In May 2020, an employer refused to respond to a data subject access request (DSAR) made during the course of employment tribunal proceedings. Last week, this resulted in the Information Commissioner’s Office (ICO) issuing an enforcement notice to the employer. Why is this important? The sanctions for failing to comply with an enforcement notice are serious. They can result in a fine of up to £17.5 million or 4% of an employer’s annual worldwide turnover, whichever is higher.
The employer in this case, First Choice, had told the applicant that they would only produce the information requested in a DSAR when instructed to do so by the Employment Tribunal (ET). The applicant complained to the ICO who made four attempts to contact the employer, making it clear that it was in breach of its obligations under data protection law. In response to the fourth communication from the ICO, First Choice responded saying that the ET had instructed them not to release any further information at this stage. No evidence was produced by First Choice in support of this position and the applicant obtained an email from the ET confirming that “the Tribunal has no jurisdiction to deal with matters relating to data protection requests.”
In response, the ICO issued First Choice with an enforcement notice, requiring them to comply with the DSAR within one calendar month and to make changes to its internal systems, procedures and policies to ensure any future DSARs are properly identified and dealt with.
Enforcement notices issued by the ICO are not to be taken lightly. Employers must remember that an employee’s rights under data protection legislation are in addition to any rights of recourse to the ET. DSAR requests must be complied with regardless of any ongoing court or employment tribunal proceedings, albeit those proceedings may be taken into consideration when dealing with the request and applying any exemptions.
