REUTERS | Thomson Reuters

Data Protection Act 2018 and subject access requests: easier for employers to resist?

The Data Protection Act 2018 (DPA 2018) contains three provisions that allow an employer to resist subject access requests (SARs) from employees.

Confidential references become more confidential

The Data Protection Act 1998, under the heading “Confidential references given by the data controller”, stated that personal data were exempt from the right of access:

“if they consist of a reference given or to be given in confidence by the data controller for the purposes of … employment, or prospective … employment, of the data subject” (emphasis added) (paragraph 1, Schedule 7).

This meant that the exemption from subject access relating to a confidential employment reference could only be applied by the person giving the reference and not the recipient. This is why in the Information Commissioner’s advice, the recipient of an employment reference was told: “We explained that organisations are generally required to release references they have received about individuals, even if they are marked as confidential”.

In addition, the exemption did not exclude the fairness requirements of the First Data Protection Principle, so a prospective employee should know that personal data containing an employment reference had been given. This provision kicks in when an employer uses a referee, unknown to the prospective employee.

This is not the case with the equivalent exemption in the DPA 2018, which omits the phrase “given by the data controller” and states:

“The listed GDPR provisions do not apply to personal data consisting of a reference given (or to be given) in confidence for the purposes of … employment (or prospective … employment) of the data subject” (paragraph 24, Schedule 2).

As the “listed GDPR provisions” (in paragraph 18 of Schedule 2 to the DPA 2018) include the right to be informed (Articles 13 and 14 of the GDPR), the existence of any further confidential reference might not be transparent to the prospective employee.

In summary, the confidential reference exemption in the DPA 2018 now extends to:

  • The controller who receives the reference, who can now argue that he or she has been “given a confidential reference” and refuse access.
  • The right to be informed, so a prospective employee might be unaware of the fact that a confidential reference about him or her has been given or received.

Disciplinary investigations can be protected

One of the most difficult aspects in data protection occurs when an SAR is made in relation to personal data which contain personal information about another individual. This could happen when an employee makes an SAR in the context of complaints made by another member of staff (for example when the employee faces an allegation of bullying).

The DPA 2018 makes it easier to protect such personal data from the right of access because, when deciding whether it is reasonable to release the information concerning that other individual, account has to be taken of “the type of information that would be disclosed” (paragraph 16(3)(a), Part 3, Schedule 2). The inference is that information of a certain “type” should not be disclosed as part of an SAR.

We don’t know why this provision was introduced. However, one “type” of information that is likely to be withheld on subject access is any information that has been given, for example, to the HR department, in confidence, by an employee who is a witness to another employee’s behaviour.

Similarly, when HR is investigating a disciplinary matter, a “type” of information that could be withheld might be: “those personal data that would be premature to release until an investigation is complete”. This would protect an investigation until it had concluded.

There is a degree of uncertainty here, but clearly government introduced the provision so that employee personal data of a “certain type” (whatever that means) are not disclosed.

Manual interview notes are not subject to the right of access

Have you ever been to a meeting where someone has taken handwritten notes of what was said? Have the minutes of that meeting, subsequently circulated to attendees, been completely different to your recollections of the actual meeting?

The government has ensured there is no right of access to these handwritten notes if they comprise “manual unstructured personal data” as defined in the DPA 2018, where the content of the notes relates to employment matters.

In general, such manual unstructured processing of personal data is subject to the DPA 2018, but only if the controller is an “FOI public authority” and only for the right of access and correction. Thus, if a controller is a private body (that is, not an “FOI public authority”), then the processing of manual unstructured personal data is not subject to the DPA 2018 (section 21(2)).

However, this opened the prospect that public sector employees would have preferential subject access rights merely because their employer was an “FOI public authority”.

So, when constructing the DPA 2018, the government was faced with a political choice. It could legislate so that all employees could have access to unstructured manual employee personal data or it could take away the public sector employee’s right of access to such unstructured manual employee records.

Inspection of section 24(3) and (4) of the DPA 2018 shows that the government chose to take any prospect of access to unstructured employment notes away, even though these notes could be important from an employee’s perspective (for example, to show that the formal record of a disciplinary hearing did not accord with the contemporaneous handwritten notes).

On 18 December last year, the Prime Minister told the House of Commons that “we will maintain, and indeed enhance, workers’ rights”. However, when it comes to the data protection crunch, the evidence shows that the government is working in the opposite direction.

Amberhawk Dr Chris Pounder

One thought on “Data Protection Act 2018 and subject access requests: easier for employers to resist?”

  1. The undermining of the rights of employees in this way, leaving them potentially unable to defend themselves against accusation, fails the fairness test.

    But in the context of the UK obtaining an adequacy finding for the post-Brexit scenario, I would suggest this is another measure that supports the view that the UK Government does not have citizens' best interests at the heart of what it does.
