you are presented with evidence from social media, perhaps from another employee, you can use it in the same way as you would any other anecdotal evidence or an employee tip-off.

The credibility of the evidence retrieved from social media will need to be tested in the usual way. Has the information been taken out of context and are the dates of posting accurate?

There is debate over whether social media posts are in the public domain or private, in which case, your employee could argue that this breaches their right to privacy. However, interference with the right to privacy can be objectively justified and might be permissible if you have reasonable grounds to believe that your employee is fraudulently claiming sick pay.

In general, as an employer, you should be able to rely on such evidence, but each case would need to be assessed on its own merits and ‘fishing’ exercises are never advisable.

Step 2: Review the evidence

If your evidence of malingering looks robust and credible then you should be able to start a disciplinary process for misconduct.

A lack of evidence of dishonesty does not mean that you cannot challenge an employee you suspect is not really as ill as they claim. People will often continue to take unwarranted time off where they believe their absences are passing unnoticed.

You can address this by ensuring that return-to-work interviews are carried out following each occasion of absence and encourage your line managers to probe further (or push for medical evidence) if faced with evasive or inadequate answers.

Step 3: Give evidence of misconduct

If you believe you have evidence of dishonest behaviour, it is important not to jump to conclusions. Remember that employees do not have to be bed-bound, or even at home, in order to be unfit for work.

An employee posting pictures of himself on holiday or doing sport or other leisure activities may still be genuinely unwell. Many health conditions do not improve as a result of lying in bed. It is still important to carry out an investigation, as you would for any other allegation of misconduct.

How do you spot malingerers?

Some of the signs include patterns of absence, such as the same day each week; triggers for absence, such as being invited to a disciplinary meeting; reluctance to provide medical evidence or attend appointments; posts on social media; tip-offs from colleagues and reports of activities that seem inconsistent with ill-health, such as undertaking other work or going on holiday.

Step 4: Remember to follow your procedures

Before disciplining or dismissing the malingering employee for misconduct, you must follow your own procedures and the Acas ‘Code on discipline and grievance’, as you would do in any other disciplinary scenario.

You will need to put the evidence to the individual, hear their explanation and consider whether that explanation requires further investigation and whether medical evidence may be needed.

You must also consider the individual circumstances of the case and any mitigating points, such as length of service and previous disciplinary history, as well as how similar cases have been dealt with in the past.

Make sure you follow this process any time you are unsure of how ill an employee really is. If in doubt about how to handle such a situation, contact us by calling 0118 940 3032 or clicking here to email us and we’ll help you through it.

8 Things Every Employer Should Know about References

It is common practice for employers to provide references for employees and ex-employees, but there are risks involved. Here are eight things you need to know before you give anyone a reference.

  1. No legal duty to provide a reference. There is no obligation on you to provide a reference for an employee or ex-employee, unless there is a term in the contract which provides for this. This is irrespective of whether the request for the reference comes from the employee, a prospective employer or any other third party such as a bank or landlord.
  2. References must be true, accurate and fair. You have duties towards the subject and the recipient of the reference. You must take reasonable care to ensure that the information in the reference is true, accurate and fair, and does not give a misleading impression. If you fail to take such care, you could be sued for negligent misstatement and ordered to pay compensation. As an employer you must ensure that any reference you give, or any reason for refusing to give a reference, is not discriminatory and does not amount to victimisation. Employers can be liable for discrimination against a former employee even if it occurs after the employment has ended.
  3. Policy on giving references. It is good practice for employers to have a written policy on providing references. The policy should set out when a reference will be provided, who within the organisation may provide references and what information the reference should include. Many employers have a policy of providing a standard reference including only limited information, for example dates of employment and positions held. This limits exposure to claims.
  4. Settlement agreements. When you receive a reference request, you should check if there is a settlement agreement in place relating to the particular individual. Settlement agreements often contain the wording of an agreed reference, which the employer agrees to provide in respect of any reference requests made regarding the individual. There is more here on Settlement Agreements in one of our previous blogs.
  5. Employee consent to reference. In writing a reference, you are likely to have to process the employee’s or ex-employee’s personal data, as regulated by the Data Protection Act 1998. You need to check that the individual has consented to a reference being provided.
  6. Sickness absence. You must get explicit consent from the individual if you are providing sensitive personal data, such as physical or mental health information. Revealing the number of days an employee has been absent, but not the reasons for the absences, will not require explicit consent. However, this does run the risk of disability discrimination.
  7. Disclaimer of liability. Employers often include a disclaimer of liability arising from errors, omissions or inaccuracies in the information provided in a reference. The circumstances in which a disclaimer will be effective are limited. However, it is still worth you including one.
  8. Sending the reference. A written reference should be addressed to the named individual who has requested it and marked “Strictly private and confidential” and “To be opened by the addressee only”.

What’s the Safest Way to Withdraw a Job Offer?

I have been asked a lot of questions recently about withdrawing job offers based on poor references, so I thought that I would write about it in more detail here. 

Can you withdraw a job offer once it has been made? What risks do you face as an employer if you change your recruitment plans?

Sometimes you will need to withdraw an offer of a job. The hiring situation may change because of a general recruitment freeze, a restructure within your organisation or a change of management. The funding for the post might have been withdrawn or you may become aware that the selected candidate is not suitable after all.

Job offers can be withdrawn after they are made, but there are risks associated with doing this. Withdrawing an offer because circumstances have changed looks like bad planning and could affect your company’s reputation. The employee may be able to bring a tribunal claim for breach of contract.

When is the contract of employment formed?

An employment contract is formed once an unconditional job offer is made and accepted. If you withdraw an unconditional job offer once it has been accepted, you are effectively terminating the contract and could be liable for damages for the individual’s loss.

Even though the individual has not started working for you, there will be a notice period due – just as with other terminations. Damages could amount to what the individual would have received if you had given proper notice – including any pay and benefits due.

What if your recruitment plans change?

If your recruitment plans change due to business needs and you have to withdraw job offers, you should notify the recruits as soon as possible to try to limit the damage and enable them to mitigate their potential loss. The selected candidate might not have resigned from their current employer yet. If they have, they may still be able to ask for their old job back – the sooner this is done the better.

Pre-recruitment checks and job offers

Most job offers are conditional on the new recruit satisfying certain conditions. The selected candidate may need to provide references or evidence of qualifications, or they may need to demonstrate their right to work in the UK. If the individual does not satisfy one or all of those requirements, you can withdraw the job offer without being liable for damages.

If you don’t make it clear that the job offer is conditional, and then withdraw the offer because the recruit has not satisfied one of your requirements, this will amount to a breach of contract and you may be liable for damages. Offers of employment should make absolutely clear that they are conditional on certain requirements being met. Failure to do so can be costly.

If you’re considering making or withdrawing a job offer and you want to make sure that you’re doing it properly, contact us first for some advice. Call us on 0118 940 3032 or email sueferguson@optionshr.co.uk.