Data Access Requests to an employer

Hunchback

Just a very short question -

When an employee makes a data access request of an employer, the employer is required to produce literally everything they have in terms of information pertaining to that employee within forty days.

Let's say a person feels that they have been constructively dismissed (or something). They believe that email exchanges between superiors in the company would verify this if they were to come to light. So they make the data request.

Is there any way of knowing if any emails that would be potentially damaging to the employer have been held back or have been deleted?



This is completely as a matter of curiosity arising out of the topical nature of the issue of data protection at the moment.

Pat Mustard

EDIT: moved to the Information Security forum. Please note that their charter applies.

Joe Exotic

Hunchback wrote: »

Just a very short question -

When an employee makes a data access request of an employer, the employer is required to produce literally everything they have in terms of information pertaining to that employee within forty days.

Let's say a person feels that they have been constructively dismissed (or something). They believe that email exchanges between superiors in the company would verify this if they were to come to light. So they make the data request.

Is there any way of knowing if any emails that would be potentially damaging to the employer have been held back or have been deleted?



This is completely as a matter of curiosity arising out of the topical nature of the issue of data protection at the moment.

No this would not be covered under a data access request as it would not be that persons data, it is a private "conversation" between two other people.

The way to get this data would be to start constructive dismissal proceedings against the company and from there the company could be ordered to disclose all relevant data.

To do this the company would probably have to hire an E-discovery expert to ensure it is carried out correctly

Or a least thats my understanding - happy to be contradicted

liamo

Opinion 4/2007 of the EU Article 29 Working Party describers "Personal Data" as

"any information relating to an identified or identifiable natural person (“data subject”);"

and then goes on to discuss the "any information" element of that definition :

From the point of view of the nature of the information, the concept of personal data includes any sort of statements about a person. It covers "objective" information, such as the presence of a certain substance in one's blood. It also includes "subjective" information, opinions or assessments. This latter sort of statements make up a considerable share of personal data processing in sectors such as banking, for the assessment of the reliability of borrowers ("Titius is a reliable borrower"), in insurance ("Titius is not expected to die soon") or in employment ("Titius is a good worker and merits promotion").

So, it appears that some emails could be in scope under a data access request.

I'd be inclined to think that emails between company officers discussing a member of staff would be in scope.

Are those emails a private conversation (as Murphk proposed)? Or are they official company communications?

I'm afraid I don't have a definitive answer. I just like muddying the waters a bit.

Joe Exotic

liamo wrote: »

Opinion 4/2007 of the EU Article 29 Working Party describers "Personal Data" as and then goes on to discuss the "any information" element of that definition :



So, it appears that some emails could be in scope under a data access request.

I'd be inclined to think that emails between company officers discussing a member of staff would be in scope.

Are those emails a private conversation (as Murphk proposed)? Or are they official company communications?

I'm afraid I don't have a definitive answer. I just like muddying the waters a bit.

Great post some good points


I think in reality this whole area is muddy as hell an will continue to be until some precedents are set in cases like this to bring clarity !!

I think the expectation of privacy in that email conversation is key and also what exactly was said if for example a first name only was used then that may not be personal identifiable!!

I think at this stage we would have to have a made up email conversatin which we could discuss to make any progress, we would also probably have to defer to the legal forum as it may be more in their area of expertise


What i can say is that from experience this is a massive area and one where there will be a lot of litigation in the future

Hunchback

liamo wrote:

Are those emails a private conversation (as Murphk proposed)? Or are they official company communications?

The emails don't exist! It is a hypothetical scenario..

I did an online course in Data Protection with the Law Society and one of the speakers stated that emails, as described above, would come within the scope of a data access request. I was just wondering - what is to stop any emails being disposed of? How can you ensure the whole dayaaccess request doesnt become a pointless exersise?

I believe a Mod over at the Legal discussion forum moved the thread because those with IT expertise might be better positioned to answer this

ItHurtsWhenIP

Hunchback wrote: »

The emails don't exist! It is a hypothetical scenario..

I did an online course in Data Protection with the Law Society and one of the speakers stated that emails, as described above, would come within the scope of a data access request. I was just wondering - what is to stop any emails being disposed of? How can you ensure the whole dayaaccess request doesnt become a pointless exersise?

I believe a Mod over at the Legal discussion forum moved the thread because those with IT expertise might be better positioned to answer this

There may be nothing that could prevent those e-mails being disposed of in general circumstances. However if legal proceedings had commenced then a legal hold could be placed on the mail server and so any e-mails that were deleted after the hold was put in place would be in violation of the order.

Some business types (e.g. Insurance) may also have a legal requirement to have a complete archive of all correspondence for a period of years, such that they can prove they received instructions or not in regards to policies.

I personally would have thought that the data access request would only have been relevant to the employee's personnel file with the company as opposed to anything else, as other "conversations" may not be immediately discoverable by the person receiving the access request.

To throw a further spanner in the marmalade - what about instant message conversations:

Person A: "I don't like Titius' gender identity."

Person B: "Me neither"

Person A: "Lets make their life miserable so."

What can be done about those? Would they be logged in the same way as the e-mail flow - maybe not, but they have exactly the same effect as an e-mail conversation.

liamo

Hunchback wrote: »

The emails don't exist! It is a hypothetical scenario..

I know.

what is to stop any emails being disposed of?

Nothing (other than the threat of legal consequences, if caught).

How can you ensure the whole dayaaccess request doesnt become a pointless exersise?

If it's known that data has been deleted or modified, I suppose it could be possible to seize backups (if they exist) to test for that deletion or modification.

I believe a Mod over at the Legal discussion forum moved the thread because those with IT expertise might be better positioned to answer this

It probably needs input from both to establish statutory/regulatory obligations, entitlements, enforcement, etc; and what is technically possible.

starshine1234

The emails are personal information if they refer to you by name or by nickname or code.

If they are sent within a company and are normal company emails then there is no expectation of privacy and data protection does apply. If information has been requested and provided in confidence then that may be different but the existence of the disputed data must still be disclosed to the data subject in the data access response, as far as I know, even if the disputed data itself is not to be provided. The disputed data cannot be deleted.

A company is not supposed to delete any personal after they have received a Data Access Request. However, in practice a company could delete information and there is no easy way for the data subject to be aware of that. A company can also delete info and then claim to be stupid and to have made a genuine mistake. This is hard to disprove.

A company could also pretend that a valid Data Access Request was invalid for some reason and then delete the data before you were able to resubmit a corrected Data Access Request. Lots of companies don't publish infomation on how to make an access request so you have to ask them. Once you ask them they can legally delete your infomation before you can submit a formal data access request.


In general it is possible for companies to be dishonest and to lie about data.


You can make a Section 3 request for free. A company then has to respond and tell you what data they hold about you and the purpose for which they hold it. They can legally delete the data in this case and then truthfully respond that they have no data. In the case of Section 4 requests the data cannot be deleted and must be provided to the requester.


I myself have made section 4 requests where the data controller failed to provide all info. I had to ask the DP commissioner to assist me. Although the failure was serious and wilful the DP commissioner took no action againat the dodgy data controller. It was a large government department in my case, which was systematically failing to provide data in response to section 4 requests.

Hunchback

Thank you Starshine - appreciate the comprehensive answer