The old saying went that “if you don’t want it on the front page of the newspaper, don’t put it in an email.” Well, if you don’t want to produce it as part of an employee’s Data Subject Access Request (DSAR), it shouldn’t be part of your employee files.
Employee DSARs are coming soon to a California employer near you. But the European Union, United Kingdom and Canada have been handling them for a while.
Here are some things we can learn from their experiences.
1) Map out your HR-related systems.
- This includes the actual assets and systems that hold employee data.
- This includes unstructured data and the things that go to die in Sent Items folders and in “group mailboxes.”
- This includes things on employees’ devices, such as personal text messages.
- This includes things in backups and in filing cabinets.
- This definitely includes your service providers. Reach out to them, ask for a sample access request response, vet it, mark it up.
2) Review your processes and train.
- Train your HR stakeholders about the new requirements in the law.
- Train them to recognize the requests.
- Allocate responsibility for the responses.
- Review your processes, including those internal notes and scribbles. Should they be part of the formal record or is there another way to do this?
- Review your records retention policies (but be mindful of minimum retention periods e.g. in Canada).
3) Review the data that you are collecting.
- What is “personal information” of the individual and what isn’t?
- Which records would be a problem to disclose if you had to? (Consult with counsel!)
- If the documents involve other people, can you produce a redacted version?
- Does any privilege (like attorney client privilege) apply?
4) Mind those special types of data.
- Call recordings? Are you able to produce and redact them as necessary when you produce the actual recording?
- AI, biometrics, inferences, olfactory or NLP analysis, CCTV used to gauge productivity? Review the disclosures you have already made about them. They may need revisiting (in view of the strong Federal Trade Commission push on algorithmic transparency).
- Also, this may remind you that it is high time to do a Data Protection Impact Assessment (DPIA) for these processes. (A DPIA will also be required under the CPRA.)
5) Just because it’s hard doesn’t mean it’s optional.
- If you have a lot of data, you need better processes (e.g. a kiosk with options for which data the individual wants).
- Try to communicate with the individual to gauge the scope of the request (but this may not always toll the time you have to produce the information).
- Produce the information as soon as you can. This isn’t a fancy restaurant; you send out the dishes as they are ready.