Dealing with Data Day-to-Day

All employers deal with employee data on a day-to-day basis and data management procedures are well-embedded in many larger organisations.  What you’ve done with some data, what you should do with other data and what to do with that data subject access request (DSAR) are questions that crop up time and time again.

So far this year, the big news was that the EU Commission adopted a decision confirming the “adequacy” of the UK’s post-Brexit data protection regime so that personal data could continue to flow from the EU to the UK.  But there have been other data protection developments affecting employee data too.

In February 2021, the Court of Appeal decided in Phones 4U Ltd v Deutsche Telekom AG and others that it was appropriate for the High Court to order defendants in a non-employment case to request voluntary disclosure of data held on the personal devices of both existing and former employees.  In this case, the employees had deliberately chosen to use their personal devices for work-related communications (as politicians in both the US and UK have done in recent times), possibly to conceal those communications from the official record.  As masters of their own procedure, I would expect employment tribunals to make similar orders in similar circumstances, albeit that (like the courts) ETs could also make orders for specific disclosure directly against third parties where the specified documents or information may well assist or adversely affect the case of any party.

The Information Commissioner’s Office (ICO) has also been busy this year, with a number of initiatives and decisions that touch directly on the employment relationship.

The current version of the Employment Practices Code was published in 2011 and its supplementary guidance dated back to June 2005, both based on the pre-GDPR Data Protection Act 1998.  In August 2021, the ICO opened a consultation exercise (closing on 21 October 2021) on updating its guidance “to make sure that our new guidance addresses the changes in data protection law, reflects the changes in the way employers use technology and interact with staff and meets the needs of the people who use our guidance products”.  The ICO’s response to the consultation exercise will be handled by the new commissioner who starts in the role on 1 November 2021.  Until any new Code or other guidance is issued, employers should still have regard to the current versions when processing employee data.

In the meantime, the ICO’s updated statutory data sharing code of practice came into force on 5 October 2021.  It emphasises that employers “should avoid relying on consent” as the lawful basis for processing, because employees do not tend to have a genuine choice in how their employer processes their personal data.  However, if relying on the employment condition for processing, the Code reminds employers to have in place “a short document outlining your compliance measures and retention policies for special category data”.

Finally, the ICO issued an enforcement notice in March 2021 to a recruitment agency which had refused to respond to a DSAR from a claimant who was bringing employment tribunal (ET) proceedings against it.  The company falsely told the ICO that it had been instructed by the ET that it didn’t need to respond to the DSAR and that documents would only be provided at the time when it was required to exchange documents in the ET proceedings.  However, the claimant forwarded to the ICO a letter from the ET which stated “the Tribunal has no jurisdiction to deal with matters relating to data protection requests”.  Because the company had wilfully misled the ICO, failed to respond to the DSAR (for over eight months) and breached the accountability principle by failing to demonstrate compliance with its data protection obligations, the ICO decided that it was appropriate to issue the notice and gave the company a deadline of one month in which to respond to the DSAR, failing which it might be liable for a penalty of “up to £17,500,000 or 4% of an undertaking's total annual worldwide turnover whichever is the higher”.

All employers should remember that the requirement to respond to DSARs is wholly separate from the issue of disclosure in ET proceedings and DSARs should be dealt with in a timely manner irrespective of the existence or otherwise of such proceedings.

Please contact the team at Synchrony Law if you require any assistance with responding to DSARs or dealing with data protection issues generally.

11 October 2021

Written by Andrew Knorpel

This article is for general information only and does not constitute legal or professional advice. Please note that the law may have changed since this article was published.

 

 
