Data Subject Access Requests

DSARs – the ultimate employer red flag

Individuals have a right to ask for personal information held by others. In an employment context this might provide an employee with a way of obtaining information at an early stage to support a grievance or an employment tribunal claim.

These Data Subject Access Requests (DSARs) require that the data subject (in this case, the employee) is provided with a copy of any personal data kept and processed by a controller (i.e. their employer). The personal data can include any and all information relating to the individual, from an employment contract to a text message on a company phone.

DSARs have existed in the UK in one form or another since 1984, embedded within data protection legislation. Much of this legislation was drawn up in an era before computers and mass data collection, and so a DSAR submitted now may be more time consuming and costly to deal with than the drafters of that legislation ever envisaged. But deal with it we must, as a failure to respond to a DSAR in a timely manner can have severe consequences for the data controller.

The development of data storage machines and technology over the last two decades has pushed data protection to the forefront of the public eye. Although storing and processing data is advantageous to Employers, there can be major disadvantages if the information exposes unhelpful trends or secrets. Once a DSAR has been requested, a red flag should be triggered for an Employer.

Risks for employers

Under UK GDPR, Employees can request copies of documents which include their personal information, together with an explanation as to the purpose for which that data was held or processed. Once an Employee makes a DSAR, the Employer is legally required to comply with the request, and has a 30-day period to do so.

As an Employer, responding to a DSAR can put a huge strain on your workforce, as vast amounts of data must be sifted through to meet the request, which can be an onerous and frustrating task. It might be tempting to simply provide everything that might be caught by a DSAR to the employee, shifting the burden of reviewing the material to the data subject who requested it. However, this approach has serious pitfalls – the last thing you want to do is provide a disgruntled employee with ammunition unnecessarily. The steps to be taken by an Employer in order to comply with the request and avoid retribution by a tribunal or court are: to confirm and authorise the identity of the person requesting the information, review the related data, and deliver the information in a digestible format to the requestor. In a large or long-running company, this task can cause internal staffing issues, strain on resources and overall aggravation for the Employer.

How a DSAR can result in a claim

Beyond the administrative issues, there are bigger concerns an Employer should have after a DSAR has been made. Employees who are pursuing grievances, attending disciplinary hearings or are aggrieved all have the right under law to make a DSAR, and the Employer must comply.

Often these DSARs are used as a “fishing expedition” ahead of potential discrimination claims. This information and data can become the basis of a claim against the Employer themselves, the one providing the data and putting in all the work.

Legal help for employers

All Employers will of course want to prevent these claims from arising, for fear of reputational damage, wasted resources and costs. In order for Employers to protect themselves, it is vital that the data is processed in an ethical and fair manner so as not to discriminate in any way, shape or form. Internal decisions by HR and the Employer should be based on performance data and this should be reflected in the processed data.

Employers and HR should also be attentive and alert when receiving a DSAR from an Employee. This request should raise a red flag that an Employee may be trying to build a discrimination case against the company, by having the company disclose documents they wouldn’t want to be disclosed to anyone else, let alone to an employment tribunal.

In this scenario and any DSAR request, offering said Employee a settlement agreement to quietly exit the company and waive the DSAR may be the most efficient way to deal with the request. It not only prevents exposure of potentially damaging documents, but is also commercially and financially beneficial rather than wasting resources and time on the request.

If your company has a DSAR ordered and you are unsure of how to handle it, do not hesitate to contact our firm. We will be more than happy to assist and have specialist lawyers on hand to create bespoke settlement agreements for any case. Please do call us on 020 7438 1060.

Alex Kennedy

I know that when the noise dies down there is a solution to be found. I set about that task as quickly as possible.
