Since GDPR, How Do You Respond to Subject Access Requests from Employees?

Whatever the size of your business, you probably process significant amounts of personal data on clients and employees. The sensitive nature of this data means that you are bound by the legal rights of the data subjects, which includes their right of access to their personal data.

Subject Access Requests are sometimes referred to as SARs or DSARs. This guide explains your employees’ rights when making a Subject Access Request under GDPR, how those rights differ from the previous rules under the Data Protection Act 1998, and the processes required to deal with requests effectively. The process is the same for requests received from other workers, or from job applicants requesting personal data gathered during recruitment.

Key Changes Under GDPR

Subject access rights under GDPR are slightly different from those under the Data Protection Act 1998. For example:

  • Employers must provide additional information – envisaged data retention periods, and information about employees’ rights to have the data rectified or erased, or to object to the processing
  • Previously, SARs had to be made in writing. Now, verbal requests are also valid
  • Previously, you could charge a £10 fee for responding to a SAR. Now, you cannot charge unless the request is manifestly unfounded or excessive
  • Previously, you had to respond within 40 days of receipt. Now, you must respond without ‘undue delay’ and within one month of receipt (extendable to three months for complex or numerous requests, provided you tell the employee within the first month)
  • The maximum fine for non-compliance in responding to a SAR has increased significantly from £500,000 to €20 million, or 4% of the undertaking’s total worldwide annual turnover if greater. However, the Information Commissioner’s Office (ICO) has emphasised that it intends to continue to use its powers to impose fines “proportionately and judiciously” and regards issuing fines as “a last resort”

Subject Access Rights under GDPR

When responding to a SAR, you must provide the employee with the following information:

  • The purposes for processing the data
  • The categories of personal data you process
  • The recipients, or categories of recipient, to whom the data is disclosed (especially if outside the European Economic Area (EEA))
  • How long you will hold the data
  • The employee’s right to request rectification or erasure of data, and to restrict or object to processing
  • The employee’s right to complain to the ICO
  • The source of any data not provided by the employee
  • The existence of any automated decision-making (including profiling), the logic involved, and the envisaged consequences of such decision-making for the employee
  • The safeguards provided for the transfer of data outside the EEA (if relevant)

If a SAR is manifestly unfounded or excessive (for example because it is repetitive), you can charge a reasonable fee for administrative costs or refuse to act on the request. But you must tell the employee, without undue delay and within one month of receipt, why you are not responding to the SAR and of their right to complain to the ICO and/or a court. If you are challenged, the burden is on you to demonstrate that the request was manifestly unfounded or excessive, so record your reasons at the time.

Policies and Procedures

You should already have policies in place to guide both employees and managers on dealing with SARs; use the following to update them.

  1. On receipt of a SAR, assess whether the request is complex. Given the volume and sensitivity of employee data typically held, employee requests often are, and may need the extended three-month time limit. If so, notify the employee of the extension and the reasons for it within one month of receipt of the request. Keep the employee informed throughout – regular communication reduces the risk of a complaint to the ICO.
  2. Identify where the data is being stored, both electronically and on paper. This may include the HR team, the line manager and the IT department (for example email archives and shared drives). Your policy should specify the timescale for them to provide the data for review, including by legal advisers if necessary, well before the SAR response is due.
  3. Employees responsible for dealing with SARs will need training, and the policy should name who is accountable for logging each request and tracking its deadline.

Identifying SARs

Your data protection policy can specify how employees should submit SARs, which will help you to identify them. However, an employee can still submit a valid SAR in some other way, including verbally or even via social media; in those cases you should confirm the request back to them in writing, and it is important to monitor all channels of communication regularly so that the one-month clock is not missed.

Legally, there is no prescribed format for a valid SAR under GDPR. The request simply needs to ask for a copy of the individual’s personal information. For example, a request for “a copy of all information that you hold about me” or “all information relating to my recent grievance” will be a valid SAR.

You are not required to comply with a SAR until you have verified the identity of the individual making the request. The requester could, for example, be a previous job applicant rather than a current employee, and you may need to check their identity before disclosing any personal data – a copy of a utility bill should normally suffice. Keep the check proportionate to the sensitivity of the data, and do not retain the identity document for longer than you need it.

Clarifying and Searching

Most SARs ask for “all information that you hold about me”. The ICO regards an individual’s right to access their personal data as fundamental. However, in some circumstances it may be possible to show that the employee’s request would require taking unreasonable steps.

Initially, discuss the scope of the request with your employee. You cannot require them to narrow the scope, but you can ask for further information to help locate the personal data. For example, if the employee is seeking personal information contained in emails, you could ask them which email accounts should be searched, or for a date range. Engaging with the employee about their request, even if they refuse to cooperate, may help your case should they later complain to the ICO.

The ICO’s Subject access code of practice may be of help.

Carrying out regular data audits to record where personal data is stored is beneficial, especially if third parties are involved, such as cloud-based HR databases or payroll providers.

Searching email systems for personal data can be onerous. Ideally, set up your systems so that information is easy to locate. You may also need to search local computer drives (such as the line manager’s) for personal data – your policy should set clear rules on the storage of employee data on local drives and personal devices, because data you cannot find is still data you are obliged to disclose.

Paper archives should also be searched. To save time, liaise with the employee to agree the search parameters.

Data Exemptions

If the employee’s personal data is mixed with that of other people, assess whether to disclose such third-party data: under the Data Protection Act 2018 you should only disclose it if the other individual consents, or it is reasonable to do so without their consent. The Data Protection Act 2018 also contains exemptions for some data types, including:

  • Confidential employment references
  • Personal data processed for management forecasting or planning if disclosure would prejudice the business (e.g. reorganisation plans)
  • Records of your intentions in relation to negotiations with the data subject if this would prejudice the negotiations
  • Information subject to legal professional privilege

Providing the Data to the Employee

The GDPR recommends that, where possible, personal data should be provided via remote access to a secure system. Alternatively, provide the response electronically (unless the employee requests otherwise) using password-protected documents, or an encrypted portable hard drive or USB device; send any password by a separate channel from the data itself. This is a significant change from previous practice, as employers used to provide hard-copy data.

Explain what searches you carried out and why any searches were limited, either because they would have required disproportionate effort or because the data is too intermingled with third-party data. Clear explanations reduce the risk of complaints to the ICO.

For further advice on SARs or any other staff issues, do call me on 0118 940 3032 or email me.

Is Your Staff Handbook Up To Date for 2019/20?

Every time Employment Law changes, your staff handbook becomes more out of date. Changes are made to Employment Law at least twice a year – usually around April and October. If you haven’t checked your Staff Handbook in the last three years, it will be very out of date by now, and some of your employee policies may no longer be lawful.

Why do you need a Staff Handbook?

A Staff Handbook lets you tell your employees about your workplace rules in an efficient, uniform way. Your employees will know what is expected of them and what they can expect of you. A Staff Handbook can provide your company with valuable legal protections, when employees understand the rules of your organisation. It also gives you a good place to collect policies that must be in writing, such as policies on smoking, social media use, or family and medical leave.

How do you keep your Handbook up to date?

To help you bring your Handbook up to date and in line with current legislation, we can review it for you and make recommendations on what needs to be changed. Send us your Staff Handbook as a Word file and we will read through it – confidentially, of course. We will then send you a list of recommended changes that need to be made. The cost for this review is just £250 +VAT.

Once you have our recommendations, you can make the changes yourself. Or we can do them for you – just ask for a quote for bringing your Handbook fully up to date. Call 0118 940 3032 for more details or email your Staff Handbook to us.

It’s Time to Bring Your Staff Handbook Up to Date

Many businesses experience a quiet time in July and August, when staff and customers are on holiday. If this happens in your business, you can use the extra time you have to make sure that you’re up to date with all things HR.

When did you last check that your Staff Handbook was in line with current Employment Law? Every time changes are made to Employment law – which is usually at least twice every year, in the Spring and again in the Autumn – your handbook will become a bit more out of date. So far this year we’ve seen a number of changes to maternity and paternity laws, including shared parental leave. Flexible working laws have changed, along with those relating to attending antenatal appointments.

So how do you keep up to date?

The Acas website at www.acas.org.uk is a good source of information. It lists all the recent Employment Law changes. You’ll need to look at all the changes that have been made and work out which apply to your business. Then you’ll need to find the relevant sections within your Staff Handbook and bring them up to date. You should do the same with any staff forms and processes that you use, to make sure that you’re fully compliant.

Once you’ve updated your HR processes and policies, you need to think about how to introduce the changes to your existing members of staff. If you publish your Handbook in hard copy, you can reissue it – but don’t just print it out and leave it on a shelf next to the old one! Let your employees know which policies have been changed and that they should read the Handbook, so they can see how the changes could affect them.

If you have an Intranet within your business, put your new Handbook onto it and tell your staff about the sections and laws that have changed, so that they can read the relevant sections.

However you share your Handbook, you need to encourage your staff to read it. You could ask each employee to sign a form showing that they’ve read the new Handbook and have understood how the changes affect them. This also gives them the opportunity to ask you about anything they don’t understand.

If your handbook is more than three years old, it will be out of date and will need a bit of work; if it’s more than five years old it will be more of an antique and you might even need a brand new one!

Does updating your own Staff Handbook sound like a rather daunting task? If so, do get in touch to talk to us about how we can do it for you. Call us on 0118 940 3032 or email sueferguson@optionshr.co.uk.

Employment Law Changes for Spring 2015

Employment Law is constantly changing. To make sure you stay on the right side of the law, and do the right thing by your employees, here are some of the issues you need to know about.

Shared Parental Leave – this will allow eligible mothers, fathers, partners and adopters to choose how to share time off work after their child is born or placed for adoption. Employed mothers will still be entitled to 52 weeks of maternity leave and 39 weeks of statutory maternity pay or maternity allowance. If she chooses, an eligible mother can end her maternity leave early and, with her partner or the child’s father, opt for Shared Parental Leave instead of Maternity Leave. If they both meet the qualifying requirements, they will need to decide how they want to divide their Shared Parental Leave and Pay entitlement.

Antenatal Rights – from 1 October 2014, the partner of a pregnant woman has been allowed to take unpaid time off work to attend antenatal appointments with her. Partners are allowed time off for up to two antenatal appointments, capped at 6.5 hours per appointment. Confusion might arise because in some cases, the partner might not be the biological father of the child. They could be the mother’s spouse, civil partner, or partner in an enduring relationship. It could also be the parents of a child in a surrogacy arrangement.

Fit for Work – this service helps employees stay in, or return to work. It provides an occupational health assessment and general health and work advice to employees, employers and GPs. It will not replace, but will complement existing occupational health services provided by employers. There will be a phased roll out of the referral service taking place over a period of months during 2015.

Every time a change is made to Employment Law, your Staff Handbook will become out of date. You don’t need to update it every month, but you do need to be aware of the legal changes and how they affect your employees and your business. If your Handbook has not been updated for a couple of years, it’s best to get up to date information on any specific issue, before you take action.

To help keep your business up to date, book your place on our next Employment Law Update Workshop. On 21 May 2015 we’ll be spending the morning at Hennerton Golf Club in Wargrave, Berkshire, going through the changes. We’ll talk about how they will specifically impact on your business and what you need to be aware of, in order to stay on the right side of the law. Places cost just £15 +VAT.

Can Santa Get the Sack?

Christmas is coming, the goose is getting fat … but so is Santa! He’s now too big to fit down the chimney; the elves think they have man flu; and Rudolf says the roads are blocked with snow so he can’t get to work!

You might think that Christmas runs smoothly at the North Pole – after all, they have all year to plan it. However, this year there are a few problems for the Head Reindeer (HR) department to sort out.

Father Christmas is too big to fit down the chimney. All year Santa has been relaxing at the North Pole and as a result, his girth has expanded somewhat. The Head Reindeer is worried that he won’t be able to do his job properly – after all, he is supposed to climb down chimneys in order to deliver presents. Can he get the sack for not being able to carry out the work in his job description? If Santa is morbidly obese and can’t carry out his daily tasks, he could be classed as disabled. This means that sacking him because of his girth may be discrimination – something the Head Reindeer would like to avoid!

The elves think they have ‘man flu’. They’re sneezing and coughing and their noses are running, so they’d really like to stay in bed – especially during December when work gets really busy. Are they allowed to take time off sick, when Father Christmas thinks they just have colds? Staff sickness absence usually increases over the winter months, so the Head Reindeer will need to speak to each of the elves, find out what’s actually wrong with them and make sure they have the right evidence to support the reasons for their absence. Keeping in contact with sick staff is always a good idea. After all, how can Christmas carry on without the elves?

Rudolf says the roads are blocked with snow. He says he can’t get to the office because of the weather conditions. He can’t really work from home, although for some staff it’s worth setting up secure remote access, so that they can still work even when they’re not in the office. The Head Reindeer needs to make sure that the Staff Handbook is up to date, to cover issues like bad weather. And he needs to find out how else to get Rudolf to work if there is snow on the road, or Christmas might have to be cancelled.

With a little bit of forward planning (and perhaps some advice from an expert) the Head Reindeer (HR) manager will be able to make sure that everything goes to plan for a great Christmas. At least he can let all the elves take time off together, once the festive period is over!