The DPO Centre, the UK’s leading experts on data protection and privacy management, has found that many organisations assign the role of data protection officer (DPO) to individuals who already hold a conflicting position within the organisation. Very often that role falls to the HR director or HR manager.
The Information Commissioner’s Office (ICO) has recently released a consultation document on right of access requests that are manifestly unfounded or excessive. It comes at a time when the number of Data Subject Access Requests (DSARs) received by UK organisations has been steadily increasing. The increase is likely due to several factors: the redundancies that followed the end of the furlough scheme, individuals unhappy with how local government and other public bodies handled their complaints and their data, and data subjects (i.e. the individuals whose personal data an organisation processes) simply becoming more aware of their rights and how to enforce them.
A DSAR is the means by which an individual exercises the right of access under the UK GDPR and the Data Protection Act 2018 (DPA 2018). It enables data subjects to find out what personal data an organisation holds about them and to obtain a copy of that data from the organisation in question.
The ICO’s draft guidance looks at how to deal with requests involving the personal data of data subjects and at the restrictions most likely to apply in practice when handling such requests. The ICO’s latest annual report revealed that nearly half of the complaints made to the Office related to subject access requests. (1)
For HR managers and directors who are also the named DPO, there is most likely a conflict of interest when a DSAR is received from an employee. The HR manager will usually oversee much of the employee’s data and files, and if the request was prompted by a workplace issue, the HR manager is likely to be the very person who handled that issue or conducted the internal investigation.
The ICO states that the role must be free from “conflict of interest and does not take any direct operational decisions about the manner and purposes of processing personal data within your organisation.” And yet DPOs in many companies find themselves with the dual role of also being directors of human resources.
HR directors should declare a conflict of interest whenever an employee submits a DSAR that the HR director would otherwise be responsible for overseeing. Appointing an independent DPO ensures that organisations do not fall foul of the conflict-of-interest requirement set by the ICO and the UK GDPR.
The ICO has also drafted detailed guidance explaining the rights individuals have when accessing their personal data and the obligations competent authorities and organisations have when fulfilling this right. Companies need to be aware of their responsibilities and, where a conflict of interest arises, be open and transparent about it and take the necessary steps to remove or mitigate the conflict.
“It is hard for an HR director to split their priorities; it is impossible for them to uphold the responsibilities of an HR director with the requirements and priorities of an independent DPO. First and foremost, HR directors work for the benefit of the company and other employees, while the DPO must act independently, informing and advising the organisation on how to uphold the rights of the data subject. In reality, trying to do both simply does not work.”
The DPO Centre has also recognised that HR directors find it harder to fully understand what goes into a DSAR and the processes behind it. Lenitha continues by pointing out the complexities around how long an organisation has to respond to a DSAR, when it is appropriate to apply the two-month extension, when an organisation can outright refuse to respond to a DSAR, and how to review the scope of a request.
DSARs, especially employee-related ones, can be complex and take time away from an HR director’s core responsibilities. The HR director would need to learn how to use redaction software and to understand the many exemptions that can apply to a DSAR. Depending on the size and complexity of the request, a complex employee DSAR can take a single individual several weeks to process, leaving them unable to complete the many other tasks associated with their HR role.
The current consultation also highlights that many companies are struggling to understand when a request is manifestly excessive or unfounded and are looking to the ICO for further guidance.
At the same time, the ICO has also drafted updated guidance on the provisions in Part 3 of the DPA 2018 (law enforcement processing) covering how competent authorities should deal with manifestly unfounded or excessive requests.
In particular, Lenitha continues, “More examples would be beneficial to help organisations understand when a subject access request is excessive or unfounded. For Freedom of Information requests there are vexatious decision notices and guidance to inform decision makers.
“It would be useful for there to be some kind of guidance on how it would operate in certain situations, i.e. the disgruntled customer, the excessive complainer, the employee going through tribunal proceedings – this would also help reconcile contradictory case law and ensure a more consistent approach across sectors and organisation sizes.”
Even with such examples, organisations must still mitigate any conflicts of interest that arise, and HR directors who are also DPOs will need to understand the implications of the new ICO guidance.
To assist professionals, The DPO Centre recently launched a free, live monthly webinar aimed at HR professionals who deal with DSARs. It is held on the second Wednesday of every month and covers the key aspects of this complex subject. Register to attend here:
https://www.dpocentre.com/events
The ICO consultation on the draft right of access for competent authorities guidance closed on 11 March 2022.
(1) ICO Annual Report 2020/21: hc-354-information-commissioners-ara-2020-21.pdf (ico.org.uk)