The art of redacting – what employers need to do

What matters

What matters next

In the final part of our mini-series in dealing with DSARs, we look at the process of redacting when responding to a DSAR, and in particular, what information should be provided to an employee who has submitted a DSAR.

Employees are increasingly seeking to raise DSARs within an employment context and in particular ahead of instigating legal proceedings. Responding to a DSAR can be a challenging, costly, and often time-consuming process. This is especially the case during the course of the employment relationship, where data can often go back over a number of years and may contain data which belongs to other individuals. One of the biggest challenges relates to redacting and what should be disclosed to an employee in response to the DSAR.

The starting point is that an employee is entitled to a copy of their personal data held by their employer. This would cover any information held by the employer and which identifies the employee and could include information contained in the HR personnel files or internal communications and emails where the employee is identified. However, often information may contain third party personal data which does not relate to the employee who has made the DSAR or could include confidential information or legally privileged advice. In addition, employers have to determine if it is appropriate to only disclose the employee’s personal data, which is more time consuming or to take an approach of simply disclosing ‘business as usual’ communications such as unredacted emails which the employee has already received during the course of the relationship. Employers therefore need to ensure that when responding to the DSAR, they communicate as much of the personal data as possible without disclosing the third party’s identity. 

Responding to a DSAR without disclosing third party data can be achieved by redacting relevant documents. Under the Data Protection Act 2018 (DPA), there are no specific rules regarding the process of redacting data which is not the personal data of the data subject employee with employers adopting various approaches in different scenarios. The DPA 2018 explains that a data processor does not have to comply with a DSAR if doing so means disclosing information which identifies someone else, except where: 

  • they consent to the disclosure; or
  • it is reasonable to comply with the request without that person’s consent.

The ICO notes that this decision involves balancing the data subject’s right of access against the other individual’s rights relating to their own personal data. If the other person consents to the disclosure, it is unreasonable not to do so. However, if there is no such consent, the employer must decide whether to disclose the information anyway. In determining this, the employer should also consider the practicality and costs involved in obtaining consent and the third party’s level of seniority within the third party business. For example, it may be reasonable to disclose information where the other individual’s role includes line management responsibility of the data subject employee, and the information relates to their performance in that role. In contrast, if there is an allegation of sexual harassment, given the seriousness of the allegation, an employer will need to carefully weigh up the duty of confidentiality against the circumstances and potential consequences if the complainant could be identified.  

Responding to a DSAR

So what should employers be considering when preparing the response to a DSAR and the redaction exercise? 

Redaction will often be necessary to protect the privacy of third parties or to prevent the disclosure of sensitive information. There are a number of steps employers should consider when considering the redaction exercise: 

Identify non-relevant information

Identify any information that does not relate to the individual who made the request. This could include sensitive internal documents and personal information about other people.

Redact non-relevant information

Remove any information that does not relate to the individual. For example, an individual requests information relating to pay awards within their company. Any personal data belonging to other employees would need to be redacted and only information by the individual who submitted the DSAR should be disclosed. 

Use redaction tools

For physical records, you can cross out, or redact, the offending data with a black marker pen. For digital files, software programmes will often have an option to mark text for redaction. If the software does not have such a tool, the employer should create copies of the document and then manually remove non-relevant information.

Consider context

A key consideration is the context around the personal data which is being processed and which may subsequently need to be disclosed as part of the DSAR.  What needs redacting will vary depending on the situation. An important part of the DSAR process is communicating the context for which the personal data is being used. If there is supporting information that makes this clear, it might be advisable to retain it. 

Ensure compliance

Redaction should be performed and overseen by someone who is knowledgeable about the records and the statutory exemptions available, and who can determine what material should or should not be redacted.

 

One of the common themes in responding to a DSAR is whether the employer needs to disclose emails which the individual was copied into. The ICO’s guidance on subject access requests, highlights the complexity of handling personal data in emails. In particular, it notes that individuals are only entitled to their own personal information within an email or email chain. The fact that an email pertains to a business matter does not negate the presence of the requester’s personal information. Simply because the requester received the email does not mean all its content is their personal information. Whilst the guidance does not directly provide an answer on this, it underscores the need for a case-by-case review of emails containing the requester’s personal data, considering both the email’s content and the context of the information it contains.

The ICO appears to discourage employers from adopting a ‘blanket’ policy of disclosing or withholding all emails previously received by or copied to the data subject. Instead, a nuanced approach is recommended, tailored to the specifics of each case.

Employers will need to be able to justify and keep a record of their course of action and reasoning behind their decisions. As such, it is advisable to keep a record of each decision when responding to a DSAR. Employers should also consider that the obligations to provide personal data in response to a DSAR is separate from and differs from the duty of disclosure in the context of litigation proceedings. 

Disclaimer

This information is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances. © Shoosmiths LLP 2024.

 


Insights

Read the latest articles and commentary from Shoosmiths or you can explore our full insights library.