Data Subject Access Request

Back in March 2020 we reported here on some new guidance from the Information Commissioner’s Office concerning DSARs.  In particular, we looked at what it said about the employer’s rights not to comply with a DSAR to the extent that it was manifestly unfounded or manifestly excessive, and concluded that despite the superficially encouraging words of the guidance, The Law would take an altogether more restrictive view of those two exemptions, leaving them both basically neutered.

Three years, a pandemic and Brexit later, the ICO published some more guidance last week which takes another look at those two possible get-outs for employers in receipt of DSARs.  Does this new version give them any greater joy?  How much EU-sourced red tape has been consigned to the flames this time?

The “manifestly unfounded” section begins unpromisingly.  A request may fall into that exemption if “the worker clearly has no intention to exercise their right of access; or the request is malicious in intent . . . for example if the person explicitly states in the request itself or other communications that they intend to cause disruption”.  This is unchanged from the last version and since you would need to be a weapons-grade halfwit to say either of those things in your DSAR, we must look elsewhere for help.  For example, what about the request might suggest that it is made with “malicious intent”?  Where the requester is “making unsubstantiated accusations against you or specific employees which are clearly prompted by malice” says the guidance, again in the same terms as 2020 (or simplified, that malicious intent can be inferred from clear malice – I hope that helps).  And how far is it really necessary to state the obvious – that the requester knows that the DSAR will compel the employer to incur considerable time and cost, is lodging it often for that very reason and on that same basis is entirely willing to abandon the whole thing if paid off? Does this really need to be said expressly before it can be true?  There is one small pointer as to what does not decide the question – aggressive or abusive language in or around the DSAR “does not necessarily make a request manifestly unfounded”.

There are a couple of examples given in the new guidance of how this might work in practice but the one which might have been most useful goes noticeably unanswered:  a dismissed worker submits a DSAR to his previous employer and states that it will be withdrawn if the employer agrees to an increased financial package.  The employer refuses to comply with the DSAR as it therefore considers the request manifestly unfounded — and there the example ends, with no indication at all from the ICO as to whether it would support that position. Why not? There is no guidance either as to whether it would make any difference if the offer to drop the DSAR is made only in without-prejudice correspondence, though it would seem perverse to suggest that it would – you either have an intent to exercise your right of access or you don’t, and particularly having regard to the reference above to “other communications”, how you give away that you don’t should surely not be relevant.

In reality, however, the requester is likely to say that they were genuinely interested in seeing their personal data to help them in an actual or threatened claim, at least until that became unnecessary through your agreeing to pay them large sums of money.  As a result, they may portray their agreement to drop their DSAR on the reaching of a satisfactory settlement not as improper leverage, but instead as a thoughtful courtesy to the former employer, and that would be a tough argument for the employer to overcome. It would be interesting to know how many employee DSARs are proceeded with despite otherwise acceptable settlement terms having been reached – my assumption is very few indeed.

Employers may have good reason to doubt that an employee’s actual or prospective claims against them would possibly be assisted by a DSAR.  You may well also consider that in reality your employee is even less interested in reviewing thousands of bits of paper, almost all of which he has seen before anyway, than you are in producing them.  But in either case, the burden of proving the application of the exemption lies with the employer and the new guidance makes it clear that the word “manifestly” imposes a much higher threshold than just HR’s natural suspicion, scepticism or terminally-corroded faith in human nature. 

So the new guidance is not much help on the “unfounded” front.  What about requests which are “manifestly excessive”?  Again, the threshold is very much higher than compliance merely being a burden or the request being phrased in terms far wider than you believe are required to shed light on some current dispute with your employee.  However, there are some factors to consider which you might try to rely upon, at least to seek to narrow the search:  how broad is the information requested, the nature of the relationship between you and the requester (the answer “on its knees” will not help you here – indeed, just the opposite, since that increases the requester’s likely interest in seeing that data), whether a refusal to provide the information may cause substantive damage to someone, and “your available resources”.

Expanding on this, the guidance says that the employer should base its decision on the manifestly excessive question by considering whether the request is “clearly or obviously unreasonable”, and that this in turn depends on “whether the request is proportionate when balanced with the burden or costs involved” in dealing with it.  That sounds positive but, whatever it says, the guidance does not actually mean that – in employers’ eyes, almost all employee DSARs impose a burden and costs totally unrelated to the realistic upside for the requester (hence their being so often dropped in negotiations), but that would not be good reason to dismiss them out of hand.

That said, although on its face the manifestly excessive exemption covers the entire DSAR rather than just discrete parts of it, there may be a good case initially for providing what you can but declining to produce larger or less-accessible subsets of data which you reasonably believe add nothing to the employee’s understanding of his possible rights against you, or where your limited resources for handling DSARs require you to prioritise others.  The key will be an ability to defend your thinking.  If you rely on one of these exemptions you need to be able to explain why to both the employee and the ICO, and that will require specific reference to these factors if you are to have any chance of holding your line successfully.  So if this new guidance is a post-Brexit attempt to unshackle data rights from the dead hand of the GDPR, it is a bit of a flop.  It may be that the ICO and UK courts will be a little more flexible around the margins than hitherto, but it would be a brave employer which would bank on it.  In the end, the new guidance makes clear that the rights of access to one’s personal data are paramount and that if you decide to play fast and loose with them under these exemptions without the necessary strength of background evidence, it will still all end in tears very quickly.