Did you know that in the UK an employee (or ex-employee) can legally request copies of all emails, text messages, WhatsApp Chats, Teams, Slack, and any other form of electronic record that mentions them, even if the person mentioned was not copied into the message? Often, a Subject Access Request (SAR) is submitted specifically to gain access to what has been said about them.
And the scary bit – you have a legal obligation to comply with this request!
What is a Subject Access Request?
A SAR is a request made by, or on behalf of, an individual for the information which they are entitled to ask for under Article 15 of the UK GDPR. (ICO 2023).
This is a very complex piece of legislation; it is not immediately obvious what is captured as personal data, so it is important to read the ICO Guidance to fully understand this.
The following is a summary of some of the key issues that Line Managers should be aware of.
What is Personal Data?
Personal data only includes information relating to natural living persons who can be identified, or who are identifiable, directly from the information in question. Or who can be indirectly identified from that information in combination with other information.
According to the ICO - An individual is ‘identified’ or ‘identifiable’ if you can distinguish them from other individuals. A name is perhaps the most common means of identifying someone. However, whether any potential identifier actually identifies an individual depends on the context.
A combination of identifiers may be needed to identify an individual. The UK GDPR provides a non-exhaustive list of identifiers, including:
location data; and
an online identifier (such as IP addresses and cookies)
The ICO has published a comprehensive guide on what is personal information, this can be accessed here.
As well as obvious examples of personal data held by the business for employment purposes (name, address, age, etc), Line Managers should be aware that other disclosable data under a SAR might include:
Emails (or other forms of ‘chat/conversation’) that mention the person or the person is the subject of the content in the email and can be identified as the person from a description.
Management notes in a notebook (or other forms of casual record keeping) that pertain to the person, their conduct, performance, or other operational or behavioural issues.
Recorded conversations using modern technology to assist with e.g. note-taking and then the notes themselves
The key to understanding what might be disclosable is to understand the term ‘unstructured manual data’. Generally, to fall within the scope of a SAR, data is processed wholly or partly by automated means or is intended to form part of a ‘filing system’.
What is a filing system and manual unstructured data?
A filing system should be interpreted broadly, which is how emails (and other chat) records become part of the scope. Emails can be ‘searched’ by date or to include certain words (e.g. a name or other identifier). It would be difficult to argue this is not a structured filing system. WhatsApp and other electronic conversation systems are generally treated the same way.
Unstructured manual records are generally exempt unless they are stored in a more structured way that would not be expected to take much effort to retrieve. It is important to note, under GDPR, unstructured manual data is considered to be personal data if the employer is a public authority. The rules for public authorities are much more stringent.
According to the ICO:
“The UK GDPR places a high expectation on you to provide information in response to a SAR. You should make reasonable efforts to find and retrieve the requested information. However, you are not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information. To determine whether searches may be unreasonable or disproportionate, you must consider:
the circumstances of the request;
any difficulties involved in finding the information; and
the fundamental nature of the right of access.
The burden of proof is on you to be able to justify why a search is unreasonable or disproportionate.
Even where searching for certain information may be unreasonable or disproportionate […] you should also consider whether further information from the individual will help you find the information they have requested.
You should ensure that your information management systems are well-designed and maintained, so you can efficiently locate and extract requested information and, where necessary, redact third-party data”.
What do Subject Access Requests mean for Line Managers?
During normal day-to-day management of people, you are using and/or creating personal data about your staff (customers, etc). This means that the data you have in your possession may be ‘personal data’ within the meaning of the Data Protection Act 2018 and therefore may be disclosable under a Subject Access Request. You are lawfully obligated to supply all data under such a request.
When making notes about a member of staff, or discussing a member of staff with another employee over email, WhatsApp, etc, you should:
remain professional at all times
only ever disclose information that is necessary and that the person you are disclosing it to has a business need to receive that information
not use derogatory language
only ever use factual information and do not spread speculation, gossip, or unsubstantiated details
call out and stop others from doing any of the above
Can you delete records in case of or because of SAR?
Not if a request has already been made. It is important to understand that it is potentially a criminal offense if you do.
However, as part of your normal maintenance of records, if you have reflected after making a record, or discovered a record that you know to be inappropriate, these should be deleted/altered as part of normal housekeeping. E.g. you may have made a derogatory comment about somebody in your meeting notes, on reflection, you remove the derogatory comment and possibly replace it with something more factual before it is filed as a record. This is much more difficult to do if it is an email or other form of instant messaging as it is not wholly within your control and may be disclosed by another recipient leaving you vulnerable to challenge.
The best approach will always be to only ever communicate something that is appropriate, and you are confident you would not have a problem justifying if it was used as evidence against you in an Employment Tribunal.
Before you send or store anything, ask yourself the question – “Can I justify this to a judge?”
Employees and ex-employees can legally request copies of all electronic records that mention them, including emails, text messages, WhatsApp chats, Teams, and Slack conversations, even if they were not directly involved in those communications.
A Subject Access Request (SAR) is a request made by or on behalf of an individual to obtain information about themselves under Article 15 of the UK GDPR.
Personal data includes any information that directly or indirectly identifies an individual, such as names, identification numbers, location data, and online identifiers like IP addresses and cookies.
Line managers should be aware that unstructured manual data, like management notes in notebooks, may also fall under the scope of a SAR if it is stored in a structured way that can be easily retrieved.
Line managers have a legal obligation to comply with SARs, making reasonable efforts to find and retrieve the requested information while protecting third-party data as needed.
When making notes or discussing employees in emails or instant messages, line managers should be professional, use only necessary and factual information, avoid derogatory language, and prevent the spread of speculation or gossip.
Records should not be deleted once a SAR has been received, as doing so can potentially lead to criminal charges. However, regular maintenance and reflection on records are encouraged to ensure appropriateness and accuracy.