UK: GDPR – Data Subject Access Requests
In response to a DSAR from an individual who had also brought an employment tribunal claim, First Choice Selection Services Ltd, a Northern Ireland employment agency, informed the individual that they would only release the information requested when they were instructed to do so by the tribunal.
The individual then made a complaint to the ICO which found that, as well as failing to comply with the DSAR, First Choice was in breach of the accountability principle – demonstrating that their data processing activities comply with the data protection principles.
The ICO’s enforcement notice dated 2 March 2021 required First Choice by 1 April 2021 to properly respond to the DSAR and to make changes to their internal systems, procedures and policies to ensure that they identify and respond to future DSARs. Failure to comply with an enforcement notice could result in a large fine of up to £17,500,000 or 4% of global turnover (whichever is the higher) although there is no need to comply with the notice pending determination of any appeal.
Key Action Points for Human Resources and In-house Counsel
DSARs are frequently made in the context of a tribunal claim and are sometimes used by claimants as leverage in a dispute to achieve a settlement. The person making a DSAR is not required to explain the purpose of their request, although their motivation for making it could be relevant when considering whether or not it is excessive or disproportionate. Regardless of an employer’s suspicions about the claimant’s motive, the ICO’s notice serves as a reminder for employers that they must have processes in place to ensure they recognise and respond to DSARs, and that if a DSAR is made at the same time as a tribunal claim, the employer must comply in the normal way. Disclosure as part of a tribunal claim attracts different rules and procedure but they do not prevent claimants also making a DSAR under the data protection regime.
Authors: Nick Elwell-Sutton and Corinna Harris