Under the Data Protection Act 2018, individuals have the right to access personal data which organisations hold about them. The right entitles an individual to:
- Confirmation that the organisation is processing their personal data
- A copy of their personal data
- Other supplementary information similar to that which should be found in a privacy notice, including information about the purposes for which their data is being processed, the recipients their data is disclosed to, the source of the data (if it was not them) and so on.
Where a request is received from an individual, the organisation must respond without undue delay and at the latest within one month of receipt.
Statistics indicate that there has been an increase in this type of request since the introduction of the GDPR in May 2018. One particular area in which there has been an increase is employment. Employees are increasingly making subject access requests to their employers to obtain the data that they hold about them. This is often done in the context of a pre-existing dispute.
There are exemptions which apply to certain data, but if there is no exemption and an employer fails or refuses to comply with a subject access request, the employee has the right to make a complaint to the Information Commissioner (ICO), who can take enforcement action.
An employment tribunal case from 2016 illustrates the wider consequences non-compliance can have in the employment context. McWilliams v Citibank NA related to a foreign exchange trader who was dismissed for disclosure of confidential information. The Claimant, Ms McWilliams, used an online trading chat facility to communicate with traders at other banks, during which communications she, along with others, disclosed confidential information.
Citibank had started investigations into the practice of sharing confidential information in chat rooms and alleged manipulating of exchange rates. As a result of these investigations, Ms McWilliams was suspended and her line manager was dismissed.
During the disciplinary process, Ms McWilliams made a Subject Access Request seeking all data held about her by 25 individuals. This was refused on the grounds that it was too wide and was disproportionate. She then narrowed the scope of the request to information she could not access whilst suspended and made it clear that this information was necessary in respect of her defence in the disciplinary proceedings, but the request was again refused.
Ms McWilliams was dismissed for gross misconduct due to her disclosures through the online trading chat rooms. Ms McWilliams argued that disclosing information was standard practice at the time. She said that Citibank has a relaxed attitude to compliance and that it was custom and practice to share information.
Ms McWilliams brought an employment tribunal claim for unfair dismissal, which was successful, although the tribunal made a finding of contributory conduct because she had in fact shared confidential information. The Tribunal found that the bank had failed to carry out a reasonable investigation, and particularly had failed to investigate the defence put forward that that the disclosures were common practice and condoned by senior management. But, importantly for the purposes of this blog, the tribunal also found that Citibank’s refusal to respond to the Subject Access Request was unfair and materially affected Ms McWilliams’ ability to defend the allegations against her.
Although this was a first instance employment tribunal decision, and therefore not binding precedent, it is a useful illustration of the potential wider consequences which could flow from data protection issues. Any decision of the tribunal will always depend on the circumstances of an individual case: one of the key points here being that Ms McWilliams specifically emphasised that the information was essential to her defence, which impacted on the reasonableness of the investigation and her ability to present her defence. However, the case is a warning for employers that they do need to carefully consider any Subject Access Request made by an employee during the course of any internal proceedings (be they disciplinary or otherwise) to ensure that process is not prejudiced. If a legitimate request is made and the employer does not respond to it, where that failure impacts on any decisions taken by the employer, this can affect the fairness of any subsequent dismissal.
It should be remembered that the view of an employment tribunal will potentially differ from the ICO, given their differing purposes. In the context of disciplinary proceedings which are argued to be unfair, an employment tribunal is unlikely to consider a refusal to respond to a request if it is a clear ‘fishing expedition’ rather than a request for specific data which it is acknowledged is necessary or has a purpose. It would not be reasonable to require the employer to trawl through all their records if it is actually one specific, known document that is sought. However, ultimately individuals do have the right to access their data and in terms of data protection legislation there is no provision for refusing a subject access request based on the purpose for which it is made (unless responding to the request would be onerous and/ or disproportionate). Therefore, even if refusing the request would not be considered unfair in the context of an employment tribunal claim, it may still be considered a breach of data protection rules by the ICO.
Contact our expert GDPR Solicitors, Glasgow today
For more information and guidance on this or any other employment law issues, please get in touch with a member of our Employment team today.
This is not legal advice; it is intended to provide information of general interest about current legal issues.