Data Subject Access Request during redundancy

Under GDPR, employees are entitled to request from their employer any data it holds about them.

My understanding is that this can include emails sent between other colleagues/management and any other form of communication used within the company. So for an employee facing potential redundancy, this could be used to check, for example, emails in which their redundancy was discussed and potentially as a means to check whether or not it is actually a genuine and fair redundancy.

My question is, how do you ensure the employer is fair and honest with the request and actually provides all the relevant data? How do you ensure they don't potentially delete any relevant data that they know could incriminate them, if for example the actual reason they wanted an employee to leave was not for the reason given for the potential redundancy and they know this was communicated in an email?

At my place, it is an HR department that deals with these requests, the same department that is involved with redundancies - the problem with this from my perspective is, having already been offered a settlement offer, it seems HR are quite keen to stick with their reasons and make as little effort as possible in offering suitable alternatives. I get the feeling it is a little pre-determined. If that is actually the case then how could I ensure they do provide the data I ask for considering they would have a reason to hide any info which suggested the redundancy wasn't fair?

Comments

  • [Deleted User]
    [Deleted User] Posts: 35,242 Forumite
    You don't.

    But if you suspect they haven't complied, then you could raise a complaint with the ICO.
  • kratosthegreat
    kratosthegreat Posts: 130 Forumite
    edited 28 May 2019 at 12:26PM
    You don't.

    But if you suspect they haven't complied, then you could raise a complaint with the ICO.

    Okay. That could be very difficult to prove then.

    I know you can ask them to provide the search terms they used in the request. I was just wondering if in addition there was a certain process you could follow to ensure you do get everything e.g. requesting they check servers/backups for deleted emails, requesting a copy/screenshot of the software they used for the search and the results etc. I'm sure there must be a way to ensure it is fair. Just not sure how.

    Could a data subject access request potentially be made to the provider of the company email?
  • [Deleted User]
    [Deleted User] Posts: 35,242 Forumite
    You make it to whoever the DPO is.
  • antrobus
    antrobus Posts: 17,386 Forumite
    Under GDPR, employees are entitled to request from their employer any data it holds about them.

    My understanding is that this can include emails sent between other colleagues/management and any other form of communication used within the company. So for an employee facing potential redundancy, this could be used to check, for example, emails in which their redundancy was discussed and potentially as a means to check whether or not it is actually a genuine and fair redundancy.

    ....

    If an employee files a “subject access request” – an email, fax or letter asking for their personal data – their employer will have 30 days to collate a cache of all the information stored about that person. This includes any email that refers to the worker, as well as performance reviews, job interviews, payroll records, absence records, disciplinary records, computer access logs, CCTV footage, and recordings of phone calls to, from or about the person.....

    ....There are some exceptions to the data that companies must hand over, including information relating to trade secrets, anything relating to current management issues such as restructuring or redundancies, any confidential communications with lawyers, health records, or personal data that is processed for purposes relating to criminal justice and taxation.


    https://www.theguardian.com/technology/2018/apr/23/europe-gdpr-data-law-employer-employee
  • kratosthegreat
    You make it to whoever the DPO is.

    Yeah I know I have already submitted it, but the DPO at our place only deals with customer accounts, that's why, as I said, it is HR that deals with employee requests, and that leaves the same issue in that it does not seem to be sufficiently independent from the Business.


    That's why I'm wondering if a request could be made to third party comms providers for things such as email. It's a long shot and unlikely, but if it is possible it would possibly mitigate the potential risk of relevant things being omitted.


    The process isn't particularly the issue, it's the general concept of Subject Access Requests and how they are fairly dealt with for employees, especially by smaller employers. There must be ways to ensure people can receive all the relevant data about them... I'm just not sure how
  • antrobus
    antrobus Posts: 17,386 Forumite
    Or read this;

    Exemptions
    The DPA18, contains a number of statutory exemptions upon which controllers can rely to avoid compliance with a request (in addition to the manifestly unfounded or excessive exemption in the GDPR itself). Many of these are highly specific and relate to public functions, national security and the prevention and detection of crime. One of the more controversial relates to personal data processed for the purpose of immigration control.

    Those exemptions more widely relevant in a commercial context include where the information:

    ....
    Consists of records of intentions in relation to negotiations between the employer and employee to the extent that compliance with the subject access request would be likely to prejudice the negotiations.


    https://globaldatahub.taylorwessing.com/article/sars-under-gdpr-ico-guidance-and-uk-exemptions
  • kratosthegreat
    kratosthegreat Posts: 130 Forumite
    edited 28 May 2019 at 1:25PM
    antrobus wrote: »
    If an employee files a “subject access request” – an email, fax or letter asking for their personal data – their employer will have 30 days to collate a cache of all the information stored about that person. This includes any email that refers to the worker, as well as performance reviews, job interviews, payroll records, absence records, disciplinary records, computer access logs, CCTV footage, and recordings of phone calls to, from or about the person.....

    ....There are some exceptions to the data that companies must hand over, including information relating to trade secrets, anything relating to current management issues such as restructuring or redundancies, any confidential communications with lawyers, health records, or personal data that is processed for purposes relating to criminal justice and taxation.



    https://www.theguardian.com/technology/2018/apr/23/europe-gdpr-data-law-employer-employee
    Yes but the exception regarding redundancies is if other people are involved in the redundancy/restructuring. If it is just a single redundancy then an individual is entitled to see any data around that
  • [Deleted User]
    [Deleted User] Posts: 35,242 Forumite
    That's why I'm wondering if a request could be made to third party comms providers for things such as email. It's a long shot and unlikely, but if it is possible it would possibly mitigate the potential risk of relevant things being omitted.

    If they're a controller, yes. If a processor, it would be done via the controller (your employer).
    There must be ways to ensure people can receive all the relevant data about them... I'm just not sure how
    That's because there isn't a way. You're reliant not only on good intentions, but on system integrity. And any decent sized company not using a single customer view, will struggle to guarantee they have everything.
  • kratosthegreat
    antrobus wrote: »
    Or read this;

    Exemptions
    The DPA18, contains a number of statutory exemptions upon which controllers can rely to avoid compliance with a request (in addition to the manifestly unfounded or excessive exemption in the GDPR itself). Many of these are highly specific and relate to public functions, national security and the prevention and detection of crime. One of the more controversial relates to personal data processed for the purpose of immigration control.

    Those exemptions more widely relevant in a commercial context include where the information:

    ....
    Consists of records of intentions in relation to negotiations between the employer and employee to the extent that compliance with the subject access request would be likely to prejudice the negotiations.


    https://globaldatahub.taylorwessing.com/article/sars-under-gdpr-ico-guidance-and-uk-exemptions
    Those negotiations are referring to "protected" or "without prejudice" negotiations such as the negotiating of a settlement offer; an individual can still see conversations about them if it is an individual redundancy.

    Appreciate everyone's help but there are some instances where personal experience and real legal advice trumps Google.

    The question isn't around what I am entitled to request and receive, it is around how I ensure it is complete and fair... that is the issue here.
  • kratosthegreat
    If they're a controller, yes. If a processor, it would be done via the controller (your employer).

    That's because there isn't a way. You're reliant not only on good intentions, but on system integrity. And any decent sized company not using a single customer view, will struggle to guarantee they have everything.

    Of course there is... especially when a company holds all data for 5 or 7 years before deleting.

    Again, it's more of a question of what questions to ask and what to make sure employers check, how they do it etc. I don't know the answer, a specialist solicitor might, but I don't have the funds currently, so was just checking on here.

    "Processor", "Controller", "DPO" are just semantics and every company has a different process, sometimes with interchangeable terms - how do you apply the above to a Plumber with 2 employees?

    The point is: I know I am entitled to receive all relevant data relating to myself (with certain exceptions) and I know there is a way to ensure the employer does it fairly and completely (if they don't and can't show they have the capability to - that is a data protection breach)

    My question then is still "how do I ensure my request is done fairly and completely"? It's more of a wording thing to ensure I cover all corners - do I request to see the system they have used, the search terms (already asked for), the items deleted and now on backup servers, items deleted within the last 5 months etc? Technology combined with Data Protection obligations means there is a way to ensure you do receive everything you ask for (as they say, once something is posted online, it is there forever).
This discussion has been closed.