Discovery by a different name? Data Subject Access Requests from a post-employment perspective

July 2013

In the UK

Employers inevitably process personal data of their employees. Under the Data Protection Act 1998 (DPA), employees have the right to obtain, on valid request, a description of:

  • the personal data of which the employee is the subject;
  • the purposes for which the data is held; and
  • the recipients of it.

Subject Access Requests (SARs) are applications made by individuals to enforce this right. Although the courts have ruled against SARs being used for 'fishing expeditions' for the purposes of litigation, employees are increasingly using them to obtain information for use in claims against their ex-employers.

SARs can be particularly useful where the information the employee requires is not available through traditional disclosure. This commonly arises where the employee either cannot demonstrate that the document in question is relevant to the ongoing litigation (a fairly narrow test), or does not want to go to the trouble of doing so. SARs potentially give employees access to a wider range of documents and information in addition to or in conjunction with traditional disclosure. Employees also use SARs (currently subject to a maximum fee of £10) as a simple and cost-effective way to be difficult and to increase their ex-employers’ use of management resources and legal costs.

Employers are obliged to comply within 40 days of receiving a properly submitted SAR. Employers are not required to explain the scope of their search but are under a general duty to act fairly when processing data and it is seen as good practice to give a basic explanation of the approach taken. 

Employers should be aware of:

  • Vexatious requests: where employees have previously made similar SARs, employers are only obliged to respond if a reasonable period of time has lapsed since the previous SAR and the need for a further response will be determined by the circumstances. 
  • Onerous requests: compliance with onerous requests can be expensive and time-consuming but there are no provisions in the DPA allowing employers to refuse to comply on these grounds. If anything, employers dealing with an onerous SAR are obliged to act reasonably and expected to approach the search constructively, save that the Information Commissioner’s Office (ICO) will not enforce a SAR that involves a disproportionate effort on the employer’s behalf.
  • Scope: there is tension between the courts and the ICO regarding the extent of employers' obligations to search for personal data, with the courts acknowledging the difficulties of compliance and the ICO pushing for employers to conduct detailed searches. The courts have been keen to stress that employees are not entitled to all documents which simply refer to them, that searches should be reasonable and proportionate, and that employees are entitled to use SARs to access data rather than obtain disclosure of documents.  The ICO is equally keen to stress that employers are obliged to make extensive efforts to locate personal data following a SAR. 
  • Exempt data: employers are not required to provide certain personal data including data relating to management or business forecasting or data which is subject to legal access privilege. Confidential references given by employers and medical records where disclosure would be likely to cause serious harm to the physical or mental health of the employee or any other person, are also exempt.

The attraction of SARs for employees is obvious – a cheap and easy way to seek to obtain a broad range of information which may be useful in proceedings against ex-employers while causing their ex-employers headaches along the way. Employers need to be prepared. They should have an appropriate policy and procedure in place to deal with SARs as efficiently as possible and with as little disruption to their business as possible and to aid their defence of any relevant employment claims.

In Germany

Although employees in Germany are entitled to request information about what personal data employers hold and process under German employment and data protection law, access requests are not tactically used for 'fishing expeditions' by employees or ex-employees.

Under German law there are two legal grounds which an employee may rely on to access the personal data held about them by an employer or ex-employer:

Section 83 Works Constitution Act
Usually the personal data of an employee is recorded in a personnel file. A personnel file is defined as storage of documents and information referring to the personal and official position of the employee in connection to the employment relationship and is usually recorded on paper. A personnel file may, if properly kept, contain every document relevant to the employment relationship.

Under section 83 Works Constitution Act, an employee may inspect his personnel files.  Until recently, this only applied in an ongoing employment relationship but a recent judgement of the Federal Labour Court held that an employee is also entitled to inspect personnel files kept on him after the employment contract is terminated.

The employer does not have the right to refuse a properly made request for access under this legislation.

Section 34 Federal Data Protection Act (BDSG):
If personal data of an employee is stored electronically, section 34 of the Federal Data Protection Act (BDSG) entitles employees to request information about:

  • recorded data referring to them, including information relating to the source of the data;
  • the recipients or categories of recipients to which the data is transferred and
  • the purpose for storing the data.

In order to exercise rights under s34 BDSG, the employee needs to demonstrate adequately that the employer does indeed store personal data. s34 BDSG continues to apply after the employment contract is terminated and the right to obtain information even applies to confidential information.

The employer may be entitled to reject the request of the employee if, for instance, the data is classified or due to the nature of the data, namely due to overriding legal interests of a third party. In addition, the request can be turned down if disclosure of the personal data would seriously endanger the commercial interests of the employer, unless the notification of the employee outweighs this danger.

In conclusion, employees have the right to obtain information about their personal data held and disclosed to third parties by an (ex)employer under German employment and data protection law. Contrary to the situation in the UK, these rights are not, on the whole, exploited by ex-employees for the purposes of litigation.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Stephanie Creed

Franziska Hügel

Stephanie looks at the tactical use of SARs and the problems they pose for employers, while Franziska looks at alternative approaches under German law.