Data Subject Access Request - Latest Developments
- Date: Tuesday 22nd January 2019
- PDF: Download
A few months ago we told you that the changes to Data Protection Law are likely to hit the courts in the future – low and behold, here comes an important update you need to be aware of:
This update relates to Data Subject Access Requests (SAR). Under GDPR, any individual is entitled to ask any data holder or processor for access to their data. This includes emails, electronic or hardcopy filing, reports relating to them, recordings etc.
Sometimes, email correspondence may contain unprofessional comments, remarks or ‘name calling’ and you may think that something written in the heat of the moment should be excluded. After all, an employment tribunal may interpret these comments as discriminatory, when in reality they are usually a normal human reaction to something that has happened.
The ICO and our solicitors advised us that:
The individual is entitled to receive all communication, without censorship.
The following exceptions apply:
- Where the content relates to another individual, this person may be anonymised.
- Where the content relates to confidential company information, such as details of a potential offer of settlement.
- Once it has been made clear by the data subject that they are likely to file a tribunal claim, any correspondence relating directly to potential litigation may be withheld. However, there needs to be a clear indication that a claim is imminent.
- Communication between legal professionals with their client is covert under legal privilege. So, if you receive advice from your solicitor regarding a pending case, the data subject can’t ask for access to this advice (exceptions apply – please check with your solicitor at the time).
- However, if you receive advice pre-litigation from a consultant, or simply copy your solicitor into an email sent to someone else, legal privilege does not apply.
In other words, SSG are obliged to submit all and any correspondence we have sent or received regarding the individual.
- Be careful what you put in writing! A general rule should be: if you wouldn’t be happy to send it to your employee, don’t put it in an email!
- Adhere to your data cleansing rules and delete outdated information regularly.
- Maintain a clean and tidy filing system. By doing so, Subject Access Requests can be more easily dealt with and you are not wasting time hunting for information.
If you have any further questions regarding data protection, please call your consultant.
Source: Manuela Grossmann, SSG