Can you refuse a DSAR in favour of the disclosure process?
Last month the ICO published an enforcement notice against an employer who failed to respond to an employee’s data subject access request submitted during the course of tribunal proceedings. A data subject access request was issued on 7 May 2020. The employer refused to respond to the request on the basis that they would wait until such time as the Tribunal advised the parties to begin the disclosure process.
On being reminded of their obligations under data protection laws by the employee, the employer further stated that the employee was entitled only to those documents relevant to their claim in the Tribunal, nothing more. The employee therefore made a complaint to the ICO in respect of the employer’s failure to respond.
The ICO requested evidence from the employer that the Tribunal had advised them they were not required to respond to the DSAR; however, no evidence was forthcoming. The employee later disclosed to the ICO an email from the Tribunal confirming that it did not have powers to relieve employers of their duties under data protection legislation. After communication between the ICO and the employer, the ICO issued an enforcement notice on the grounds of the employer’s infringement of data protection legislation and their act of wilfully misleading the ICO.
A link to the enforcement notice can be found here. If the employer fails to comply, the sanction is a penalty notice, which can be up to £17,500,000 or 4% of their total annual worldwide turnover, whichever is greater.
Whilst DSARs are used increasingly as a tactic in litigation, this notice confirms that the process of disclosure in respect of an employment tribunal claim and the right of a data subject to access their personal data are distinct.
There are limited circumstances in which a DSAR can be refused. Whilst the process of disclosure itself will not permit the employer to refuse to respond to a request, depending on the circumstances they may rely on one of the exemptions set out in data protection legislation. Such exemptions may allow employers to limit the information that must be made available under the request, making such requests easier to manage.
An employer may also extend the time limit for responding to a DSAR due to operational constraints on the basis that it is also preparing disclosure.
Although not dealt with in the enforcement notice, employers should be mindful that the duty of disclosure in response to a DSAR is potentially broader than that under a tribunal process. Whilst parties to a claim are only required to disclose documents or materials that are relevant to that claim, a DSAR can be for all documents and materials that refer to or identify the data subject, regardless of their relevance to any proceedings.
If you’ve received a DSAR and would like assistance responding, please contact us.