A former employee has requested e-mail correspondence which contains information about her. Do we have to respond to a request from someone who is no longer an employee? If so, there are thousands of e-mails that might contain details which relate to her. Can we take the position that we will not respond to her request because it is too onerous or could we charge her for the work we need to do on responding to her?
Lindsay Gibson writes:
Firstly, any individual can make a Data Subject Access Request (a “DSAR”) to an organisation which processes their personal data. So despite the former employee no longer being employed by your organisation, she still has the right to make a DSAR.
The only fee that can be charged for complying with a DSAR is £10. The person making the DSAR is not obliged to make any other payment in respect of the time taken to put together the response to the DSAR, nor any other expense relating to such a response.
I would draw your attention to the strength of an individual’s rights in respect of DSARs under the Data Protection Act 1998. In particular, it is expected by the Information Commissioner’s Office (the “ICO”) that organisations in receipt of a DSAR make extensive efforts to find and retrieve the requested information. The right of subject access to personal data is “fundamental” to data protection. It will never be reasonable to deny access to requested information merely because responding to a request may be labour intensive or inconvenient.
That said, if the DSAR is made on extremely broad and general terms, then it may be reasonable for you to revert back to the former employee and ask her to narrow the ambit of her request. You might want to point out to the ex-employee that the breadth of her request has meant that undertaking a search and identifying the personal data is particularly onerous and unreasonable, especially if you are a small organisation in terms of manpower.
Perhaps the former employee could provide additional search terms to be used to assist in this respect and/or narrow down potential recipients and senders? However, if the former employee refuses to narrow her request, you may well still need to comply with her original DSAR in full.
When you are undertaking your review of the e-mail correspondence, you should bear in mind what exactly constitutes “personal data”. This definition is not straightforward. However, examples of “personal data” in respect of e-mails sent in the employment context could include:
- Comments made in an e-mail about the former employee, or opinions expressed about her or her work;
- Performance reviews attached to e-mails;
- Internal discussions about the former employee’s salary; and
- Evidence that the former employee attended a meeting or had a discussion with a colleague.
Even if the former employee is not mentioned by name (e.g. her job title is used), if it is possible to identify her from the information in the e-mail, the information will constitute “personal data” for the purposes of her DSAR.
As a note of caution, if you can identify third parties from the e-mail correspondence, or if the e-mail correspondence contains confidential information, we recommend that you take specific legal advice on your obligations to disclose such information to the ex-employee.
If the former employee considers that there has been a failure by you to comply with her DSAR, she could make a complaint to the ICO. In this case, the ICO could instigate a compliance assessment to ascertain whether there were failures on your part to comply with your obligations in this respect. If failures are identified, then the ICO could order you to comply with the Data Protection Act 1998, provide the information requested and could also serve an enforcement notice on the company to that end.
Failure to comply with an enforcement notice is a criminal offence. The ICO can also impose a fine on an organisation for a serious breach of the Data Protection Act 1998, where such a breach is likely to cause substantial damage or distress.
In addition, if you fail to comply with a DSAR, the former employee could apply for a court order, ordering your organisation to so comply. In addition, if she suffered damage due to a breach of the Data Protection Act 1998, including by way of a failure to comply with a DSAR, then she could claim compensation for the damage suffered through the courts.