I submitted a request for all records of my name and correspondence concerning me to a former employer two weeks ago. They have not yet responded. In any way, shape, or form.
Has anyone on here got any experience of making such a request? What did you expect, and what sort of response did you get? I want to know about the sorts of records that have been kept on me, and who was involved in certain decision making. Is it possible for an institution to withhold information, and/or hide it?
I made the request through the Information Commissioner's Office, and have read that an organisation has up to one month to comply, but that is based on them having to find and collate all the information, when I know for certain that what I am looking for should all be in a single file.
Anyway, I would appreciate knowing about others' experiences and/or knowledge of the process.
I think what you’ve asked for is a Subject Access Request; FOIs are only applicable to public sector bodies such as Local Authorities. Have a read here;
And have a look at a number of templates available on the internet.
As above, dealt with FOIs in the past, and they tend to go around the department and can take weeks to arrive at the correct area for actioning!
Whoops. A Subject Access Request is what I meant. And I did so through the ICO's website having read all the guidance, so I believe I did it correctly.
Expect them to take the full 30 days. My organisation doesn't send any kind of acknowledgement, as that costs time and money. If your request is as vague as you presented it here, they may decline it or come back to you for clarification.
This organisation keeps meticulous record, and will no exactly what I mean - although I was crystal clear in my correspondence with them over what I required.
If it helps anyone comment, the parting between this organisation and me was unpleasant (to say the least), so I expect them to see my request as a hostile act. As for me, I don't intend it that way; I just want to have a full picture of a process they have gone through in my regard.
Over what period are you looking? I would probably reject and ask for a specific time frame; we have had employees for over 40 years and your request sounds very general. "Manifestly excessive" is the term. How long were you employed for?
Second point, is it possible for an organisation to withhold info, of course! Proving that might be very difficult/expensive.
They will take the full 30 days and more if they can. 1) It's low priority for them, and 2) they won't want to give the info and will probably be removing stuff from it, so it will be being reviewed by someone senior.
What are you hoping to achieve? Confirm a specific event or decision that affected you?
Also, dependent on the nature of the information and the way it's held, they may have to redact parts of the info (all references to any third parties, any information that does not belong to them that references you, etc.).
From time to time I have to sign off redactions for SARs, but for young people that have been in our care it can take us up to nine months to get processed.
It sounds like you have been very specific which is good.
Having said that, it will depend a lot on the data protection officer and how used they are to fielding these requests. The DPO role may be added to someone’s job spec or may be a role on its own; if so, they should be geared up to service the requests and used to the process. If it’s the former, then it’s likely to be someone working out the process on the fly (as well as the ‘day’ job) and also waiting for input from any legal department or company grown-up to sign off the data collected. There is the potential for huge amounts, but as you have been specific this shouldn’t be too tricky; this process of getting people to sign off this bit sucks much of the time.
There are timescales on the ICO website.
Hope you get what you’re after.
TroutWrestler
I am dealing with one from the other end just now. A nightmare.
Having dealt with SARs in the past, very much +1 this.
In some cases, any delay is just the sheer amount of work it is to put together an SAR. Potentially not so in the OP case from what they've said. I would say follow up the request and ask for an update, but in this case that might be counterproductive?
A footnote: I just re-read my post immediately above, and can't believe how bad it is!
This organisation keeps meticulous record, and will no exactly what I mean
Meant to say: This organisation keeps meticulous recordS, and will KnoW exactly what I mean.
Sorry. My standards have fallen. 🙁
ICO has no power to do anything if they ignore you, I believe. So given your unpleasant parting of ways, I might expect some combination of giving you a partial response while claiming it's everything, deleting stuff so they're not holding it anymore, redaction, delay, or flat out ignoring you.
I was crystal clear in my correspondence with them over what I required.
If it helps anyone comment, the parting between this organisation and me was unpleasant (to say the least)
Having been tangentially involved in responding to these bloody things: Nowadays everyone that argues with their employer is submitting DSARs.
Everyone thinks they are "crystal clear" in their requests - very few people actually are. If you requested every record with your name on it, that's quite easily thousands of documents, and then they need to review that stuff to see if any of it needs to be redacted or is exempt from disclosure.
Two weeks is nothing. Calm down. And if you're doing this because you're angry at your old employer - don't expect this to fix anything.
GDPR and FOIA were supposed to be about preventing Stasi-like surveillance and preventing state abuses of power. Now it's a way to get thousands of boring work emails so I can find out why Jenny got the desk closest to the kitchen.
</flame>
It can also depend on the volume of requests. I work in a GP practice and there must be 20, maybe more, requests from solicitors/insurance/individuals/govt depts waiting for us to look at records or wanting specific information that requires us to trawl through records. Some folks we charge, so there's that ball ache as well. It's a huge workload.
My OH works in HR so I've seen this working from the other side.
If the subject is broad enough it becomes basically impossible to deliver. GDPR means that anyone else's information needs redacting from what they send you. So someone needs to go onto the Outlook server and type your details into the search bar, and then go through every e-mail in Acrobat Pro and redact every other name or identifying bit of information from it. Even if your request is specific, they still need to do that work reading everything, as it's further trouble if it turns out that there was something relevant in the archive box at the back of the storage unit that they failed to disclose.
Legally they can't hide it, but from a practical perspective DSAR is basically a tactic to be used by employment lawyers as they know it's hideously expensive (typically an external company needs to be involved and a single request to HR can be £250,000 to deliver). And therefore almost always cheaper to settle whatever the grievance was.
The nub of it is that the threat of a DSAR isn't intended really to help you as an ex-employee; it's to discourage them from retaining information they don't need. I.e. make it easier for them to only keep what they need for HMRC etc. than to just have everything about you still on file, and to better organise it. I.e. if HR have done their job right there should be an archive folder labelled "why Saxon Rider no longer works here" ready to go, and it'll be marked for deletion just as soon as whatever statutory period has passed.
Thanks for that info, all.
One thing I’m wondering now is why an organisation would comply with a request at all, seeing as it’s such a PITA for them, yet there seems to be no real mechanism for enforcing compliance.
I mean, why doesn’t the organisation in this situation just ignore me completely? And what happens to non-public bodies when they do ignore requests?
£250,000 to deliver? Are they employing a KC to sift through it all? That is patent nonsense. And if that is the process as you have described it they are doing it very wrong.
In compliance with data protection law they can take a month, and apply an extension of a further two months if the request is complex. If an employment tribunal has been involved you are in "complex" territory straight away. If lawyers have been involved there will be an element of legal professional privilege to check for in the documents and make appropriate redactions. If other parties were involved redactions may be required for third party personal data. There are various other exemptions that could be applied - for example are you still in negotiations with them?
After two weeks it would be good practice to at least acknowledge the request, ask you to narrow it down if it is too broad, and give you a timescale. After a month you would be advised to chase them and offer to narrow the scope if that would help.
In compliance with data protection law they can take a month, and apply an extension of a further two months if the request is complex. If an employment tribunal has been involved you are in “complex” territory straight away. If lawyers have been involved there will be an element of legal professional privilege to check for in the documents and make appropriate redactions. If other parties were involved redactions may be required for third party personal data.
And therein lies the cost, it's months of fulltime work to deliver.
I accept that an ET can be expensive - but not a SAR - again, doing it wrong.
One thing I’m wondering now is why an organisation would comply with a request at all, seeing as it’s such a PITA for them, yet there seems to be no real mechanism for enforcing compliance. I mean, why doesn’t the organisation in this situation just ignore me completely? And what happens to non-public bodies when they do ignore requests?
Fines for ignoring SAR / FOI can be stratospheric. There are various appeal processes and levels to go through if the "authority" responds to your FOI and you don't feel it's sufficient, all of which are very time consuming and expensive so most authorities do actually comply because the total ballache and potential fines of not complying are too high to risk.
Even if only 50% of cases are successfully fined, it's still a massive deterrent to trying it on.
However...
I worked for a company where the HR Director had a process for any individuals going through a grievance system, and that was to refer extremely obliquely to them in any email correspondence. Names were never used, and that made it incredibly difficult to track down correspondence on who had said what, which made it legally possible to say "we have run a SAR for all instances of your name in email correspondence and found nothing (other than the basics of day-to-day work)."
If it's costing £250K it's their own fault for not keeping records in a sensible way, or not deleting records when they no longer need them. If they design their information governance right they can make this easy - the same applies to nickc's medical records (not for every practice to solve that one), but it could be trivially easy if the owners wanted it to be!
@SaxonRider - the ICO does have some powers (they are just a bit shit at using them) and the courts can award compensation etc. if they don't comply; that's why organisations usually do as they should (eventually). Half the problem is Data Subjects who know just enough to make stupid requests, which I am afraid to say yours might be...
You say you have made the request through the ICO site (seems odd, first port of call would normally be to the Data Controller (ie. employer)) and it was very clear, but in your OP you called it an FOI request, for "a request for all records of my name and correspondence concerning me" yet also state "I know for certain that what I am looking for should all be in a single file." A sensible data protection officer of an organisation not subject to the FOI Act should treat an FOI Request which is clearly actually a SAR as a SAR, so that is not fatal but you may well have added confusion and delay to the process. Then you've asked for "all records" which it was your right to do, but then said they only actually need to send one file - if you wanted a copy of file X it would probably have been much more efficient to ask for X. They should now be trawling all their systems (Payroll records, HR files, Email servers, etc) for anything with your name on it, (and in theory stuff without your name but which contains your personal data).
5000 hours' work at £50 an hour to do a SAR? Actually most of the work would be done by an admin assistant, I bet.
Just because a person's name is on something, that does not make it their personal data. It has to be about them. Conversely, it can be their personal data even if some clever-clogs HR Director uses code names. If the information is about them it should be in scope for the response to the SAR. I am starting to think I need to open a side-hustle consultancy on this, if organisations are throwing £250k about for one request!
Hah - you and every law firm and ex-DPO in the frigging country!
I want to know about the sorts of records that have been kept on me, and who was involved in certain decision making.
Trying to be helpful (which is not my normal state): can you do them and yourself a favour by radically narrowing the scope of the request? You're obviously pissed off about a decision - so can you reduce it to "any email to and from [decision maker] in the period [2 months before decision] to [2 months after decision]" that falls within the scope of the previous request?
UPDATE: I received an email from them this afternoon telling me it would take an extra month for them to gather what I have requested. The organisation in question is required to keep meticulous records, and should have files on all its 'employees', so locating things should not pose a problem for them. Also, in terms of the documents I am seeking, other than the names of those who wrote the documents and those to whom they may have been addressed, it is highly unlikely there will be anyone else mentioned, so GDPR should not be a major concern.
I have asked for all correspondence between me and them (whichever direction the correspondence went); all correspondence that was specifically about me; all minutes and other documents that contain references to me, such as emails and notes.
So far, it seems they are complying. Other than asking me what I wanted it for, they only asked what the best medium was for sending it to me.