Continuing our series of blog articles de-mystifying data subject access requests (DSARs), Sue Dowling and Aoife McGrath, in our Employment Law team, outline terminology relevant to DSARs and specifically explain what ‘Personal Data’ means in the workplace.
What is “Personal Data”?
The first thing to appreciate is that “Personal Data” is not limited to a person’s name and their personal information. ‘Personal Data’ means any information relating to an identified or identifiable natural person (also known as a ‘Data Subject’).
‘Personal Data’ typically processed in the employment context can be very broad – covering all sorts of information relating to an employee (or worker) including (but not restricted to):
- job application/CV information;
- contractual terms (including relating to the provision of benefits);
- appraisal/performance documents;
- grievances and disciplinary matters (e.g. minutes of meetings);
- health records;
- and, often, documents which include opinions and statements expressed by others (e.g. by Line Managers and/or HR professionals) relating to the employee/worker.
This definition covers so much more than the employee’s name, date of birth, next of kin, email address and other basic identifiers. Further, the fact that a document containing personal information relating to an employee Data Subject is labelled “confidential” does not stop it from counting as “Personal Data” for the purposes of access by the employee through a DSAR.
Is the Data Subject (making the request) an identifiable employee/worker?
The test is whether written documents/communications (e.g. emails and WhatsApp messages), videos, photographs etc. relate to an identifiable employee/worker (the Data Subject making the request). This does not mean that the employee necessarily needs to be mentioned by name. If the employee Data Subject can still be identified, directly or indirectly, by reference to other matters, such as factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the employee, the material will still comprise ‘Personal Data’. For example, a chain of emails from which it is clear that they are referring to a particular employee, but on a ‘no-names’ basis, would (where the employee makes a DSAR) fall within the definition and be disclosable.
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. In the employment context it therefore covers the whole ‘journey’ of employment from start to finish (and for a period beyond).
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. In the employment context, a Controller will normally be the entity (e.g. the Company) employing the employee.
The above is a brief outline of some of the fundamental terms relevant to a DSAR. The next blog article in our series will delve into what an employer (as Controller) should do upon receipt of a DSAR.
Our Employment Law team can advise on all aspects of Employment Law, including in relation to Data Subject Access Requests (DSARs or SARs).
For further information or legal advice, please contact law@blandy.co.uk or call 0118 951 6800.
This article is intended for the use of clients and other interested parties. The information contained in it is believed to be correct at the date of publication, but it is necessarily of a brief and general nature and should not be relied upon as a substitute for specific professional advice.





