Back in March we posted here an explanation of why the “manifestly unfounded” exception to an employer’s DSAR obligations was perhaps less helpful than the ICO’s then guidance suggested.
Now there is some new ICO guidance out this week which probably does move the needle slightly more usefully in favour of the employer.
The guidance states that an employer can refuse to comply with a DSAR if it is manifestly unfounded (where the position is effectively unchanged from March) or manifestly excessive (where the guidance has been expanded). In very broad terms, “unfounded” is a question of the motives of the requesting employee, while “excessive” turns mostly on the resources of the employer relative to the burden which the request puts on it.
The guidance on “manifestly excessive” encourages the employer to reach a decision on whether the DSAR is “clearly or obviously unreasonable”, based in large part on “whether the request is proportionate when balanced with the burden or costs involved in dealing with the request”. Relevant considerations will include the nature of the information requested (how specific is it, is it limited by time or topic, etc.?), the context of the request and the relationship between you and the individual, what harm would be caused to the employee by your refusal, your available resources, and whether the request duplicates or overlaps with other requests for that data.
This all sounds quite promising – surely a number of those considerations could be applied to any extensive employee DSAR brought in the midst or aftermath of contested internal disciplinary or grievance proceedings or external Tribunal proceedings. You might argue, for example, that a DSAR would cover the same ground as ordinary litigation disclosure obligations and so could fall within the “overlap” point, that no harm would be done because no data you hold is prejudicial to the employee, that the relationship between you and the individual is essentially over, and so on. However, it would generally be most unwise to put all your eggs in that particular basket.
First, the revised guidance and the ICO’s covering blog still stress the paramount importance of personal data transparency, so you will need something quite significant to justify denying your employee that right. Second, that point is reinforced by the use of “manifestly”, meaning that issues of proportionality at the margins simply won’t cut it. Third, to refuse outright it would have to be the entirety of the request that was disproportionate or excessive, since elsewhere the guidance makes clear that even where some of what is requested is unreasonable, you still have to do a proper search for the rest. Last, the burden of proving that the DSAR is manifestly excessive, in whole or in part, rests firmly on the employer.
In addition, keep in mind that the overlap with litigation disclosure may be limited: that obligation requires you to produce the information which is relevant to the dispute, even if it is not about the employee, while the DSAR requires you to produce data about the employee even if it is not relevant to the dispute. On the “what harm done?” question, that is not really for you as employer to decide. You cannot know with certainty why the employee seeks his personal data or the associated processing information. It may be to advance his complaints against you, but it may not. And while it is tempting to rely on the limited-resources get-out, that will be of very limited value in practice, since on public policy grounds it will only very rarely be permissible for an employer to default on important legal obligations for lack of manpower. That excuse might in practical terms justify a delay in responding (for example where your sole DPO is juggling several DSARs at once or has been trapped at home during the pandemic) but it will be much less effective as a basis for refusing the request outright.
“Stopping the clock”
Another potentially significant tweak is made to the guidance in relation to the effect on the 30-day deadline for responding to a DSAR of an employer’s request for clarification of it. Hitherto the ICO had said that such requests do not stop time running, but now, in very limited circumstances, they might.
Those circumstances are where the DSAR covers “a large amount of information” and you ask the employee to “specify the information or processing activities their request relates to”. The guidance then suggests (but remember that this is guidance, not law) that if you have not heard back within a month, you could “consider the DSAR closed”. Again, this is helpful tactically to an employer desperate to buy itself more time, but in reality the revised guidance will still be subject to a number of important caveats:
- You should only make such a request where it is genuinely necessary to do so. If the reality is that you understand enough of what the employee wants to have a decent go at producing it, then your request for clarification is unlikely to stop time running.
- It is at the very least arguable that the clarification request only stops the clock in relation to the specific data asked about, leaving the 30-day limit alive and well in relation to the remainder.
- The request for clarification will need to be made as soon as reasonably practicable after receipt of the DSAR, not on Day 29.
- You cannot automatically equate “large” with complicated, difficult or disproportionate (or indeed, irritating or unnecessary). A request for “all my personal data” is clear – I want it all – even though that may be a great deal of work for you and I am not much interested in most of it. You can (probably should) ask me if there is anything specific I am after, but you cannot make me narrow down my request nor can you hold things up by seeking clarification of what is already clear.
- Nor is there any definition of “large”. It is apparently not just a question of size: the assessment will also cover the employer’s administrative and technical resources, how difficult the data will be to marshal, whether it is held on the individual in more than one capacity (both employee and customer, for example), and so on.
Neither of these amendments changes the underlying law and they are both made in the context of guidance which repeatedly stresses the overriding importance of an individual’s right to his own personal data. They do not get close to material alteration of the balance of power between employer and employee in DSAR matters. Probably the most that can be said is that the ICO may be a little less interested in penalising an employer which has done its reasonable best to adopt the reasoning in the new guidance even if, as a matter of strict law, it was still in default.