Many organizations have suffered depleted staff levels through illness, furlough or redundancy, and meeting statutory SAR deadlines during this time is onerous. In these circumstances, it is common for Subject Access Requests to be submitted by aggrieved employees looking for information to support an employment tribunal claim. Nowadays, a vast amount of data concerning employees is accumulated during the course of employment, making the task of dealing with SARs laborious for HR departments. However, there are numerous ways that HR professionals can effectively deal with such requests.
eDiscovery is the procedure of identifying, collecting, and producing electronically stored information (such as emails and documents) in response to a request in a legal matter, such as litigation. eDiscovery document review technology is extremely useful when handling electronic information and the right software can help professionals discover valuable information regarding a matter whilst reducing costs, speeding up resolutions and mitigating risks. As such, it is perfect for managing Subject Access Requests.
HR professionals are bracing for a wave of fresh SARs when the furlough scheme draws to a close in October 2020. If you’re dealing with employee SARs and need to sift through e-mails, then you should consider how eDiscovery technology can help. De-duplicating identical copies of e-mail, removing unnecessary e-mail threads, masking third party e-mail addresses and signatures, and removing irrelevant attachments will streamline the overall process. Whilst you’ll still end up with documents to review and redact, eDiscovery tools will make that pile an awful lot smaller, save time and staff resource, and make the data easier to review.
Disclosure of confidential, sensitive, or personal information that is not related to the subject access request is a key concern for HR departments. It is paramount that accurate redactions are applied in this regard. Automated redaction software is specifically designed to identify and safeguard private information and can be used to quickly find sensitive data with certain patterns such as names, emails, National Insurance and credit card numbers.
Give yourself enough time to respond to a subject access request. Under the GDPR the time limit for responding to a SAR is one month, past which you will be in breach of the regulations unless an extension is applied for.
Do not delay the process. Action the request as soon as feasibly possible and have clear procedures in place. Depending on the length of the employee's service and how extensive the SAR is, there could be hundreds, even thousands, of documents that may need to be reviewed and redacted before being disclosed (this is where the eDiscovery technology mentioned previously comes into play).
Confirm exactly what the individual wants from the process. Many employees will raise a SAR because they want information relating to a specific issue during their employment. If this is not stated in the original request, then it is good practice to ask if the information they are seeking relates to a specific time frame or type of file such as emails. Having this information can significantly narrow the scope of information you will need to review.
Be prepared to search across all systems. Employers are expected to make extensive efforts to acquire all relevant personal data, so ensure you have processes set up across your systems to do this efficiently. This will include searching beyond the employee’s HR file through all electronic systems such as emails and databases where employee data is held.
Only disclose what the subject is entitled to. Data subjects are only entitled to their personal data and not personal data about third parties or non-personal data. Automated redaction tools are useful in this scenario as they can remove any sensitive information from material that also contains subject data.
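The pattern-based redaction described above, and the rule of disclosing only the subject's own data, can be sketched as follows. This is an added example, not code from any redaction product; the patterns are simplified assumptions and the names `redact`, `luhn_ok` and `SAMPLE` are hypothetical.

```python
import re

# Simplified patterns chosen for this example; real tools use broader rule sets.
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# UK National Insurance number shape: 2 prefix letters, 6 digits, suffix A-D.
NINO = re.compile(
    r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b", re.I)
# Candidate payment card: 13-19 digits, optionally separated by spaces or hyphens.
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits):
    """Luhn checksum, so reference numbers that only look like cards are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact(text, subject_emails=()):
    """Mask third-party identifiers but keep the data subject's own addresses."""
    keep = {e.lower() for e in subject_emails}
    counts = {"email": 0, "nino": 0, "card": 0}
    def email_sub(m):
        if m.group().lower() in keep:
            return m.group()
        counts["email"] += 1
        return "[REDACTED EMAIL]"
    def nino_sub(m):
        counts["nino"] += 1
        return "[REDACTED NI NUMBER]"
    def card_sub(m):
        if not luhn_ok(re.sub(r"\D", "", m.group())):
            return m.group()
        counts["card"] += 1
        return "[REDACTED CARD]"
    text = EMAIL.sub(email_sub, text)
    text = NINO.sub(nino_sub, text)
    text = CARD.sub(card_sub, text)
    return text, counts

# Constructed sample message; every name and number here is made up.
SAMPLE = ("From: jane.doe@example.com\nTo: sam.lee@example.com\n"
          "Sam's NI number is AB 12 34 56 C and the card on file is "
          "4111 1111 1111 1111. Order ref 1234 5678 9012 3456.\n")

REDACTED, TALLY = redact(SAMPLE, subject_emails=["jane.doe@example.com"])
```

Names have no fixed pattern, so they need a dictionary or entity-recognition step followed by human review; the returned counts give the reviewer a record of what was masked.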