
Get ready to health check your SAR process

The Government’s new Employment Rights Bill is expected to put further pressure on the employment tribunal system, and in turn, place additional pressure on an organisation’s subject access request (SAR) process. The Deputy Prime Minister has said that the proposed removal of the two-year qualifying period for unfair dismissal claims is expected to result in almost 9 million employees benefitting from protection from day one. SARs are often presented in relation to an employment dispute, and now is as good a time as any to health check your SAR process and ensure it is robust enough to handle a surge or increase in requests. 

A claim for unfair dismissal may begin with a grievance or a request for information or copies of personal data, even if the claim is unfounded or lacks merit. The motivations behind the SAR are not normally relevant, unless considered manifestly unfounded (and this can be a high bar to prove). Employers should expect to see some increase in SAR requests if the proposed changes come to fruition, although it remains to be seen whether, when and how the changes would be implemented or phased in.

In the meantime, taking steps to review and improve your SAR process will help your business to be more resilient and ‘ready’, which in turn will help to avoid unnecessary cost and risk. The turnaround time on subject access requests is short and organisations need to work fast to collate, review and redact the information requested, unless there are legitimate grounds to extend the time to respond. The ICO have put together a ‘self-audit’ checklist which contains helpful risk management benchmarks, but there are additional ways to make the process run smoothly.

Our top 10 tips to get your SAR process review off to a good start:

  1. Data hygiene – keep on top of data retention and disposal procedures and ensure that personal data collected moving forward is kept to a minimum. Unnecessary retention and collection of data magnifies the burden on data controllers in terms of time and cost of processing SARs and highlights unlawful processing activity. Once a SAR is received, the Data Protection Act 2018 prevents deletion and exclusion of personal data in scope of the request, even if it has been retained beyond its original expected retention period.
  2. SAR recognition – ensure SARs are recognised as early as possible. Training occurs periodically, although consider whether more frequent awareness raising initiatives are needed. A member of staff can make a SAR verbally, in writing, or on social media so it is important that your employee-facing colleagues can recognise a request and redirect it quickly. Good practice should also be feeding down to your data processors.
  3. Records management – consider improvements to the records management system to ensure that you can locate data quickly and dispose of it when you should.
  4. Communication channels – are your workforce using unofficial channels of communication for work purposes, or their own devices, such as WhatsApp accounts? Check the organisation’s acceptable use policies and raise awareness of how these should be followed. Personal instant chat accounts can inadvertently come into scope of a SAR resulting in complex considerations for employers and uncomfortable obligations for staff.
  5. Be prepared – ensure that policy and process content is up to date, and that relevant staff are aware of what they need to do, when and how. A documented paper trail demonstrating that practice (what happens on the ground) reflects policy and process (what happens on paper) can be invaluable in the event of ICO scrutiny.
  6. Manage expectations – employers cannot refuse to comply with a SAR, although you can signpost the requestor, before or at the time of the request, to the extent of your legal obligations. This can help to inform data subjects of what they are entitled to receive in response to a SAR and that they might only receive redacted copies of documents or extracts of information. Often organisations have secure portals or hubs where employees can readily access their own information, and this can help to provide some of the information that the requestor is seeking.
  7. Privacy policy – ensure your privacy policy is easy to follow, accessible and up to date. Signposting to a good privacy policy can help to meet the additional SAR requirements of Article 15 UK GDPR, if it contains all the essential elements. Get in touch with us if you need advice or assistance with privacy notice reviews or drafting - we’re here to help!
  8. Resources – consider whether you have enough resources within your organisation to manage a surge in SARs. For some organisations, managing just five SARs simultaneously could become untenable, whereas larger organisations may have dedicated, scalable teams or outsourced support. Consider whether your organisation has the resources to cope with an increase in SARs, and whether budget forecasting is needed.
  9. Plan B – the Data Protection Act and UK GDPR 2018 can be unforgiving when it comes to holiday cover, SAR backlog or surge management. Having Mills and Reeve on speed dial, including our advice and review and redactions service, could help you to plan around the unexpected – please do get in touch to discuss how we could set this up for you.
  10. Root cause analysis – if there is a track record of failing to recognise or respond to SARs on time, try to get down to the underlying reason why this is occurring. A systemic problem will be viewed less favourably by the ICO and just one complaint could trigger additional questions about the organisation’s overall process. The ‘root cause’ is often not immediately visible, and the time taken to investigate the true issues can mean the difference between fixing the problem and putting a plaster over it.

 


Contact

Michelle Castle

+441612348728
