Employee requests their 'personal data' under GDPR

[MisterMann]

Hi there. Bit of an interesting one. An employee who is leaving us has by email requested a copy of their "personal data" which is their right under the new GDPR, they tell me.

Fair enough, I have no argument with that. However, the request is not very specific. Unless they get specific I will have to take this as a request for everything.

This person has been employed by me for about 7 years. Under the GDPR what is classed as their "personal data" literally runs through thousands of documents and electronic records where the work they undertook has been logged, and thousands of emails. Now, all of this could be retrieved and redacted to remove confidential references, but it would take one administrator a very long time. I would consider this to be manifestly excessive and most of what they would get would be of no interest to them.

My initial response has been to acknowledge their request and ask if they wish to be more specific, pointing out that such a non-specific request would likely lead to them being charged the reasonable costs of carrying out the data collection exercise. I suggested to them that typically employees request copies of their personnel file, or sickness/absence records, or other such things. I invite them to be specific about what personal data they would like a copy of (surely no one is seriously asking for a copy of literally every record, redacted as necessary, with their name on it?).

The employee responded with concern that they did not expect to be charged a fee, and asked me what personal data would cost and what personal data would incur a fee.

Suddenly it becomes clear... the employee really has no idea what they are asking for, or the implications of being non-specific, under GDPR. They don't even know what data they want. They just want a copy of their "personal data". If they have some idea what they think that means they are not letting on.

So I respond by explaining that generally there would be no charge for responding to a data request, but that under GDPR a non-specific request for their "personal data" could include every job record they have ever worked on and every email they have ever sent. I explained it is likely that we would consider this manifestly excessive (too right, we'd have to redact most of it manually too). I again invited them to be specific giving examples of what employees typically find useful.

So... does this seem a reasonable approach that I am taking? What would you do?

 

[Awinner2]

I think (but I am no expert) that you have taken the right action so far. Wait and see if they can think what data they are entitled to. Then calculate the hours it will take one of your senior team to collate this and offer to provide it at £60 per hour, payable in advance?

 

[mattk]

You cannot charge a fee unless the request is "manifestly unfounded or excessive".

I think you'd struggle to argue that an employee who is leaving your company requesting a copy of the personal data you hold about them is "manifestly unfounded or excessive".

The only areas where I think you could argue that the request is excessive is if they asked for all emails or all CCTV which they were included in. All other personal data should be held in a format which is easily retrievable for a single employee.

It is your responsibility under GDPR to ensure you have processes in place to ensure that you respond to a subject access request without undue delay and within one month of receipt.

 

[SteveHa]

Job sheets and work related data are not personal data. Their personnel record is.

 

[Awinner2]

You cannot charge a fee unless the request is "manifestly unfounded or excessive".

I think you'd struggle to argue that an employee who is leaving your company requesting a copy of the personal data you hold about them is "manifestly unfounded or excessive".

The only areas where I think you could argue that the request is excessive is if they asked for all emails or all CCTV which they were included in. All other personal data should be held in a format which is easily retrievable for a single employee.

It is your responsibility under GDPR to ensure you have processes in place to ensure that you respond to a subject access request without undue delay and within one month of receipt.

But the first response is only to acknowledge receipt of the request, not that you have to provide the information within a month. but of course do not delay unreasonably. So it all depends on what data the employee decides they are actually requesting.

 

[NickGrogan]

No, you have to provide the data within 1 month, not just acknowledge the request.

Without undue delay and at latest within 1 month of receiving the
request.
The period may be extended by 2 months taking into account the complexity and number of the
requests.
You must inform the individual of any extension within 1 month of receiving the request, together with the reasons for the delay.

You can only charge where requests are manifestly unfounded or excessive, a reasonable fee is allowed taking into account the administrative costs involved.

An employee asking for information about themselves are unlikely to pass that test.

 

[MisterMann]

That would be common sense.

But my understanding is that under GDPR any data we hold that contains personally identifiable data, i.e. where the data is logged against a specific individual who can be identified, falls under the definition of "personal data". Hence me asking them to be more specific. Without being specific the scope covers everything we hold and would then be "manifestly excessive". Perhaps it depends on what the job sheet holds?

Job sheets and work related data are not personal data. Their personnel record is.

 

[MisterMann]

This is why I am asking. Personal data under GDPR could include every email they ever sent. But since we don't have to provide them with confidential business information then each email would need to be manually checked... and in doing that becomes "manifestly excessive". No?

You can only charge where requests are manifestly unfounded or excessive, a reasonable fee is allowed taking into account the administrative costs involved.

An employee asking for information about themselves are unlikely to pass that test.

 

[MisterMann]

And if the request is limited to their personnel file, statement of earnings, etc. then I would agree with you completely and in fact it is easily done and can be responded to well within one month. But we do hold a lot more data than is found in those files, for instance our job records hold data on performance and work completed, our email server holds every email they have ever sent, at which point I think it becomes "manifestly excessive".

You cannot charge a fee unless the request is "manifestly unfounded or excessive".

I think you'd struggle to argue that an employee who is leaving your company requesting a copy of the personal data you hold about them is "manifestly unfounded or excessive".

The only areas where I think you could argue that the request is excessive is if they asked for all emails or all CCTV which they were included in. All other personal data should be held in a format which is easily retrievable for a single employee.

It is your responsibility under GDPR to ensure you have processes in place to ensure that you respond to a subject access request without undue delay and within one month of receipt.

 

[MisterMann]

I suppose I am asking the question because where a non-specific request meets GDPR the scope is potentially huge, and in that hugeness I believe it becomes "manifestly excessive".

What constitutes personal data?
The GDPR’s definition of personal data is now also much broader than under the DPA. Article 4 states that “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)”. It adds that:

an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.​

(Luke Irwin, IT Governance blog)
​

Under such a broad definition I don't see how I can limit, on the requester's behalf, the scope to their 'personnel file', if they are asking for their "personal data". Their personnel file doesn't even cover a fraction of it under the definition above. Hence "excessive", unless they can be more specific about what data they want.

 

[DocsWizard]

This is currently many HR professionals' worst fear.

Yes they can ask and yes you need to provide. BUT it is totally reasonable to ask for specifics and we'd recommend that.

It is possible that someone is just asking because they can and not because they need or want it all or even half of it for any good reason. It happens!

I suggest you start by sending what is easy to send, such as the basic HR file info and ask if this is what they wanted to see. That might be the end of it.

 

[NickGrogan]

ICO says

"
The DPA 2018 says that you do not have to comply with the request if it would mean disclosing information about another individual who can be identified from that information, except if:

• the other individual has consented to the disclosure; or
• it is reasonable to comply with the request without that individual’s consent.

In determining whether it is reasonable to disclose the information, you must take into account all of the relevant circumstances, including:

• the type of information that you would disclose;
• any duty of confidentiality you owe to the other individual;
• any steps you have taken to seek consent from the other individual;
• whether the other individual is capable of giving consent; and
• any express refusal of consent by the other individual."

https://ico.org.uk/for-organisation...ation-gdpr/individual-rights/right-of-access/

So this is likely to cover all emails that are sent/received from any other company, as well as most inter-company emails.

Realistically this probably leaves emails between the person and HR that are about the person and don't mention anyone else, and possible between the person and their manager - if the manager agrees, which they may not.

Improved privacy works both ways.

 

[Kerry Tombs]

I have a similar question, an ex employee has submitted a subject access request and specifically asked to see emails between member of staff that reference him (specifically the reasons for him being let go). Surely this is not his personal data just because his name would have been used inthe emails?

Any advice much appreciated.

 

[NickGrogan]

See my post above..

or

"
Zadeh explains that it’s true that you can request access to your ‘personal data’ which your company keeps on you, that’s any data which relates to an identified or identifiable living individual. However, European case law clearly states that data such as emails your boss has sent about you is exempt from this.

“The reason behind this exemption is that those internal messages contain the personal thoughts of your boss. The right of access does not extend to all the personal messages, thoughts and ideas people have about you. So, based on the GDPR, you will not be able to access them,” says Zadeh."

https://thenextweb.com/eu/2018/05/03/no-gdpr-wont-let-you-read-your-bosss-emails-about-you/

in short, no its not personal data and he has no right to it.

 

[Kerry Tombs]

See my post above..

or

"
Zadeh explains that it’s true that you can request access to your ‘personal data’ which your company keeps on you, that’s any data which relates to an identified or identifiable living individual. However, European case law clearly states that data such as emails your boss has sent about you is exempt from this.

“The reason behind this exemption is that those internal messages contain the personal thoughts of your boss. The right of access does not extend to all the personal messages, thoughts and ideas people have about you. So, based on the GDPR, you will not be able to access them,” says Zadeh."


in short, no its not personal data and he has no right to it.[/QUOTE]

Hi Nick,

That's really useful thank you so much. Obviously pretty scary for a small company trying to do the right thing to have such a specific request.

Many Thanks for your help.
Kerry

 

[Kerry Tombs]

Nick, Sorry to ask but do you know if there is somewhere in the regulations or that the ICO states the above? Would be useful for a response to him. I'll keep searching and let you know if I find it.

Thanks,
Kerry

 

[NickGrogan]

Its in my post.

https://ico.org.uk/for-organisation...on-gdpr/individual-rights/right-of-access/#15

 

[Inva]

I'm not a legal expert, but i do not believe for example that an email sent with their name regarding a job on behalf of the company would qualify as "personal data".

"Hello X, we will start work on Monday,
John"
...this is not personal data