
Vexatious, unfounded or excessive subject access requests – how to spot them and what to do

17 February 2025

The Law

In the context of an employment relationship within the Channel Islands, the applicable data protection laws are the Data Protection (Jersey) Law 2018 and Data Protection (Bailiwick of Guernsey) Law, 2017 (the "Law").

Under the Law, employees are considered data subjects, employers are data controllers, and all data subjects have a statutory right of access to (and rectification, erasure and/or restriction of) their personal data. Data subjects also have the right for their personal data to be excluded from automated decision-making.

"Access" under the Law means the data subject may obtain a copy of their personal data held across any data repository. Such repository will include both hard and soft copy sources. To gain access, a data subject must make a Data Subject Access Request (a "DSAR"). A DSAR may be made in writing or orally and requires a response under the Law within prescriptive timeframes. The Law also prescribes how the data controller must respond to a DSAR. The data provided in response to a DSAR comprises information only (generally, documents do not need to be disclosed).

Frivolous, vexatious, unnecessarily repetitive and/or otherwise excessive DSARs

If a data controller suspects that a DSAR could be manifestly vexatious, unfounded, excessive and/or repetitive, they must first take steps to obtain further information from the data subject. Upon receipt of that further information, if the data controller can prove and support their suspicion, they may utilise this exemption to either:

  • exclude or limit a data subject's right of access to their personal data; or
  • charge a reasonable fee towards review and production costs.

Given that the onus is on the data controller to prove some form of malintent on the part of the data subject who issued the DSAR, this exemption cannot be used as an automatic exemption from complying with the Law. Also, the data controller must prove that a decision to prevent or limit a data subject's access to their personal data is reasonable, fair and proportionate. Because of this burden, it is not possible to adopt a one-size-fits-all approach – a DSAR must be determined on its individual circumstances alone.

Information required before considering an exemption

A data controller should obtain the following information:

Background

  • What circumstances led to the DSAR?
  • What is the possible purpose and potential value of the personal data to the data subject?
  • Is there an alternative means for the data subject to obtain that information (through court ordered discovery, for example)?
  • Have previous DSARs been made, and a response provided, for the same personal data?
  • Does the DSAR come within the data subject's statutory entitlements under the Law?

Motive

  • Has the data subject communicated their intentions to a fellow employee before issuing the DSAR?
  • Has an employment claim and/or other claim been issued? On its own, this may not trigger the exemption.
  • Does it appear that the DSAR was made to cause a disproportionate or unjustified level of disruption, irritation or distress to the data controller, their business or other employees of the business?
  • Is the DSAR formulated to extract a specific action, i.e. will the DSAR be withdrawn upon payment of a specific sum or upon conduct of a specific action?

Personal data

  • What is the volume of responsive personal data?
  • What are the costs of reviewing, formulating a response, and providing access to the personal data?
  • Is such a review and response workable from both a staffing and cost analysis?
  • Is the data subject willing to refine or collate their DSAR(s) to enable a single response?
  • Is the personal data intertwined with another data subject's such that redaction and/or permission to share their personal data is required?

Considerations to take when using an exemption

Upon receipt of all relevant information and upon making the determination that a DSAR is frivolous and vexatious, the data controller should:

  • determine whether the data subject may be granted access to some but not all of their personal data;
  • provide a response to the data subject that communicates the decision and the thought process behind it within the timeframes stated in the Law; and
  • inform the data subject of their right to issue a complaint to either the Jersey Office of the Information Commissioner or the Office of the Data Protection Authority, as applicable.

Proactive steps to take before receipt of a frivolous, vexatious, unnecessarily repetitive and/or otherwise excessive DSAR

  • Prepare in advance - DSARs will happen, so it is imperative that all data controllers have a plan in place for how to deal with these requests. 
  • Start as you mean to go on - ensure that all employment, service and third-party contracts and/or policies are up to date with relevant and applicable references to the applicable Law.
  • Invest in staff training – make sure all staff are aware of how they should handle personal data, can recognise a DSAR and know what to do if they receive one, and make policies available to all employees by way of a central hub or staff handbook.
  • Use a retention policy – take the time to create a retention policy to determine how long personal data is held for, but more importantly, ensure that the retention policy is rigorously applied.
  • Monitor culture – the reality is that happy employees do not issue DSARs. It is therefore commercially sound to create a culture of open communication and collective responsibility amongst all employees, no matter their role or level of seniority.

Most importantly - if you don't need the personal data, delete it.

If you would like any further information, please get in touch with your usual Bedell Cristin contact or one of the contacts listed.

 

Locations: Jersey | Guernsey

Related Service: Employment Law

