Guides employee DSAR handling under GDPR Art. 15: scopes HR records, emails, CCTV, performance data; applies third-party redaction, privilege exemptions, one-month timelines. For privacy compliance.
`npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-complete`
Employee Data Subject Access Requests (DSARs) are among the most complex and resource-intensive DSARs that organisations receive. Unlike customer DSARs, which typically involve a defined set of transactional data, employee DSARs can span the entire employment lifecycle and encompass data held across dozens of systems: HR records, emails (sent, received, and about the employee), CCTV footage, access control logs, telephone recordings, performance reviews, investigation files, grievance records, occupational health reports, training records, payroll data, expense claims, monitoring data, and informal notes and communications between managers. The scope, combined with the need to redact third-party personal data and assess legal privilege, makes employee DSARs a distinct operational and legal challenge.
This skill provides a structured response process, a comprehensive data source inventory, and decision frameworks for the exemptions and redactions most commonly encountered in employee DSARs.
Under Art. 15(1) and (2), the employee has the right to obtain from the controller:
| Information | Detail |
|---|---|
| Confirmation of processing | Whether personal data concerning the employee is being processed |
| Access to the data | A copy of the personal data undergoing processing |
| Purposes | The purposes of the processing |
| Categories | The categories of personal data concerned |
| Recipients | Recipients or categories of recipients to whom data has been or will be disclosed |
| Retention | The envisaged period of storage, or criteria used to determine the period |
| Rights | The right to request rectification, erasure, or restriction of processing, and to object to processing |
| Complaint | The right to lodge a complaint with a supervisory authority |
| Source | Where data was not collected from the employee, any available information about the source |
| Automated decisions | The existence of automated decision-making including profiling under Art. 22, with meaningful information about the logic, significance, and envisaged consequences |
| Transfer safeguards | Where data is transferred to a third country or international organisation, the appropriate safeguards under Art. 46 (this item sits in Art. 15(2)) |
Under Art. 15(3), the controller shall provide a copy of the personal data undergoing processing. For any further copies requested, the controller may charge a reasonable fee based on administrative costs. Where the request is made by electronic means, the information shall be provided in a commonly used electronic form, unless otherwise requested.
Art. 15(4): "The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others."
This provision is the legal basis for redacting third-party personal data from DSAR disclosures. In the UK it is supplemented by DPA 2018, Sch. 2, para. 16 ("other people's information"), which permits disclosure of data identifying another individual only where that individual consents or it is reasonable to disclose without consent.
The following data sources must be searched when processing an employee DSAR:
| Data Source | System/Location | Data Types |
|---|---|---|
| HR Information System | Workday, SAP SuccessFactors, BambooHR, etc. | Personal details, employment history, contract, salary, benefits, absence records, performance ratings |
| Email system | Microsoft 365, Google Workspace | Emails sent by the employee, received by the employee, and about the employee |
| CCTV system | On-premise recording system | Video footage where the employee is identifiable |
| Access control system | Badge/proximity card system | Entry/exit logs, access attempts to restricted areas |
| Time and attendance | Timekeeping system, biometric readers | Clock-in/out records, attendance patterns |
| Payroll system | SAP, ADP, Sage | Salary history, tax records, pension contributions, benefits |
| Performance management | Workday, Lattice, Culture Amp, etc. | Performance reviews, objectives, competency assessments, calibration data, 360 feedback |
| Learning management system | Cornerstone, SAP LMS, etc. | Training records, certifications, mandatory training completion |
| Recruitment system | Greenhouse, Lever, Workable | Application data, interview notes, assessment scores (for recent hires) |
| Disciplinary and grievance files | HR case management, paper files | Investigation notes, witness statements, outcome letters |
| Occupational health records | OH provider system | Fitness-for-work reports, referral correspondence |
| Monitoring systems | DLP, web proxy, MDM | Email monitoring alerts, internet usage logs, device management data |
| Expenses system | Concur, Expensify | Expense claims, receipts, approval records |
| Informal records | Line manager email, notes, instant messages | Notes about the employee, performance observations, management discussions |
| Telephone system | Call recording platform | Recorded calls where the employee is a participant |
| IT system logs | Active Directory, service desk | Account activity, password resets, service desk tickets |
| File servers and SharePoint | Shared drives, collaboration platforms | Documents authored by or concerning the employee |
Not every data source must be searched exhaustively for every DSAR. The search scope should be proportionate to:
Day 1: Receipt and Acknowledgment
Days 2-5: Scoping
Days 5-20: Collection
Days 15-25: Review and Redaction
Days 25-30: Quality Check and Dispatch
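The five phases above, and the "missing the one-month deadline" pitfall later on this page, both come down to running the Art. 12(3) clock correctly. The following tracker is an added example and not part of the original skill: it computes the statutory deadline (one month from receipt), the last day on which an extension notice can still be sent (also the end of the first month), the extended deadline (receipt plus three months), and the internal phase milestones. Month arithmetic follows EDPB Guidelines 01/2022 and ICO guidance: the deadline is the same day of the following month, or the last day of that month if no such day exists. The optional weekend roll-forward follows ICO guidance; public holidays are jurisdiction-specific and deliberately not handled. The sample dates are constructed.

```python
"""Statutory deadline tracker for the five-phase DSAR timeline.

Added example, not part of the original skill. Implements the Art. 12(3)
clock: one month from receipt, extendable by two further months where the
request is complex, with the extension notice due within the first month.
Month arithmetic follows EDPB Guidelines 01/2022 / ICO guidance: same
day-of-month next month, clamped to month length (31 Jan 2024 -> 29 Feb 2024).
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

# Internal milestones in calendar days after receipt, taken from the phase
# plan above (scoping by day 5, collection by day 20, review by day 25).
PHASES = (("scoping", 5), ("collection", 20), ("review_and_redaction", 25))


def _as_date(value) -> date:
    """Accept a date or an ISO-8601 string such as '2024-01-31'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_months(start, months: int) -> date:
    """Same day-of-month `months` later, clamped to the target month's length."""
    start = _as_date(start)
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(value) -> date:
    """Roll a Saturday/Sunday deadline forward to Monday (ICO guidance).

    Public holidays vary by jurisdiction and are deliberately not handled here.
    """
    d = _as_date(value)
    while d.weekday() >= 5:
        d += timedelta(days=1)
    return d


@dataclass
class Deadlines:
    received: date
    statutory_deadline: date   # Art. 12(3): one month from receipt
    extension_notice_by: date  # the employee must be told of any extension by this date
    extended_deadline: date    # Art. 12(3): receipt + three months if extended
    milestones: dict           # phase name -> target date


def compute_deadlines(received, roll_weekends: bool = False) -> Deadlines:
    """Derive every date the coordinator needs from the date of receipt."""
    received = _as_date(received)
    one_month = add_months(received, 1)
    three_months = add_months(received, 3)
    if roll_weekends:
        one_month, three_months = next_working_day(one_month), next_working_day(three_months)
    milestones = {name: received + timedelta(days=offset) for name, offset in PHASES}
    return Deadlines(received, one_month, one_month, three_months, milestones)


def days_remaining(deadlines: Deadlines, today) -> int:
    """Calendar days left on the statutory clock; negative once overdue."""
    return (deadlines.statutory_deadline - _as_date(today)).days


def can_still_extend(deadlines: Deadlines, today) -> bool:
    """An extension notice sent after the first month is too late."""
    return _as_date(today) <= deadlines.extension_notice_by


def summary(received, today) -> dict:
    """Flat, serialisable view for a case-tracking ticket or dashboard."""
    d = compute_deadlines(received)
    return {
        "statutory_deadline": d.statutory_deadline.isoformat(),
        "extended_deadline": d.extended_deadline.isoformat(),
        "days_remaining": days_remaining(d, today),
        "can_still_extend": can_still_extend(d, today),
        **{f"{name}_by": when.isoformat() for name, when in d.milestones.items()},
    }


if __name__ == "__main__":
    # Constructed sample: request received 31 January 2024, checked on 20 February.
    for key, value in summary("2024-01-31", "2024-02-20").items():
        print(f"{key}: {value}")
```

The point of `can_still_extend` is that the extension is only available while the first month is still running: once `days_remaining` is negative, the request is simply late, and telling the employee you are "extending" at that point does not cure the breach.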
The right of access must not adversely affect the rights and freedoms of others. This requires redaction of third-party personal data unless:
Redaction decision matrix:
| Data Type | Redact? | Reasoning |
|---|---|---|
| Names of other employees mentioned in emails about the requesting employee | Generally yes, unless the third party's name is already known to the requestor (e.g., their line manager) | Balance third-party privacy against requestor's right |
| Witness statements in disciplinary investigations | Redact witness identity; disclose substance of allegations | Witness confidentiality vs. right to know allegations |
| 360 feedback with named reviewers | Redact reviewer names; disclose feedback content | Reviewers' reasonable expectation of anonymity |
| Email addresses in CC fields | Generally redact unless already known to requestor | Minimal privacy expectation but apply consistently |
| References provided by the employee's former employer | UK: generally withhold, because DPA 2018, Sch. 2, para. 24 exempts confidential references given or received for employment purposes from Art. 15; elsewhere, disclose as the requestor's personal data, redacting the referee's identity where the Art. 15(4) balance requires it | A confidential reference is about the requestor, but the UK exemption protects the referee's candour |
| Performance calibration meeting notes naming other employees | Redact other employees' names and performance data | Other employees' performance data is their personal data |
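The matrix above is applied in practice as a first automated pass over the collected emails, followed by human review. The following script is an added example and not part of the original skill: it redacts third-party names, first-name aliases and email addresses under Art. 15(4) from every header and body field of a message, skips people the requestor already knows (their line manager here), never touches the requestor's own data, and writes a redaction log so each decision can be justified later. All people, addresses and message content are constructed and fictional.

```python
"""Third-party redaction pass over an employee DSAR email bundle.

Added example, not part of the original skill. Applies the redaction
decision matrix: third parties are replaced under Art. 15(4) unless already
known to the requestor; the requestor is never redacted; every redaction
is logged with its legal basis.
"""
import re
from dataclasses import dataclass

REDACTED = "[THIRD PARTY REDACTED]"


@dataclass(frozen=True)
class Person:
    name: str
    email: str
    aliases: tuple = ()  # first names, initials or nicknames seen in the bundle


def _pattern(people):
    """One case-insensitive regex covering every token of every person.

    Tokens are tried longest-first so "Sam Walsh" wins over the alias "Sam",
    and the look-arounds stop "Sam" from matching inside "Samsung".
    """
    tokens = {t for p in people for t in (p.name, p.email, *p.aliases)}
    alternation = "|".join(re.escape(t) for t in sorted(tokens, key=len, reverse=True))
    return re.compile(rf"(?<!\w)(?:{alternation})(?!\w)", re.IGNORECASE)


def redact_field(field_name, text, third_parties, known_to_requestor, log):
    """Redact one field, skipping third parties the requestor already knows."""
    targets = [p for p in third_parties if p not in known_to_requestor]
    if not targets:
        return text

    def _sub(match):
        log.append((field_name, match.group(0), "Art. 15(4): third-party personal data"))
        return REDACTED

    return _pattern(targets).sub(_sub, text)


def redact_email(msg, requestor, third_parties, known_to_requestor):
    """Redact every header and body field of one message; return (message, log)."""
    if requestor in third_parties:
        raise ValueError("the requestor must never be treated as a third party")
    log = []
    redacted = {
        fld: redact_field(fld, msg[fld], third_parties, known_to_requestor, log)
        for fld in ("from", "to", "cc", "subject", "body")
    }
    return redacted, log


# Constructed sample: all people, addresses and content are fictional.
REQUESTOR = Person("Priya Nair", "priya.nair@example.com", ("Priya",))
LINE_MANAGER = Person("Tom Okafor", "tom.okafor@example.com", ("Tom",))
HRBP = Person("Dana Ruiz", "dana.ruiz@example.com", ("Dana",))
COLLEAGUE = Person("Sam Walsh", "sam.walsh@example.com", ("Sam",))

THIRD_PARTIES = [LINE_MANAGER, HRBP, COLLEAGUE]
KNOWN_TO_REQUESTOR = {LINE_MANAGER}  # the employee knows who her line manager is

SAMPLE_EMAIL = {
    "from": "Tom Okafor <tom.okafor@example.com>",
    "to": "Dana Ruiz <dana.ruiz@example.com>",
    "cc": "sam.walsh@example.com",
    "subject": "Priya Nair - PIP",
    "body": (
        "Dana, as discussed I am placing Priya on a PIP from Monday. "
        "Sam raised concerns about her handling of the Q3 report; "
        "Sam Walsh's own rating is unaffected."
    ),
}


def run_sample():
    """Redact the constructed email with the line manager marked as known."""
    return redact_email(SAMPLE_EMAIL, REQUESTOR, THIRD_PARTIES, KNOWN_TO_REQUESTOR)


if __name__ == "__main__":
    message, redaction_log = run_sample()
    for fld, value in message.items():
        print(f"{fld}: {value}")
    print("\nredaction log:")
    for entry in redaction_log:
        print(entry)
```

Two caveats for real use. First, the pass only removes tokens it has been given: a reviewer still has to read the output for indirect identifiers ("the analyst who sat next to her") and for the first-name-only mentions that the `aliases` tuple is there to catch. Second, keep the log with the case file rather than in the bundle sent to the employee; it is the evidence that each redaction was a considered Art. 15(4) decision and not blanket withholding.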
In the UK, DPA 2018, Sch. 2, para. 19 makes personal data exempt from Art. 15 to the extent that disclosure would involve disclosing information in respect of which a claim to legal professional privilege (LPP) or, in Scotland, confidentiality of communications could be maintained in legal proceedings. The GDPR itself contains no privilege exemption; this is a national restriction adopted under Art. 23, and other Member States apply their own.
| Privilege Type | Scope | Application |
|---|---|---|
| Legal advice privilege | Confidential communications between client and lawyer for the purpose of obtaining or giving legal advice | Employment law advice about the employee's situation, HR consulting legal counsel about a grievance |
| Litigation privilege | Communications created for the dominant purpose of litigation that is in progress or reasonably anticipated | Documents prepared in anticipation of an employment tribunal claim |
| Without prejudice privilege | Communications made in a genuine attempt to settle a dispute | Settlement negotiation correspondence |
Where disclosure would prejudice ongoing legal proceedings, disciplinary investigations, or regulatory investigations:
| Scenario | Exemption | Scope |
|---|---|---|
| Active disciplinary investigation | May withhold investigation materials that would prejudice the investigation | Temporary — must be disclosed once the investigation concludes |
| Pending employment tribunal claim | Litigation privilege applies to documents prepared for the dominant purpose of litigation | Duration of the legal proceedings |
| Regulatory investigation (e.g., FCA, HSE) | May withhold documents that would prejudice the regulatory investigation | Coordinate with the regulator |
In the UK, under DPA 2018, Sch. 2, para. 22, personal data processed for management forecasting or management planning is exempt from Art. 15 to the extent that disclosure would prejudice the planning or forecasting. This may cover:
Limitation: This exemption is narrow and temporary. It applies only while disclosure would genuinely prejudice the planning activity, and only to the prejudicial material, not to the rest of the record.
Under DPA 2018, Sch. 2, para. 23, personal data consisting of a record of the controller's intentions in relation to negotiations with the data subject is exempt to the extent that disclosure would prejudice those negotiations. This may cover:
| Pitfall | Risk | Resolution |
|---|---|---|
| Failing to search email for "about" data | Incomplete disclosure; ICO complaint | Search line manager and HR mailboxes for the employee's name |
| Over-redaction of manager names | Excessive withholding undermines the right of access | Manager names may be disclosed where the employment relationship means the employee already knows their identity |
| Missing the one-month deadline | Regulatory complaint; enforcement action | Implement automated deadline tracking; request extension early if needed |
| Disclosing third-party special category data | Breach of Art. 9 + third-party complaint | Review all disclosures for special category data of third parties |
| Ignoring informal records | Incomplete disclosure: managers' personal notes about the employee are personal data and fall within the request | Include managers' informal notes, instant messages, and personal mailboxes in the search scope |
| Treating all DSARs as routine | Employee DSARs often indicate a grievance or impending legal claim | Alert legal counsel when a DSAR is received from an employee in a dispute |
Atlas received a DSAR from an employee who had recently been placed on a Performance Improvement Plan (PIP). The DSAR coordinator:
| Authority | Case | Fine/Outcome | Key Issue |
|---|---|---|---|
| ICO (UK) | Mermaids, 2023 | Enforcement notice | Failure to respond to employee DSARs within statutory timeframe |
| CNIL (France) | SAN-2022-009 | EUR 800,000 | Employer failed to provide employee with access to performance evaluation data within one month |
| AEPD (Spain) | PS/00231/2021 | EUR 70,000 | Employer refused employee DSAR claiming disproportionate effort without conducting proper search |
| Autoriteit Persoonsgegevens (NL) | 2022 Decision | EUR 525,000 | Employer provided incomplete DSAR response, omitting email data about the employee |
| Garante (Italy) | Provvedimento 2021-0234 | Corrective order | Employer over-redacted employee DSAR response, withholding non-privileged management communications |
| IMY (Sweden; formerly Datainspektionen) | DI-2022-1456 | SEK 200,000 | Employer failed to search backup systems for former employee's DSAR |