If You Don’t Want It Released to an Employee, Don’t Put It in Your Employee Files

Odia Kagan
Fox Rothschild LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Fox Rothschild LLP

The old saying went that “if you don’t want it on the front page of the newspaper, don’t put it in an email.” Well, if you don’t want to produce it as part of an employee’s Data Subject Access Request (DSAR), it shouldn’t be part of your employee files.

Employee DSARs are coming soon to a California employer near you. But the European Union, United Kingdom and Canada have been handling them for while.

Here are some things we can learn from their experiences.

1) Map out your HR related systems.

  • This includes actual assets and systems.
  • This includes unstructured data and things that go to die in send items and in “group mailboxes.”
  • This includes things in employees’ devices like personal text messaging.
  • This includes things in backup and filing cabinets.
  • This definitely includes your service providers. Reach out to them, ask for a sample access request response, vet it, mark it up.

2) Review your processes and train.

  • Train your HR stakeholders about the new requirements in the law.
  • Train them to recognize the requests.
  • Allocate responsibility for the responses.
  • Review your processes, including those internal notes and scribbles. Should they be part of the formal record or is there another way to do this?
  • Review your records retention policies (but be mindful of minimum retention periods e.g. in Canada).

3) Review the data that you are collecting.

  • What is “personal information” of the individual and what isn’t?
  • What are the problem points you would have an issue disclosing if needed? (Consult with counsel!)
  • If the documents involve other people, can you produce a redacted version?
  • Does any privilege (like attorney client privilege) apply?

4) Mind those special types of data.

  • Call recordings? Are you able to produce/redact as necessary when producing the actual recording?
  • AI/biometrics/inferences/olfactory/NLP analysis/CCTV to gauge productivity? Review the disclosures that you have produced about them. They might need revisiting (in view of the strong Federal Trade Commission push on algorithmic transparency.)
  • Also – this may remind you – it’s high time to do a Data Protection Impact Assessment (DPIA) for these processes. (DPIA will also be required by CPRA.)

5) Just because it’s hard, doesn’t mean its optional

  • If you have a lot of data, you need better processes (e.g. kiosk with options of what data the individuals wants).
  • Try to communicate with the individual to gauge the scope of the request (but this may not always toll the time you have to produce the information).
  • Produce the information as soon as you can. This isn’t a fancy restaurant; you send out the dishes as they are ready.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising

Written by:

Fox Rothschild LLP
Fox Rothschild LLP
Contact
more
less

Fox Rothschild LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide