Q&A – Two tricky subject access request points
20 June 2019
The Data Protection Act 2018 (DPA 2018) gave effect to the EU General Data Protection Regulation (GDPR). Many employers have already undertaken data audits, issued privacy notices and updated their data protection policies in light of GDPR, but may not be aware of some of the trickier provisions under the new legislation. We consider a couple of these provisions in more detail below by answering some frequently asked questions:
An employee has requested a copy of a reference about them. Are we obliged to disclose it?
The DPA 2018 gives individuals the right to make a subject access request (SAR) to a data controller relating to the processing of the individual’s personal data. For a summary of the SAR process, see our previous article here.
Under the old DPA 1998, an employer who had given a reference about an employee in confidence did not have to comply with a subject access request to disclose the reference. The employee could, however, obtain a copy of the reference from the person who received the reference (i.e. the new or prospective employer).
Under the DPA 2018, however, both the giver of the reference and the recipient of the reference can potentially rely on an exemption in the legislation and do not have to disclose the reference to the employee. (In order to rely on this exemption, you would be well advised to ensure that references you give are clearly marked as ‘confidential’.)
On the face of it, this means that it will be more difficult for employees to get hold of copies of confidential references about them, and in turn more difficult to show, for example, that a reference was discriminatory or negligent. However, you should still ensure you take care when writing references, as you may still be required to disclose the reference if there is subsequent litigation, and it is of course possible that a prospective employer may share the reference with the employee anyway, even though they are not required to under the legislation. As we have said before (see our article ‘References – useful guidance for employers’), the rule of thumb is that if you give a reference, it should be “fair, factual and not misleading.”
How do we deal with an employee’s request for personal data where the data also contains personal data relating to another employee?
When responding to a SAR in this situation, the data controller, i.e. the employer, has to balance the rights of the individual making the request against the rights of the other individual whose data is involved. If the other individual has consented to the disclosure of the information, or it is reasonable to disclose the information without their consent (having regard to all the relevant circumstances), then you should disclose the information.
However, if, taking into account all the circumstances, including “the type of information that would be disclosed”, it would not be reasonable to disclose the information, then you do not have to disclose it. It may be possible to disclose a redacted version, or it may be justifiable not to disclose the information at all.
We are not aware of any cases having been brought on this point under the new legislation, but we can see that the types of situations covered could include one where an employee requests information that could, for example, identify another employee who has made a complaint of sexual harassment, where the question is whether it would be reasonable to disclose that data without the consent of the complainant. It is worth pointing out that there is an assumption that it will be reasonable to disclose information to a data subject in certain health, social work and educational contexts. We would always recommend taking specific advice if you are dealing with a SAR which could involve mixed personal data.