Data Access Requests: Why Every Word Matters
- hrbytara
- Apr 21
This month, I’ve been dealing with a data subject access request (DSAR) from an employee of one of my clients. For us, it’s nothing to worry about, just part of doing business (particularly given what we do). But the process of responding HAS highlighted some key points for us on how HR by Tara processes the data of individuals who work for our clients - whether as employees or self-employed contractors. So, I thought I’d share some of those key points through this month’s article.
Right to access - be careful what you write
A living individual has the right to access any personal data that you hold about them. This is a right given to them under current data protection legislation. If they formally make a request to you for such access, then this is a DSAR.
So, knowing that individuals have this right... Erring on the side of caution, we recommend that clients don’t create files, emails or other messages that contain things they wouldn’t want an employee to see. Always think before you write - how would you feel if this message was seen by the employee?
Or as someone once told me “Dance like no one’s watching - write emails like they’re being read out in court”.
As an aside, responding to a DSAR only shares personal data of the individual (with a specific definition), but if you ever find yourself having to defend your company against an employment tribunal claim, then a lot more information will be disclosed to the employee. We aren’t lawyers, so nothing you write to us is covered by legal privilege - everything would have to be disclosed.
So, if you need to discuss something that you wouldn’t be comfortable with the employee seeing written down, then we recommend that you speak to us on the phone or a video call. This is particularly important if there’s a chance the employee could bring a claim against you.
Minimising what you hold and where you hold it
To make your life easier when you have a DSAR, you ideally want to be storing minimal personal data and have it all in just a few places.
Don’t ask people for personal data you don’t actually need and delete files containing personal data when you don’t need them anymore.
If you know that almost all personal data is safely stored within an HR system, that makes a DSAR easier to deal with. If you don’t have one, then saving all files within one secure folder is a good idea.
But if you use email or any messaging apps within your business, you’re bound to still have personal data lurking within messages you’ve sent or received. This is one of the reasons we ask you not to send emails to us that contain personal data. We would very much prefer that it isn’t held within our email system - for reasons I explain below.
For example, we ask clients to:
- Send the information we need for starters, changes and leavers to us by completing a Google Form - just contact Stacy if you need the link
- Send any files containing personal data via SendSafely (see below for more information) or save them into a secure shared online folder
Please respect our wishes on this. It costs us a LOT more time when a DSAR comes in if we have loads of emails from you or your team that contain personal data.
Also, email is not the most secure method of sending confidential information. In particular, please never send copies of ID documents (e.g. a passport) to us via email.
Personal data within messages
Responding to a DSAR involves us searching for ALL messages we have within our email and internal chat systems that refer to a particular individual (i.e. your employee). We then have to review all those messages to identify whether they contain the personal data of the individual. We also need to review whether they contain the personal data of anyone else - if so, then we’ll need to redact that (obscure it so it’s not visible, as the individual isn’t entitled to see it).
As I’m sure you’ll have worked out, this can take a LOT of time. The fewer messages there are, the easier the process is.
SendSafely
HR by Tara has now adopted SendSafely as a way to share information securely between our team and our clients. Look out for SendSafely links to download files we've sent you, or use the links in our email signatures to send us anything sensitive.
SendSafely lets you easily send or receive files and information with anyone on any device. Files are encrypted on the sender's device and only decrypted on the recipient's device, and even the platform provider cannot access your sensitive data. Downloads are authenticated and transfers automatically expire, further protecting your data - you can even revoke access if you ever make any mistakes.
You can find out more about the system on their website or speak to our Process & Technology Manager by emailing technology@hrbytara.com.




