It's not uncommon for employees to make a subject access request to their employer when in dispute with their employer, be it facing disciplinary proceedings or pursuing a claim. Whilst the primary purpose of a subject access request is for an individual to access their personal data, they're often used as a strategic tactic to gain early insight into an employer’s position.
Although subject access requests are often used tactically in the course of employment proceedings, it's important to note that they are a separate process governed by separate rules and it's crucial to ensure that they are dealt with properly. Failure to do so may result in potential sanctions from the Information Commissioner's Office. For further details on how to deal with a subject access request, see our useful guide here.
The focus of this article is to address some of the nuances specific to subject access requests, when made in the context of employment proceedings.
Employees often use subject access requests to gain access to potentially useful documentation prior to any formal employment proceedings being commenced. This may include HR records, disciplinary notes, investigations records, witness statements, emails and internal communications. Unlike disclosure in the employment tribunal, which takes place after proceedings have been commenced, subject access requests can be made at any time, potentially giving employees an advantage in initiating potential settlement discussions.
However, subject access requests are not a substitute for formal disclosure - they are limited to personal data only and cannot be used to access third party information. They can, however, be far wider in scope than disclosure in legal proceedings. As well as giving an employee early access to information, they can be extremely burdensome. Furthermore, disclosure still has to be carried out in the legal proceedings.
The primary purpose of a subject access request is to allow individuals to access information about what personal data is held by an organisation, how their data is processed and who their data might be shared with. Although subject access requests are 'purpose blind', the courts are increasingly looking at the context in which a subject access request is made.
In the Harrison v Cameron case decision, the court acknowledged that subject access requests have a 'specific and limited purpose, which is to enable a person to check whether a data controller’s processing of his or her personal data unlawfully infringes privacy rights and, if so, to take such steps as the data protection law provides'.
There are some limited situations where an employer may be able to refuse to comply with a subject access request, such as where the request is ‘manifestly unfounded’ or ‘excessive’. This will usually only apply in certain circumstances, for example where the individual is making repeated requests on a regular basis to cause disruption, where the request is targeting a particular employee against whom they have a grudge, or where its purpose is to extract a higher settlement. You can find further information on refusing to respond to a vexatious subject access request here.
Employers will often hold individual’s personal data mixed with third party data, such as investigation notes or witness interviews with other employees. In such cases, employers will need to carefully reconcile the employee’s right of access against the third party’s rights in respect of their own personal data to ensure that the third party’s rights are not infringed.
The Harrison v Cameron case decision clarified how data controllers should balance the rights of third parties against the rights of the individual to access information on third party recipients to whom their personal data has been shared. Disclosure of certain personal data may be refused, or redacted, in cases where it would infringe on the rights of third parties, especially in circumstances where the third parties have not consented to the release of their personal data - the ‘rights of others’ exemption. This will be particularly relevant when carrying out internal investigations and conducting interviews with other employees.
The case also confirmed that individuals are entitled to know the actual entities of recipients of their personal data, not just categories. This includes internal recipients, such as other employees, unless a valid exemption applies. Although this appears to conflict with the ‘rights of others’ exemption, the court confirmed that ultimately data controllers have a wide margin of discretion and that they must carry out a careful balancing exercise between the two competing interests. In such cases, it's advisable to document any decisions made in this regard, along with the reasons for deciding to provide, or to refuse, certain data.
For more information on the Harrison v Cameron case decision, and the careful balancing exercise which should be undertaken, you can read our article here.
There are two types of legal professional privilege; litigation privilege and legal advice privilege. Personal data which is covered by one of these types of privilege will be exempt from disclosure under the subject access request.
Litigation privilege applies to documents created at a time when litigation is reasonably contemplated and the dominant purpose of the document is for the purposes of the litigation. Documents created as a result of internal investigations may be covered in these circumstances, but only where they are prepared for the dominant purpose of the litigation.
Whether or not the legal advice privilege exemption applies can be more difficult to assess. Legal advice privilege applies to communications between a client and professional legal adviser where the purpose is to seek or obtain legal advice. This exemption may be particularly relevant where an employer carries out an internal investigation or initiates disciplinary action against an employee, as legal advice is often sought at this stage.
However, purely factual investigations such as obtaining witness evidence, even if carried out by a legal advisor, would not constitute legal advice and therefore privilege would not apply. It's also important to note that communications with HR consultants or independent investigators will likely not be covered by legal advice privilege as they are not legal advisors – all correspondence and documents prepared as a part of such investigations would therefore be disclosable.
It's important that employers carefully assess the need to ensure that privilege applies to any investigation, failing which there is a real risk information could be disclosable.
Another potential exemption from disclosure is the ‘negotiations’ exemption. Under the UK General Data Protection Regulation, personal data that records an organisation’s intentions in negotiations with an individual may be exempt from disclosure, if providing it to the individual would prejudice those negotiations.
This is particularly relevant in the context of employment proceedings, where there may be ongoing settlement discussions with the individual, or redundancy planning.
However, this applicability of this exemption is narrow, it does not apply to all data in respect of negotiations, and it should be applied on a case-by-case basis. It's important to note that once negotiations have concluded, and there is therefore likely to be no prejudice caused, the exemption may cease to apply and the data may be disclosable. It's always advisable to seek legal advice on whether or not there may any applicable exemptions.
If you have any questions about responding to a subject access request in the course of employment proceedings, please do not hesitate to get in contact with our data protection team.