HR’s role in managing employee DSARs

If you haven’t heard of data subject access rights (or DSARs) before, you wouldn’t be the only HR professional to find themselves out of the loop.

Data privacy regulations are a relatively new phenomenon, and they aren’t written with the laymen in mind. Even if you were familiar with what DSARs are, you might be under the impression that they were handled by your organization’s legal counsel, compliance professionals, or maybe even the IT department.

That may be true for certain DSAR requests. But if an employee makes a DSAR request, odds are the buck is going to stop at HR.

Let’s break down all the information that HR needs to know about employee DSARs to ensure you keep your organization in compliance and away from penalties and fines.

What HR professionals need to know about employee DSARs

Typically, DSARs are about gaining access to the data subject’s (i.e., the requestor’s) data that you have on file. However, data subjects also have the right to object to certain types of data collection or processing, request corrections, request deletions, and more. While consumer DSARs are common to all data privacy regulations, employees are only able to request DSARs in the EU, UK, Canada, and California, thanks to the GDPR, PIPEDA, and CPRA regulations.

Since HR professionals tend to have the greatest insight into what employee data is being collected and where that data lives, the burden of completing an employee DSAR often falls in their lap. In order to respond effectively, HR professionals need to keep in mind the unique factors at play when executing an employee DSAR request.

When you’re most likely to encounter employee DSAR requests

While employees may make DSAR requests at any time, there are three events that have a high likelihood of triggering a DSAR request:

1. Disciplinary action
2. Termination
3. Promotions

If an employee is reprimanded or fired, they’ll obviously want to know why. If they’re not satisfied with the answer they receive, they may make a DSAR request in the hopes of uncovering additional information — possibly in support of legal action.

However, it might not be immediately obvious as to how a promotion could trigger a DSAR request. Typically, it isn’t the recipient of a promotion that makes a DSAR request, but rather somebody who feels as though they’ve been passed over for that promotion. This is likely a less common triggering event compared to disciplinary action or termination, but it’s still something that HR professionals should be cognizant of.

How to handle “fishing expeditions” and vexatious requests

As mentioned above, DSAR requests can be used as a method for gathering information to support a lawsuit. Sometimes, disgruntled employees and their legal counsel will go digging for something that they can use in a lawsuit, which is referred to as a “fishing expedition.”

Or, they might not even care whether their DSAR surfaces any legally actionable information; they might just want to throw a monkey wrench into the works and cause trouble.

This isn’t just guesswork, either. DSARs have been used in this way in the EU and UK. Although the CPRA’s employee DSAR component is new to the US, the GDPR has allowed for employee DSARs since its inception.

If you suspect a DSAR is being made in hopes of dredging up some legally actionable information, there isn’t much you can or should do. Your employees or former employees still have their rights, and you’ll have to provide them with the relevant information they request (though properly redacted to protect privileged information and others’ personal information).

Vexatious requests, however, are another matter. Like the GDPR, the CPRA allows businesses to refuse DSARs that are “manifestly unfounded or excessive.” For the moment, the CPRA doesn’t have much specificity around what makes a DSAR unfounded or excessive, and businesses bear the burden of proving that the request is unfounded or excessive.

However, since the GDPR has been around a lot longer and has been dealing with these sorts of requests, we can look at what the UK’s Information Commissioner's Office (ICO) has to say to get a sense of what might be considered illegitimate DSARs under the CPRA.

The ICO states that a request may be manifestly unfounded if:

• The data subject explicitly states that they merely want to cause a disruption
• Make unsubstantiated accusations that are clearly prompted by malice
• Offers to withdraw their request in exchange for some benefit from the organization

Regarding manifestly excessive requests, the ICO states that businesses need to assess whether the request is proportionate compared to the effort involved. Businesses can do this by taking into account:

• The nature of the requested information
• Whether the request largely repeats a prior request without a reasonable period of time passing in between
• Whether it overlaps with other requests

These aren’t exhaustive lists, but they should serve as an example of the kind of criteria that might be reasonable when refusing a DSAR request.

What’s essential to remember is that you can’t refuse a DSAR request simply because you don’t have a process in place to handle them. A lack of a process may very well make it difficult and vexatious to handle a DSAR, but that will be on you and your organization — your employee will still be within their rights to make their request.

What information to exclude

If an employee makes a DSAR request, you have to provide them with the information within the scope of their request. What to include within that scope can be a fine line to tread, especially given the sensitive nature of the information that HR handles.

For example, if other employees’ data is included in a document that you share with an employee making a DSAR request, you’ll need to redact or anonymize that information.

You’ll also want to keep an eye out for any privileged information. If you consulted with an attorney over an employee for whatever reason and then that same employee makes a DSAR request, you don’t have to hand over your conversations with your attorney — those are protected under attorney-client privilege. In fact, if you were to share that information, it would void your attorney-client privilege.

Why it’s essential to have a process in place

Handling DSARs on a one-off basis is a recipe for disaster. Not only does it make it more likely that you’ll deviate from best practices, make errors, or include information that you shouldn’t, it also increases your legal risk.

If you have a documented process in place, you’ll be better able to prove that you made a good-faith effort to handle DSAR requests in case an employee isn’t satisfied with the information you provided. You’ll be able to prove that any DSAR refusals you make aren’t due to a lack of a process. And you’ll be able to demonstrate that certain information falls outside of a reasonable DSAR scope. All in all, you’ll be better positioned to defend your organization’s process and results in the event of legal action.

How HR can support employee DSAR requests

Keeping the above factors in mind, HR professionals can lay the foundation for a proactive employee DSAR process. Here are three key steps HR professionals should take when getting their organization DSAR-ready.

1. Map where your data lives

You won’t be able to quickly respond to an employee’s DSAR request if you don’t know the different data stores in use at your organization. A data mapping exercise will enable you to track down the different systems in your organization and identify what data they contain.

This will include elements of the HR software stack, like payroll systems, people enablement platforms, and recruiting software, but it may also include other internal and external systems as well. You’ll want to consult with other departments to see if they own any systems that hold an appreciable amount of employee data, (especially the Operations department). Additionally, make sure you take into account any data transfers you make to third parties.

2. Categorize that data

Knowing where employee data lives is important, but it’s also important to know what kind of data you’re working with. Employee DSAR requests might ask for everything, but they might also ask for specific categories of information. An employee might say, “I want to see all the data you have on my performance” — performance-related data could span several systems, such as your people enablement platform, email, or payroll system. Thus, it’s important to note down the categories of data you collect in your different systems.

3. Develop an employee data privacy policy

Your organization probably already has a consumer-facing privacy policy, but you could benefit from drafting an employee data privacy policy as well. In order to be compliant with the CPRA, you’ll already need to provide disclosures to your employees regarding:

• Sensitive personal information
• Retention periods
• Whether personal information or sensitive personal information is sold or shared
• A notice at collection that includes which categories of personal information will be collected and for what purpose
• And more

Delivering these disclosures in a privacy policy will not only be a convenient format, but the act of creating an employee privacy policy will also help clarify what you need to do with employee data in order to be compliant.

Uncertain about what comes next?

You wouldn’t be alone. Even privacy professionals struggle to establish efficient consumer DSAR processes, let alone employee DSARs.

Our DSAR 101 webinar can serve as an excellent next step for HR professionals looking to gain a better grasp of the DSAR process. As the GDPR matures and as new privacy regulations like the CPRA come into effect, more and more businesses will be confronted with DSAR requests for the first time. Without a plan or process in place, those requests can represent a major compliance risk. To learn how to manage DSAR requests in a sustainable, scalable way, access the webinar here.