Employers can be forgiven for groaning every time an employee data subject access request (DSAR) lands on their desk. The administrative burden involved in responding to a DSAR means that they are an unpopular aspect of the UK’s data protection regime from the perspective of employers.
However, most employers respond to a DSAR in a timely and comprehensive way, not least because of the negative consequences of a breach of the UK’s General Data Protection Regulation (GDPR), such as being reported to and investigated by the Information Commissioner’s Office (ICO), receiving a penalty notice, or facing a compensation claim.
That said, responding to a DSAR may not be straightforward. One of the key questions encountered by our clients is how broad the search for personal data needs to be.
Should the search be limited to personal data held on an employer’s internal databases and employer-owned devices eg mobiles and laptops? Or is it also necessary to search employees’ personal devices and if so, in what circumstances and how should this be approached?
We consider these questions below and suggest some practical tips for staying on the right side of data protection law.
Employees’ personal devices – when are they relevant to a DSAR?
Many employers use one or more of the numerous online collaboration tools that are now available, such as Slack, Teams and WhatsApp, for the purposes of internal communication with colleagues. The increase in hybrid working has meant that such tools are increasingly downloaded onto employees’ personal mobiles and laptops, either in addition to, or instead of, employer-owned devices. As well as contacting colleagues and business contacts on personal devices, employees may also carry out work-related tasks and store work documents in various formats.
Aside from the business confidentiality challenges this creates, from a data protection perspective employees may therefore be processing personal data about their colleagues on devices to which the employer ultimately has no access. This poses a dilemma for employers when faced with a DSAR. A standard search for personal data on the employer’s systems (eg Outlook, cloud storage etc) may not produce the expected results. Where this is the case, an individual is likely to argue that the employer’s search has been too narrow and in breach of the GDPR.
It is important for employers to assess the extent to which personal devices are used for work purposes. If employees use WhatsApp on their personal mobiles solely for social arrangements with colleagues, for example, then the processing of any personal data in this context may fall outside the scope of a DSAR received by the employer. If the exchanges are unrelated to work and outside of the employer’s control, then it is less likely that any personal data is being processed by the employees on the employer’s behalf.
However, a gray area arises where employees make regular use of their personal mobiles and laptops for work purposes, perhaps carrying out their normal duties, such as the supervision and performance management of junior colleagues. In such a scenario, the ICO is much more likely to conclude that the personal devices were within the employer’s control and that the processing of personal data was done on the employer’s behalf.
The Information Commissioner’s Office (ICO) has published helpful guidance on the Right of Access for employers. In particular, it states:
“If you do allow staff to hold personal data on their own devices, they may be processing that data on your behalf, in which case it is within scope if you receive a SAR. The purpose for which you hold the information, and its context, is likely to be relevant.
We do not expect you to instruct staff to search their private emails, personal devices or private instant messaging applications in response to a SAR, unless you have a good reason to believe they are holding relevant personal data.”
An assessment of whether employees are likely to be holding relevant personal data for the purpose of replying to a DSAR will generally involve several factors, such as:
- the employer’s overall approach to the use of personal devices for work purposes
- whether a formal policy is in place which prohibits, or limits, the use of personal devices
- the nature and purpose of the personal data employees are likely to have on their personal devices
- the scope of the individual DSAR and
- relevant context of the DSAR eg a redundancy, or allegations of discrimination involving specific colleagues.
Any specific guidance issued by the ICO in relation to the particular DSAR (for example, if it has been the subject of a previous complaint to the ICO) should also be taken into account and complied with as far as possible.
Practical tips: searching employees’ personal devices
Employers facing the issues outlined in this article should consider the following key points.
- Avoid the issue in the first place
The simplest solution to the issue of personal devices being used for work purposes is to manage employee behavior up front. Hybrid working is now an established practice and the difficulties associated with short-notice lockdowns and lack of access to IT equipment are (hopefully) in the past. If the intention is that only employer-owned mobiles and laptops should be used for work purposes, then guidance to that effect should be issued to employees when they receive the equipment.
“Because of the DSAR requirement and for other reasons (such as in the case of litigation) it is generally not a good idea for employees to use personal messaging apps for work purposes, and especially in regulated environments where a regulator may require access. Therefore, best practice would be to have a policy to prohibit this.”
- Implement and enforce a policy
The best way to communicate expectations is by publishing an internal policy that addresses the use of personal devices, commonly known as a Bring Your Own Device to work (BYOD) policy. The BYOD policy should cover acceptable use levels, the importance of information security, privacy expectations, and the extent of the employer’s right of access. The BYOD policy should be followed at all levels of the business, with potential breaches investigated and followed up with disciplinary action if necessary.
Similarly, an employer’s data protection policy and privacy notice should also reflect any limitations on employees’ expectations of privacy. This will assist employers to meet the requirements of the data protection regime and also adhere to any regulatory and/or commercial obligations relating to data security and confidentiality, while minimizing the risk of future disputes with employees.
- Provide comprehensive employee guidance
The avoidance approach outlined above may not work for all employers. Certain industries may have a well-established culture of using personal devices, which would be difficult for an employer to reverse. If this applies, the ICO guidance confirms that employers should consider whether employees are processing data on their employer’s behalf. If it is common practice, an employer would certainly struggle to argue that there was no good reason to believe that employees were processing personal data.
In such cases, it may still be relatively straightforward to access an individual’s personal data. For example, if an online group chat included some employer-owned mobiles as well as personal mobiles, then a standard search would produce results. However, it is trickier if all parties to the group chat have used their personal phones. In this situation, employers will need to carefully consider the likely extent of their search obligations and seek guidance as necessary.
Rather than requesting that employees hand in their personal devices (which would no doubt face considerable pushback), we would suggest that employers consider using a third-party IT expert to conduct the searches, or asking the relevant employees to carry out their own reasonable searches.
If the latter approach is taken, the request should ideally include clear instructions for the employees, explaining:
- the data protection obligations that apply;
- the date range for the search;
- key search terms and how to use eg an iPhone search function;
- the best way to record search results; and
- a date for completion of the search (keeping in mind the overall statutory timescale for responding to the DSAR).
It should be noted that DSARs are often submitted as part of an employment dispute, so employers need to be mindful that if they don’t deal with the DSAR properly it is likely to form part of any Employment Tribunal dispute – possibly an alleged act of victimization or other unfavorable treatment.
Also, if the employer is going to liaise with employees and search devices, that is a good opportunity to explain to employees that they must not delete anything potentially relevant to the dispute.
What lies ahead for DSARs?
The current draft of the Data Reform Bill (which had its first reading in Parliament, before the new Government pulled it for further consideration) included a proposed change to the threshold for employers to refuse a DSAR or charge a fee to respond.
At present, the ground of refusal covers DSARs which are “manifestly unfounded or excessive”, which the draft legislation amends to “vexatious or excessive”. One of the interpretations of “vexatious” provided by the Government in its reply to the data reform consultation was an employee who leaves their employment on bad terms and uses a DSAR to disrupt their former employer.
It remains to be seen whether the current draft of the Bill will eventually become law, or whether the ICO or the Courts will in any event agree that a DSAR can be rejected if it is viewed as a vexatious “fishing expedition” following an employee’s acrimonious departure. In the meantime, employers should ensure they have a strategy for managing DSARs in an efficient and legally compliant manner.