I am HR Manager in a medium sized Company and have recently received a letter from one of our employees requesting personal data under Section 7.1 of the Data Protection Act 1998.
The employee has asked for this personal data at the same time as lodging a grievance about her treatment by one of her managers. She has asked to see copies of all documents stored on our computers, our IT systems, copies of all emails and their attachments and all copies of any other documents such as memoranda, letters and file notes of which she is the data subject.
I have never had to deal with one of these requests before and feel a bit overwhelmed. She seems to have asked for a lot of documentation but not given any specifics. What amount of information do I have to disclose as a Company? Can I disclose documents which have personal information about other employees contained in them, i.e. salary reviews, and how quickly do I have to respond to this request?
Doubtful about data protection
Under Section 7.1 of the Data Protection Act 1998, an individual has the right of access to personal data (of which he/she is the data subject). The right of access applies to information held on computer or paper files as long as they are organised into a relevant filing system. You should provide this information to your employee by way of copy, except where the information cannot be disclosed in a permanent format or it would involve a disproportionate effort to do so.
So what is personal data?
The leading authority is Durant v The Financial Services Authority, which significantly limited the scope of what is personal data for the purposes of a subject access request. The Court of Appeal concluded that information would only be personal data if it affects a person’s privacy whether in his/her personal, family, business or professional capacity.
How does that work in practice?
Points to bear in mind are the following:
a) Whether the information is biographical in a significant sense. For example, if a document deals with personal details about your employee such as their sickness absence, then they would be the data subject of that document. However, if that individual was merely copied in on an email, that would mean that they were not the data subject of the email.
b) The Court of Appeal also identified that the information should have the individual as its focus rather than some other person with whom that individual may be involved. For example, if your employee was dealing with a client matter and was communicating with that client on a business issue, they would not be the focus of the email. However, if the email were about an increase in the employee’s salary, they would be the data subject of that email and that should be disclosed.
c) In addition, if the individual's request is too wide-ranging and vague, it is legitimate for you to ask for specifics/clarification about the documents she is asking for. It is likely to be disproportionate for you to have to disclose all documents which have ever mentioned this employee since she has worked for your organisation!
What is a relevant filing system?
The second key issue which was determined by Durant is what amounts to a relevant filing system. This is important in that only information which is held on a computer or held manually in a relevant filing system needs to be disclosed. Effectively, the manual information must be filed in a filing system which is broadly equivalent to a computerised system. An easy way of establishing whether or not information is held in a relevant manual filing system is to do the "temp test": would a temporary secretary be able to find the information if asked to look for a document, or is there no proper system in place to enable them to find it? If the answer to the first question is yes, it is likely the document is held in a relevant filing system. If the answer is no, it is likely that the document is not disclosable, as, if a temp cannot find it, it is unlikely that any relevant filing system is in place.
Third party information
You asked whether you had to disclose documents which contained personal information about another individual. This is sometimes called “third party information”.
As you will understand, this gives rise to a conflict between the data subject’s right of access and the third party’s right to respect for their private life. Firstly, you should see whether or not it is possible to communicate the personal data sought without giving any information about the third party at the same time. One easy way of doing this would be to redact names or other identifying details. However, this will not work if it is obvious who the other individual is from the content of the email. In those circumstances, you should try to get the third party’s consent to disclosure of this information.
Sometimes, however, the third party will be reluctant to consent to disclosure, particularly if it is a sensitive matter such as a salary review. In considering whether or not the document should be disclosed, the Information Commissioner will look at whether or not consent has been refused by the third party. It is unlikely that you would need to disclose the document if consent has been refused.
There are strict time limits for responding to a subject access request. You need to respond within 40 days of the request being received. The individual should also have enclosed a £10 fee. Failure to enclose that £10 fee means that the request has not been validly made. The time limit would only start to run from the time the £10 fee was received.
What happens if you don’t reply to the request?
If you do not comply with the subject access request, this may result in the Court ordering the Data Controller to make the necessary disclosure. Any individual who suffers damage or distress as a result of any contravention of the requirements of the Act is entitled to compensation where the Data Controller is unable to prove that he had taken such steps as are reasonable in the circumstances to comply with the relevant requirement. It can be quite difficult to prove exactly what the level of damages should be for this sort of claim, because it is often hard to quantify the damage a person has suffered. The Information Commissioner also has the power to "name and shame" companies which have not complied with their obligations under the data protection laws. So you may prefer not to get your wrist slapped: check exactly what your employee wants and get the information to her.