How far can employers search for personal data to answer an access request? Can they check personal mobiles or laptops, or personal emails on a work device? Here we look at how far an employer can intrude on staff privacy in order to respect someone else's data protection rights.
In this series we have already looked at taking control of data subject access requests (DSARs) through data protection by design, and understanding when you can refuse to comply with a DSAR. When it comes to handling a DSAR from a member of staff, it can be hard to understand just how far an employer needs to go.
A DSAR can be made by any person whose personal data is being processed by an organisation subject to the General Data Protection Regulation. Broadly, this will concern any UK or EEA employer: it doesn’t matter where the staff member is based. It may also cover non-European employers in some circumstances.
The sender of a DSAR commonly asks for disclosure of all personal data that an employer processes about them. In this case, the employer’s basic duty extends to personal data of which they are a data controller. The scope is clear enough when it comes to work carried out on work devices. But what happens about work done using a personal device, or when personal information is kept on a work device? Does an employer need to extend their search to cover this additional material?
Work on personal devices
Employees who have access to personal data for work purposes are neither controllers nor processors: they act under the direct authority of their employer, the controller (see Article 29 of the UK GDPR, clarified in European guidance). The same can be true of personal data held for work purposes on a home device: the employer remains the controller even though the data sits on hardware it does not own.
This kind of analysis is familiar from Freedom of Information Act (FOIA) requests. For example, a recent First-tier Tribunal (FTT) case found that WhatsApp messages a government minister sent from a personal device were held on behalf of the government department, and were therefore disclosable.
According to guidance from the UK data protection regulator, the Information Commissioner’s Office (ICO), if an employer allows staff to hold personal data on a personal device or through a personal account for work purposes, the employer “may” be considered a controller of such personal data, depending on the purpose for which it holds the information, and its context. The relevant test for the ICO is a practical one: it does “not expect you to instruct staff to search their private emails, personal devices or private instant messaging applications […] unless you have a good reason to believe they are holding relevant personal data.”
Private use of work devices
For employers, the starting point is that their own IT systems will be under their control and potentially within the scope of a DSAR. However, even this is fraught with difficulty. The ICO notes in its guidance on workplace monitoring that it can be difficult to distinguish between “workplace” and “private” information. Employees may assume that a folder on their work PC’s hard drive, or an email folder they keep for personal use, “feels” private. The ICO also notes that employees have rights to privacy, for example under the Human Rights Act, so it may not be reasonable to rely on blanket policies which prohibit employees from using work devices for personal matters.
Certainly, in Europe the picture is further complicated by national guidance giving employees autonomy over “personal” emails held on employer systems, which may require deletion after an employee has left.
Controllers may be left wondering whether personal data in this kind of “private” employee situation falls outside the scope of the GDPR entirely under Article 2 (the exclusion for purely personal or household activity), or whether it is in scope but could benefit from a Data Protection Act exemption as mixed data, where the information also relates to other individuals.
What should employers do when it comes to private data in workplace DSARs?
Although legal positions can be difficult to navigate, there are some practical steps that employers can take to keep control of workplace DSARs.
Using home devices:
Prevention is better than cure - Where possible, all individuals providing services on an employer’s behalf (including, for example, non-executive directors and contractors) should be provided with company devices and email addresses.
Awareness - Where it is not possible to completely avoid the use of personal devices or accounts, then the relevant individuals should be explicitly informed through privacy notices and policies that the platforms may be searchable as part of future DSARs received.
BYOD policies - Putting in place a Bring Your Own Device policy to govern the use of personal devices, personal email and/or social media for work purposes will help focus minds on what is acceptable. Vintage ICO guidance is a good starting point when formulating a policy.
Finding the needle in the haystack - Maintaining an up-to-date inventory of potential data locations is key particularly where BYOD is permitted.
Using work devices:
Be reasonable – A pragmatic employer will allow reasonable personal use of work devices, but encourage staff to maintain strict separation, for example by keeping personal matters in separate folders and moving personal content off the work device to a home device regularly. This will also simplify the DSAR search process, because clearly separated personal material can be excluded from scope more easily.
Straight talking - A warning about the device remaining in the control of the employer and potentially subject to search for DSAR purposes will help discourage over-use of work devices for non-work purposes, and again make responses easier to manage.
Managing leavers
Whether home or work devices are involved, making sure a robust procedure kicks into action for departing personnel will substantially reduce the burden and risks that could arise from post-employment DSARs.
Work information should be retrieved from personal devices and then deleted from them, as a matter of good commercial practice as well as for data protection and security purposes. Leavers should be reminded in good time that their access to their private information on work devices will end when they leave, and that this information will be deleted on their departure, since there will likely be no lawful ground for the employer to retain it.
Getting help
In any of these situations, when it comes to searching private devices or private accounts, the scope must be carefully considered, and information reviewed and redacted to ensure only strictly disclosable material is released, after applying all applicable exemptions and balancing tests in respect of the privacy rights of others, especially of the device or account owner. These scoping and redaction exercises can be time consuming, difficult to resource, and require expert judgement calls to be made on edge cases.
Employers struggling with redaction, or indeed any part of the DSAR process, should consider the benefits of SmartSAR, an end-to-end DSAR solution provided by Shoosmiths.
Disclaimer
This information is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances. © Shoosmiths LLP 2024.