The Rise of Internal SARs from Staff and How it Affects HR Processes

Posted 2nd October 2024

This is a summary taken from Judicium’s Data Protection ‘Sofa Session’ from the 2nd of October, with our Data Protection Consultant Sam Hall and Employment Law and HR Advisory consultant Jenny Salero. This session covered common employment processes (such as grievance, disciplinary and absence management) and how subject access requests interlink and affect these, understanding data protection obligations when handling employee data in the course of the employment relationship, and tips to help protect staff data and establish underlying trust with your staff.

A Recap of Subject Access Requests Essentials

  • Recognising the request 
    • Request for personal data 
    • Do not need to say SAR (might say FOI, still valid) 
    • Can be written or verbal 
    • Can be submitted to anyone in the school (in practice, likely a staff member would submit to the office or data lead) 
    • Do not need to use a specific form (you can ask them to use one, but cannot require it) 
    • Contact DPO for advice if needed 
  • Acknowledge the request: 
    • Confirm the deadline (one calendar month from receipt) 
    • Request clarification (more on this below) 
    • Request ID / consent (unlikely to be needed in employment context) 
    • Form of authority? (solicitors' requests) 
    • If no clarification - reasonable searches 
    • Contact DPO for advice and template acknowledgment responses 
  • Final response: 
    • Explain any exemptions 
    • If complex, may be able to extend deadline up to additional 2 months, but only if it can be justified in accordance with guidance from the ICO.

Acknowledgement: Seeking Clarification 

  • It may be unclear what they are seeking. It is quite common for staff to have children at the school. If you receive a request from a member of staff and they have a child at the school, you may hold a lot of data on them as a parent and as a member of staff. If the member of staff makes a request for “all data” you hold, it may be difficult to know what they mean.  
  • If you do not hold a lot of data on them – e.g. because they are a new member of staff whose child has not been at the school for long – then you can request clarification, but if none is provided you should simply provide all records within one calendar month.  
  • If you hold a large amount of data – e.g. because both the member of staff and their child(ren) have been at the school for years – then you can seek clarification and ‘pause the clock’ while you are waiting for a response from the requestor. This is because searching through all records, without clarification, in these circumstances, would not fall within “reasonable searches”.  
    • The clock will only be paused from the date clarification is requested and for the number of days it takes the requestor to provide clarification. If clarification is provided on the same day it is requested, the deadline will not change.  
    • There may be other circumstances when it is reasonable to ‘pause the clock’ – this will depend on whether you hold a lot of data on the requestor and whether it is clear what they are seeking. Ask your DPO for advice whenever considering this.  
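The deadline arithmetic in the recap above (one calendar month from receipt, extendable by up to two further months where justified) and the 'pause the clock' rule for clarification can be worked through in code. The following Python is an added example written for these notes, not something Judicium provides. It assumes the ICO convention for counting a calendar month (the same day number in the following month, or the last day of that month if it is shorter); the function and parameter names are the example's own.

```python
import calendar
from datetime import date, timedelta
from typing import Optional

# Added example: calculating a SAR response deadline. The calendar-month
# rule implemented here (same day number next month, clamped to the last
# day of a shorter month) is an assumption about ICO practice, not a rule
# stated in the session notes.


def add_calendar_months(start: date, months: int) -> date:
    """Return `start` moved forward by `months` calendar months.

    31 January + 1 month becomes 28/29 February, because February has no 31st.
    """
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def sar_deadline(
    received: date,
    clarification_requested: Optional[date] = None,
    clarification_received: Optional[date] = None,
    extension_months: int = 0,
) -> date:
    """Deadline for responding to a SAR received on `received`.

    - Base deadline: one calendar month from receipt.
    - `extension_months`: 0, 1 or 2 additional months for a complex request
      (only where this can be justified under ICO guidance).
    - Clarification pause: if clarification was sought and the school holds
      enough data for the pause to be reasonable, the deadline moves back by
      the number of days the requestor took to reply. Same-day clarification
      leaves the deadline unchanged.
    """
    if not 0 <= extension_months <= 2:
        raise ValueError("extension may be at most two additional months")
    deadline = add_calendar_months(received, 1 + extension_months)

    if clarification_requested is not None:
        if clarification_received is None:
            raise ValueError("clock is still paused: no clarification received yet")
        if clarification_requested < received:
            raise ValueError("clarification cannot be requested before the SAR arrived")
        pause_days = (clarification_received - clarification_requested).days
        if pause_days < 0:
            raise ValueError("clarification received before it was requested")
        deadline += timedelta(days=pause_days)

    return deadline


if __name__ == "__main__":
    # Constructed dates, not from a real request.
    received = date(2024, 10, 2)
    print("Plain request:      ", sar_deadline(received))
    print("Same-day clarified: ", sar_deadline(received, date(2024, 10, 4), date(2024, 10, 4)))
    print("7-day pause:        ", sar_deadline(received, date(2024, 10, 4), date(2024, 10, 11)))
    print("Complex, +2 months: ", sar_deadline(received, extension_months=2))
```

Recording the dates used (receipt, date clarification was sought, date it arrived, and the justification for any extension) alongside the computed deadline is what lets the school show the ICO how the deadline was reached if the requestor complains.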

Early Considerations

  • Ongoing employment / HR grievances: 

    • Employment grievances or disciplinary procedures often lead to SARs from the individual concerned.  
    • A common question we are asked is “can we withhold data or delay the response until the hearing/process is over?” – the short answer is no. There are no special rules for SARs from staff members, including when there are ongoing grievances or HR processes. However, there may be some exemptions which are more likely to apply in these circumstances.  
    • “What about if the member of staff will get the information during the grievance procedure anyway?” There is no exemption stating information can be withheld on the basis that it will be provided later. However, if the requestor will be provided with the information within one calendar month of the request, it would be reasonable to refer them to this instead of providing duplicates. You must keep in mind a SAR may be broader than information provided in the employment process and disclosing to the requestor’s solicitor may not satisfy the requirement to provide them access to their data.  
  • Accessibility:

    • Various types of data the school holds on its employees may already be accessible to the requestor. If this is the case, you may not need to provide copies. Keep in mind if the member of staff is suspended, they may not have access. Also, if they request printed copies, confirming they have access to electronic copies may not be sufficient.  
  • NDA:

    • An NDA or settlement agreement cannot override an individual’s data rights. Any such clause is likely to be unenforceable.  
  • Confidentiality: 

    • It is important to consider whether there is a duty of confidentiality to the requestor. It may not be reasonable or appropriate to inform all staff about the SAR, particularly if it is for sensitive information or relates to a grievance or dismissal. It will usually be more appropriate to ask managers, heads of departments or IT support to conduct central searches or provide information on behalf of their departments, rather than asking all staff to search for data.  
    • If a request is made for “all documents relating to my case/grievance/dismissal” it will be important to consider what details can be provided to those collating the information. If necessary, it is best practice to discuss this with the data subject.  
  • Pseudonymisation and anonymisation: 

    • If you have used a pseudonym to refer to an employee or job applicant, such as a number or code, this does not prevent the information from being personal data and it will still need to be included in a SAR.  
    • It is only if you have anonymised the data, such that you can no longer link it to any identifiable living person, that you can exclude it as not personal data. This is unlikely to apply as you will usually need to be able to identify the employee/job applicant from your records.  

Possible Exemptions

Third Party Data: 

  • This is an exemption you will be familiar with if you regularly handle SARs within your school, so I will not go into too much detail.  
  • There are some things to consider when dealing with employee SARs: 
    • The school may hold a significant amount of data which the employee has generated in the course of their employment. This is likely to contain information about pupils or other staff.  
    • If the record is entirely about a third party, such as a CPOMS entry recording a disclosure that was made by a child, and the only part of the record that is within scope of the SAR is the requestor’s name, I would start by asking the requestor if these can be excluded as it is unlikely to be something they want or need.

Legal Professional Privilege: 

  • Advice privilege or Litigation privilege;
  • Communications with solicitor or barrister or documents prepared for the purpose of legal proceedings may be privileged. 
  • Does not apply to advice received from Judicium’s data services team. 

Management forecasting: 

  • This applies to information processed by the school for the purpose of management forecasting or planning about a business or other activity. If disclosure is likely to prejudice the conduct of the business or activity, then this exemption may apply.  
  • Example from ICO: 
    • The senior management of an organisation is planning a re-organisation. This is likely to involve making certain employees redundant, and this possibility is included in management plans. Before the plans are revealed to the workforce, an employee makes a subject access request. In responding to that request, the organisation does not have to reveal its plans to make him redundant if doing so would be likely to prejudice the conduct of the business (perhaps by causing staff unrest before the management’s plans are announced). 

Negotiations with the requestor: 

  • This exemption may be used if there is an ongoing HR or similar process and negotiations with the requestor are ongoing. It is necessary to demonstrate that disclosing personal information that is included in a record of your intentions in negotiations with the requestor could prejudice the investigation. It is very unlikely that this exemption can be used after negotiations have ended.  

Confidential references: 

  • An employee, or an unsuccessful job applicant, may submit a SAR for copies of employment references that have been sent or received by the school.  
  • Confidential employment references are exempt from disclosure. If in practice these references are not confidential, for example because you have previously been happy to share references, then you may not be able to rely on this exemption. If you treat references as confidential, it is a good idea to confirm this to staff, for example in a privacy notice or staff handbook.  

Crime: 

  • The school may hold information about a member of staff which relates to potential criminal offences. For example, there could have been an incident on site which is being investigated by the police for potential assault charges. This may then have led to the member of staff being dismissed and to them submitting a SAR.  
  • If disclosing information about a criminal investigation would prejudice that investigation, then an exemption to disclosure applies.  
  • It may be difficult for you to know whether disclosure would prejudice an investigation. It would be reasonable to take a cautious approach in these circumstances. It is also a good idea to check with the investigating officer.  

Do we have to tell the requestor we are exempting? 

  • Usually, yes. For example, if you have withheld a witness statement because it is third-party data and redactions would not be sufficient to protect the third party’s data rights, then it will almost certainly be appropriate to confirm this. However, if explaining the exemption would undermine the purpose of the exemption then it should not be explained. For example, if you have information shared with the police and disclosure would prejudice their investigation, then it would not be appropriate to explain this.  

Manifestly unfounded: 

  • The circumstances in which you can refuse a request as manifestly unfounded will be extremely rare. Essentially, it is necessary to show that the requestor does not actually want the information that they are asking for. For example, if you received a request which stated that they are only making it to waste your time and have no intention to pick the information up from the school, this would be manifestly unfounded – this type of request is obviously unlikely to be worded in that way.  
  • If a person genuinely wants to exercise their rights, even if they have other motives, the request is unlikely to be manifestly unfounded.  
  • ICO examples: 
    • An ex-employee who is in the process of settlement negotiations with the school issues a SAR and states that they will withdraw the SAR if an improved settlement offer is provided. The school can refuse this request as manifestly unfounded.  
    • A group of ex-employees all submit SARs at the same time. The school is aware that they are all part of a Facebook group and believe that they have been encouraged to submit the SARs to cause disruption. On this basis the school refuses all the SARs as manifestly unfounded. The ICO’s guidance states that this would not be appropriate, because the school would have failed to demonstrate that the purpose of the SARs is to cause disruption.  

Manifestly excessive: 

  • If you consider a request to be manifestly excessive, you may be able to refuse it. However, a request is not manifestly excessive just because someone requests a large amount of data. They still have a right to all their personal data that is held by the school.  
  • If you consider a request to be manifestly excessive, contact your DPO.  
  • ICO examples:  
    • An initial search of emails returns 3,000 results containing the requestor’s personal information. Rather than refusing this as manifestly excessive, the ICO recommend considering approaches such as seeking clarification from the requestor to narrow the search or providing the details in summary form. For example, there may be 1,000 emails which are all sent by the requestor in relation to school business and only include the requestor’s name, email address and signature – this could be confirmed in summary form.  
    • The school complies with a SAR by email, as requested. The requestor then asks the school to send a further copy in printed format and organised chronologically. As long as it was reasonable to provide electronic copies first, these were in a clear and intelligible format, and no new personal information has been generated since the first disclosure was made, the school can refuse this request as manifestly excessive.  

Types of data to consider 

Witness statements: 

  • If you have statements from witnesses to an incident involving the requestor, they are almost certainly going to be the personal data of both the requestor and the maker of the statement. The statement may also be personal data of others involved in the incident.  
  • If you can redact details to protect the identity of any third parties, then you should do so and disclose the statement. However, redactions will often not be enough to protect the identity of the witness. In those circumstances, the statement should be withheld unless you have consent to disclose it.  
  • Depending on the circumstances, it may be appropriate to discuss with the witness potential disclosures at the point the statement is taken. Their view on this can then be recorded and relied upon should a SAR be received.  

CCTV: 

  • If your school uses CCTV, the system will contain a lot of staff data. If a staff member requests ‘all data’ this would include CCTV. However, the school is only required to complete ‘reasonable searches’ for data. We would not consider it reasonable for the school to provide a copy of all CCTV of the member of staff. However, if the requestor asks for CCTV footage of a specific incident, or from a specific time, then the school would need to consider disclosing this.  
  • CCTV will often contain significant amounts of third-party data, including other staff, students and potentially parents or others. It is necessary for the school to protect this information while also complying with the SAR. The school’s CCTV system should have the capability to blur out third parties or edit the footage in some way that protects third-party data. If it does not, other options include inviting the requestor in to view the footage but not providing them with a copy (if they agree to this), or taking still images from the footage, blurring out third-party data and providing those instead of the footage.  

Emails that the staff member is copied into: 

  • The requestor only has a right to receive a copy of their personal data. Therefore, it is necessary to consider whether all of a document or email is the requestor’s personal data, or only part. This will depend on the content of the email and whether it is about the requestor.  
  • Just because the requestor received an email, does not mean it is their personal data. However, their name and email address are their personal data and this must be disclosed to them.  
  • In practice, if there are many emails which do not relate to the requestor but have been received by them, it is often easiest to set this out in a table explaining that there are X number of newsletters or business update emails for example which include only the requestor’s name and email address.  

Social Media: 

  • The school will be the Data Controller for this information. If the school shares, or holds, staff data on social media accounts, copies of this information should be disclosed.  
  • For example (from ICO): if the school has a Facebook page on which staff members can comment and communicate with each other, the school would need to provide copies of any comments which are by, or about, the requestor.  
  • Another example (adapted from ICO): a member of staff is sacked for posting inappropriate content on social media. The school became aware of this because a member of the public sent a copy of the post to the school and this was used as evidence in the disciplinary proceedings. The staff member then submits a SAR for the posts. Even though this information is not from a school account and the school was not the Data Controller when it was posted, the school will be required to disclose this in response to the SAR as the copy is held by the school for school related purposes.  

Whistleblowing reports: 

  • There is no explicit exemption for whistleblowing reports. However, exemptions such as crime or third-party data are likely to apply. It is also necessary to consider the whistleblower’s rights under the Public Interest Disclosure Act 1998, which provides a right to make a protected disclosure.  
  • This is unlikely to come up very often. If you do receive a request for a whistleblowing report, contact your DPO.  

Non-work-related personal data:  

  • Staff may have school issued devices on which they access personal accounts such as emails or WhatsApp. Therefore, some of this information may be held on school devices. However, your school should have a policy or procedure in place, such as a reasonable or acceptable use policy, which explains how staff can and cannot use devices for personal use. We recommend that this policy makes clear that personal accounts cannot be used for school/business purposes. If this is the case, then the school will not be the Data Controller of the information from personal accounts. Additionally, that information is likely to have been processed for personal and household use, meaning that it is not subject to data protection rules. Therefore, the school will not be required to provide this information, even if it contains the requestor’s personal data and is held on a school issued device.  

Top Tips

1. Retention Periods 

  • Reducing the amount of data the school holds is the best way to reduce time spent on all SARs. Deleting data you no longer need also ensures compliance with the ‘Data Minimisation’ and ‘Storage Limitation’ data protection principles.  
  • Emails are often one of the most time-consuming aspects of a SAR, particularly for employees. We recommend having emails automatically deleted after 2-3 years. This will significantly reduce the data held, particularly if the staff member has been employed at the school for a long time.  
  • Emails, or file storage systems, may also contain drafts of documents that have been circulated for approval or additions. These drafts are within scope of a SAR if they contain personal data. This can be difficult to deal with if the drafts contain information which did not end up being communicated to the requestor, such as a draft complaint outcome which takes a different view or approach to the one that was finally decided on. We recommend avoiding holding drafts like these, by having a central storage system (e.g. OneDrive) and sharing links to a shared document rather than creating new copies as an email attachment. However, if this is not possible you should ensure that draft documents are permanently deleted when no longer needed.  
  • NB: Emails or documents in the deleted folder or recycle bin are still held by the school and will be in scope for a SAR. To permanently delete them, clear out your deleted folder and recycle bin.

2. Reduce processing of personal data: 

  • The easiest way to reduce time spent on SARs is not to process personal data in the first place. Of course, you cannot avoid this completely. However, it is likely that the school processes more personal data than it needs to. 
  • For example, if discussing how to handle a complex complaint, is it necessary to refer to the specific complaint or employee? Or can you have a general discussion about handling these types of complaints without processing any of the individual’s personal data?
  • Does the information need to be communicated in writing, or would a call suffice? 

3. Keep it professional: 

  • It is very easy to treat emails and instant messaging systems such as Teams like a private conversation. However, it is important to remember that every message you send may be read by the person you are talking about. You cannot withhold an email or message just because disclosure would show unprofessional conduct or otherwise be damaging to the school. If you receive an unprofessional message, permanently delete it right away and ask the sender to do the same.  

4. Long email chains: 

  • There will be times where discussions between different members of staff or departments about a particular complaint or issue is necessary. You may not be able to avoid discussing personal details about the individual and this can lead to the school holding long email chains containing lots of personal data. When conducting searches, this will also lead to lots of duplicates which can be time consuming to remove. If this happens, it is worth considering whether the discussion and outcome can be summarised in a case note and then have everyone permanently delete the email chain.  

5. Reasonable searches: 

  • As mentioned earlier regarding searches for CCTV, the school is required to complete reasonable, rather than exhaustive, searches. What is reasonable will depend on the circumstances.  
  • It may not be reasonable to search for an employee’s initials if it will generate an unreasonable amount of irrelevant results, such as employees with initials that are EG, IF or IS. You should still attempt the search and record your reasons why it was not reasonable to sort through the results, as it may be necessary to explain this to the ICO if a complaint is made to them.  
  • Be transparent with the requestor about the searches that you consider to be reasonable, and those you do not, so that they have the opportunity to refine or narrow their request. 

6. SARs should not have any impact whatsoever on any HR process that's ongoing.

  • Regardless of whether you're working through a disciplinary, capability or sickness absence process, it should not be delayed or placed on hold pending the completion of a subject access request. 
  • A subject access request is something that would and should run alongside any HR process that is ongoing. It doesn't mean that we need to deviate from any set process or do anything differently from what we would ordinarily have been doing.

7. In order to run a fair HR process you need to be open and transparent.

  • In order for any HR process to be fair and in line with best practice (and presumably your policy), the employee should be in receipt of everything that they need in order to attend, fully understand and engage with the process, and to ensure that their representative can support them as far as possible.
  • For example, ahead of any disciplinary hearing the employee should have received a copy of the full investigation pack or investigation report, which should include a copy of the report itself, the statements collated during the course of the investigation, any copies of relevant evidence however that has been shared and copies of the related employment policies. There should not be any information that an individual is seeking from a subject access request that they should need in order to be able to attend a fair disciplinary process. All of this information should be shared with them well in advance of the hearing, within a reasonable time frame and in line with any deadlines set within your policy.
  • For a formal capability hearing the employee should have, in advance of the meeting, a copy of the policy, notes of previous meetings and agreed follow-up action, and copies of the evidence, data, information or feedback that has been used to highlight the poor performance and where the individual is falling short. This information should be shared in advance of that meeting, and it should not be something that is needed or required through a subject access request in order for a fair meeting to take place. 
  • The only exception to this could be a grievance meeting, where the individual has raised the complaint. In that instance the individual is coming to speak to you to tell you their concerns/complaints and you are hearing them for the first time, so there wouldn't be information sent in advance. 

8. Staff and unions will often use subject access requests as part of a fishing expedition to see if they can try to build a stronger or potentially successful case to bring a tribunal claim.

  • Many staff or trade unions think that if they submit a subject access request, they may uncover some sort of golden ticket e-mail or letter to provide them with a successful claim. For example, an e-mail saying ‘let's not promote this person because she's pregnant or because he's disabled.’ These types of emails are rare, but there's nothing you can do to prevent trade unions and staff seeking to ‘find’ these communications through subject access requests. 
    • Think carefully about what you put in writing, even in team chats or work-based Whatsapp groups or texts, where conversation or messages can be far more informal.

9. Tribunals

  • If the employee seeks to submit a claim to the employment tribunal for whatever reason, all parties have a duty to disclose to the tribunal any relevant documents.

Additional Info

Sofa Session Notes ‘A Guide to Subject Access Requests in 45 Minutes’

Sofa Session Notes ‘Tricky Subject Access Requests’

Sofa Session Notes ‘Data Implications of CCTV Usage’