Karen Holden from A City Law Firm gives the lowdown on data protection and DSARs, and the implications for employers.
Did you know that a potential candidate can use GDPR to gain access to their interview notes? This is not a new entitlement, but more people are aware of their rights and fewer businesses are prepared.
The introduction of more and more technology into everyday life is going to see a huge increase in data subject access requests (DSARs). Gathering this data and responding to a DSAR can be a lengthy process – it’s important for businesses to know the law and have the necessary processes in place.
A person’s right to make a DSAR is a protection enshrined in the General Data Protection Regulation (GDPR). It is a fundamental right under the Charter of Fundamental Rights of the European Union (2012/C 326/02) enacted by the Council of Europe of which the UK is still currently a member. Article 8(2) says that “everyone has the right of access to data” which is collected about them.
Responding to a DSAR can be time-consuming. Businesses are therefore advised to have efficient internal procedures in place for dealing with requests, mirroring their Privacy and Data Protection Policies. This policy should:
– be circulated to all staff
– include key contacts who can assist in dealing with the DSAR
– be concise and achievable.
Remember, the deadline for dealing with a DSAR is normally one month. You must act quickly to ensure this deadline can be met.
It is important to understand what information is being asked for. Do not be afraid to converse with those issuing the DSAR. Consider what data they are actually entitled to, as it’s not as simple as ‘everything’. The general consensus is that you should try to find as much information as possible in line with the request, but you do not have to employ any unreasonable methods in your search.
It is paramount that the privacy of third-party data is protected when responding to a DSAR. Generally, such data should be redacted or removed unless the third party has provided their consent to disclose the data, or where the employer determines that it would be reasonable to disclose the data without consent. If you believe a breach has occurred, make a report to the ICO as soon as possible to aid in rectifying the breach and protecting yourself.
If the person issuing the DSAR does not believe you have complied with your obligation, they can either apply to the court for a compliance order or make a complaint to the ICO. If this happens, it is useful to have a well-documented record of what you looked for and why, including your reasons for anything you did not do.
Ultimately, it is advisable to destroy interview notes if you are not going to hire that person. You should do so in compliance with your policy – be it on a daily, weekly or monthly basis. Restricting how long you hold this data will help reduce your workload when requests are made. Retaining data for too long may also be a breach in itself. So as a general rule of thumb, it’s always best to dispose of any unnecessary data earlier rather than later.
Data protection is an extremely important and vast area of the law that is updated regularly and may change more after Brexit – try to keep up to date with the latest developments and think ahead. Businesses should have clear policies and guidelines. If necessary, arrange training and monitoring, and appoint someone to oversee data gathering, destruction and disclosure.