Before you press send on a management email about an employee, stop and think to yourself, would I be happy for the employee to read this?
Data subject access requests (known as DSARs or SARs) are frequently the first course of action for disgruntled employees contemplating grievances or employment tribunal proceedings.
As an employer, it is important to understand which documents it is necessary to disclose to the employee in response: Is that HR advice you received as confidential as you would like? And what about the comment that you added when you forwarded it to your FD?
What is a DSAR/SAR?
The right to make a SAR is a key element of data protection law1.
Any data subject (employee) has the right to make a request to a data controller (employer) for the delivery up of copies of all personal information held on them together with other certain specified information. The information must be provided free of charge (unless the request is manifestly unfounded or excessive) and within one month of the request (unless there are reasons for the time limit to be paused or extended).
The ICO has recently produced some new SAR Q&A information for employers, which can be read here.
What information can be requested?
Any information relating to the employee or from which the employee can be identified can be requested and should be disclosed (unless subject to an exemption – see below). This could include the following:
An employer must make “reasonable efforts” to disclose any such documents.
Do I have to disclose everything?
Maybe not. Consider the following:
Excessive requests – If the request is not limited to specific dates, times, subjects, etc potentially thousands of pieces of data could be included. You may argue that it is “manifestly unfounded or excessive” and seek to charge a fee or refuse to act on the request. The more focused and reasonable an employee is, the harder that argument will be.
Data relates to another employee – If the personal data is also information relating to another individual, unless that individual has consented, you must consider whether it is reasonable to disclose the information without consent or if it can be disclosed with appropriate redactions.
Data held on other systems – Unless you are a data controller in relation to data held on other systems, it falls outside the scope of a subject access request.
Deleted data – You are not expected to recreate this data. However, back-up data should be included in a search.
Exemptions – There is a specified list of exemptions. Those most likely to be applicable in the employment context are:
Do employers have to disclose confidential HR advice?
If the advice is provided by a law firm – Only the advice provided by lawyers (including supervised non-lawyers within a law firm such as paralegals and trainee solicitors) benefits from privilege. This means that if you instruct a law firm, you can rely on legal privilege as a reason not to disclose that advice and it can remain confidential.
What about advice given by non-lawyers (i.e. HR consultants)? – The current position is that information provided by non-lawyers is not subject to legal privilege and therefore should be disclosed, unless another exemption can be applied.
What does this mean for HR advice provided in the context of disciplinary and grievance procedures? – Advice provided by a lawyer will benefit from legal advice privilege and you can be confident that any documents do not need to be disclosed.
Advice provided by external HR advisors and consultants may be up for grabs2 unless that advice was provided with the dominant purpose of dealing with a litigious dispute (court or tribunal proceedings). Often, at the time advice is produced in relation to grievance and disciplinary proceedings, it is not known whether legal proceedings will result and therefore privilege does not apply.
Can advice from an HR consultant ever be privileged? – Possibly. Where the dominant purpose is to deal with court or tribunal proceedings, privilege may apply. However, the advice provided at any stage prior to the filing the claim (or perhaps the Acas Early Conciliation Notification Form) is vulnerable. Employers should be aware of this when considering an appropriate advisor. If confidential advice is something that you value, it is important that you chose your advisor carefully.
What about that email to the FD?
Before sending stop and apply the “would I be happy for the employee to read this one day?” test and perhaps pick up the phone instead.
If you would like to discuss any aspect of employment law, please contact Melanie Rowe or Luke Smith on 01872 226990 or email email@example.com.