The Dreaded Data Subject Access Request (DSAR)
How to approach a DSAR without derailing your day job. A practical guide to managing employee data requests, scope limitations, and legal exemptions.

Just when you thought your inbox was safe, along comes the DSAR. Few phrases send a chill down an employer’s spine quite like “DSAR”. Whether it’s from a disgruntled current or ex-employee, or someone you’ve barely thought about since the Christmas party of 2021, a DSAR can feel like being asked to find Rebekah Vardy’s phone!

This article explores when it might be possible to limit a DSAR response, as well as considering other legal principles in this area.

Let’s face it, submitting a DSAR is a great way for an employee to let their employer know they feel they have been wronged! It’s unlikely a DSAR will come from an employee who doesn’t have a grievance, even if a formal grievance has not been submitted. From an employee relations perspective, the importance of considering the circumstances of the DSAR ties in closely with the employer ensuring they carefully manage the situation and employment breakdown risk. Even if an employer suspects an employee has made a request maliciously, failure to fairly and reasonably consider the overall context and/or clearly communicate the reasons for not responding to a DSAR, if that is the decision, could cause a further deterioration in employee relations. This could, in turn, exacerbate the risk of grievances or tribunal claims.

Responding to a DSAR is often painful, expensive and time-consuming. Optional? Definitely not. But understanding what’s required (and what’s not) can make the process a little more manageable. From a data protection perspective, an employer also wants to ensure their data governance complies with the data protection principles: data adequacy, data accuracy and the like. Sifting through emails, meeting notes, instant message platforms, and more, all to hand over the employee’s data, neatly packaged and on time, takes some doing, especially if an employer’s data management systems are in the dark ages.

It should be noted the employee’s right to make a DSAR does not give them the right to demand copies of any documentation or records that they fancy. It gives them a right to access their own personal data that their employer holds on them and to understand the legal bases for the employer holding and processing that information.

DSAR Déjà Vu: Didn’t We Already Hand This Over?

When responding to a DSAR during or following employment or civil litigation, employers must carefully balance their obligations under the DPA with the procedural context of legal proceedings.

A common and often contentious issue is whether an employer can resist a DSAR, or limit the scope of its response, where the information sought has already been disclosed during litigation.

Unfortunately, litigation disclosure is not a substitute for DSAR compliance. The two have different purposes:

  • Disclosure (under Employment Tribunal or Civil Procedure Rules) is about sharing relevant evidence.
  • DSARs give an employee access to their personal data, regardless of whether it’s relevant to the dispute. Therefore, employers must respond to DSARs even if the information has already been disclosed in a tribunal.

Can Employers Push Back?

An employer cannot automatically refuse to respond to a DSAR simply because litigation is ongoing or concluded, but there are circumstances where an employer can limit their response.

1. Overlap with Disclosed Documents

If the DSAR is effectively a “repeat order” for information already provided, an employer may argue it is manifestly excessive or duplicative under Article 12(5) of the DPA by referencing the previous disclosure—if it’s reasonable to do so and doesn’t obstruct an employee’s data rights.

This allows employers to:

  • Refuse the request outright, if they can do so without breaching an employee’s data rights.
  • Charge an employee a reasonable fee for administrative costs to provide the information—although be warned, charging an employee for reams of printouts is unlikely to be compliant with the Data Protection Act (DPA) if the employee has made the DSAR electronically. Data protection principles dictate the response to an electronic request should not be to produce excessive tangible copies of data.

The Catch?

You’ll need to prove it’s genuinely excessive—a high bar to clear. And perhaps it’s easier to provide the information (or give precise details about previous disclosures of the information) in order to comply with an employee’s data rights—especially if the employer wishes to manage the relationship with a disgruntled employee.

2. Legal Professional Privilege

Some documents are untouchable. This includes:

  • Confidential communications between employer and legal advisers
  • Documents created in contemplation of legal proceedings

These are protected by legal professional privilege and can be withheld under Schedule 2, Paragraph 19 of the DPA.

3. Litigation Exemptions under the DPA

The DPA also includes a broader "legal proceedings" exemption, which applies where disclosing the data would prejudice the conduct of legal proceedings. This can be invoked to withhold personal data if responding to the DSAR would undermine an employer’s position in current or future litigation.

This is not a get-out-of-jail-free card. The employer will need a solid, documented reason for withholding data under this exemption.

4. Other Information That May Be Excluded Under the DPA or Otherwise

  • Personal data concerning other employees
  • Employer’s confidential information, such as trade secrets and commercially sensitive information

5. Request Clarification or Narrowing Scope

If the DSAR is broad or unclear, particularly if it covers extensive material that has already been dealt with in litigation, employers can seek clarification from the employee to understand the scope of the request and locate the relevant data, by asking the employee to give:

  • Specific keywords used in emails or documents
  • Relevant date ranges
  • Specific projects or events the data relates to
  • Specific data types requested (e.g. emails, documents, etc.)

This pauses the one-month deadline for responding until clarification is received. But please note: an employee does not need to explain why they want the information, and if they refuse to do so, the clock will have to be restarted. An employer may extend the deadline for responding to a DSAR by up to two more months if the DSAR is not standard, for example, if there’s a grievance, tribunal case, or if there’s more than one DSAR. While this does not exempt an employer from responding, it is a legitimate way to manage excessive or overlapping requests.

Given that there are various exemptions that can be applied when considering what to include in response to a DSAR, in many cases a disgruntled employee who has made a DSAR in vexatious circumstances will be disappointed at the level of information they are entitled to receive in response.

Strategic Considerations

Employers are often tempted to treat DSARs as a nuisance, especially when they’re clearly tactical. But the ICO and tribunals don’t care about motive: a DSAR is valid regardless of why it’s made.

That said, an employer isn’t powerless. To stay in control, an employer team handling the DSAR should:

  • Ensure they check the back story with the relevant line manager and/or data protection officer to understand how to respond to the DSAR from a data protection perspective
  • Check if the employee already has the data (i.e. previous disclosures to the employee)
  • Assess whether the request is excessive or repetitive
  • Apply exemptions where appropriate (e.g. privilege, third-party data, ongoing investigations)
  • Keep detailed records of how the employer has handled the DSAR and any reasoning for any exemptions or reasons for not providing the requested data
  • Be prepared to give the employee anything that makes the employer look bad (e.g. a line manager’s unfortunate choice of words about the employee in an email, or giving a disgruntled employee who has failed probation raw notes about their ability to fulfil their role). While painful to read, it is still data.

Conclusion

An organisation that treats data protection as a business value will have robust technical and organisational measures that should make handling DSARs a breeze. Bottom line: a well-handled DSAR can save you time, stress, regulatory headaches, and even a claim in tribunal if the matter can be resolved via a well-handled DSAR response. A badly handled one? Cue the ICO knocking on your door, litigation, and a few bad company reviews.