
to this this is not true - SAR/GDPR etc

22 replies

Recavanometer · 27/05/2019 10:29

My sister is under investigation for something work related. She has done an SAR, and specifically requested amongst other things, the correspondence between her employer and their insurance company.

She knows there is correspondence because it’s referred to in letters she was copied in on.

Her employer is refusing to supply the correspondence because they say it sits on the insurance company’s website and they can only access it with a password.

She has done an SAR to the insurer anyway, but surely the employer is mistaken in thinking that they don’t have to comply if it’s not their portal.

Any ideas?

Recavanometer · 27/05/2019 10:54

Anyone?

Yukka · 27/05/2019 10:57

Yes the insurer is bound by the same regulation, and the company would have had to confirm their compliance or alter contractual agreements to make sure they were compliant too. The company holds the duty of full disclosure including its authorised third parties.

Recavanometer · 27/05/2019 11:02

Thank you.

The insurer appears to be complying with the request but it’s the employer who is saying that their correspondence with the insurer is held on the insurer’s server and therefore they don’t have responsibility for it.

My sis argues that her employer can and must access the correspondence, screen shot it and disclose it.

Is she right?

sashh · 27/05/2019 11:06

It's irrelevant that it is on the server, they can give her paper copies, paper data is still data.

Yukka · 27/05/2019 11:07

Yes, she’s right in that they have to have a process in place with the insurer in order to comply. If they are saying they don’t, then they are in breach of the GDPR regulation (see below). The employer is the controller and the processor is the insurer; your sister can point that out to them.

Responsibility for complying with a subject access request lies with you as the controller. You need to ensure that you have contractual arrangements in place to guarantee that subject access requests are dealt with properly, irrespective of whether they are sent to you or to the processor. More information about contracts and liabilities between controllers and processors can be found here.

You are not able to extend the one month time limit on the basis that you have to rely on a processor to provide the information that you need to respond. As mentioned above, you can only extend the time limit by two months if the request is complex or you have received a number of requests from the individual.

Recavanometer · 27/05/2019 11:16

Brilliant. Should she write back to the data controller, or to the HR director, who told her he couldn’t share the data on the insurer’s portal?
Or go straight to the ICO?

Yukka · 27/05/2019 11:16

Yes, irrespective of ‘how’ the data is held, they are processing it on behalf of the employer. So the employer HAS to have the means to retrieve that data when required, and it must be presented in a way that the ‘subject’ can understand it: no codes or anything, just simple English. But like I say, it sounds like they are not compliant and she should complain and report them to the ICO if it’s important enough.

Yukka · 27/05/2019 11:20

I’d go to the HR director and, if there is one (which there should be), the data protection officer. See what response she gets, then she could go to the ICO.

AngelinaNeurosurgeon · 27/05/2019 11:22

If the employer holds information about your sister then yes, they should be considering disclosing it under a subject access request. However, there are exemptions from disclosure of personal data and it may be that the employer is seeking to rely on one of those to withhold from your sister. You say she is under investigation, so if the employer is looking to negotiate a settlement with her, and looking to their insurer to get an idea of payouts, then at this stage the contents of their correspondence may well be exempt from disclosure.
Also, the insurer is in this context unlikely to be the employer’s processor but a joint data controller. As such they should also be responding to SARs.

AngelinaNeurosurgeon · 27/05/2019 11:24

But she should definitely go to the employer’s DPO, who should at least be capable of providing a proper response and, if they continue to withhold, explaining the correct statutory basis for doing so.

DointItForTheKids · 27/05/2019 11:52

And should the clock counting down any timeframes applicable at this stage be put on pause whilst this is resolved?

Recavanometer · 27/05/2019 12:02

They’re already at 6 weeks against a 30-day timeline.

markinapub · 28/05/2019 05:29

Have they acknowledged the SAR? The 30 day time limit is to respond, not to provide, so if there are extenuating circumstances they may not be in breach.

Also, this correspondence - does it include data on other people? I believe it may be a grey area, as a SAR relates to data held, not necessarily specific correspondence, and if the correspondence also includes data on another individual they are not obliged to share that with you.

Info on what a SAR request must provide can be found here: ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

I guess your sister has, but proper legal advice should be sought.

Recavanometer · 28/05/2019 08:57

Hello, yes they’ve acknowledged it, sent a few bits but then said that they won’t send anything that sits on the portal of their insurer. She said it looks like they’ve just sent what she knew would be in her personnel file, rather than done a proper search. And are clearly not keen to send info on the insurer discussions.

Recavanometer · 28/05/2019 09:01

There shouldn’t really be very much if anything that needs redacting because it is all about her.

markinapub · 28/05/2019 09:27

OK - GDPR (and DPA) focus on Data Protection and the data held on an individual. This is usually in relation to personal data, what is held (address, birthday, gender etc.), where it is held, why it is held, how it is held etc.

I do not believe 'correspondence' falls under GDPR as it doesn't necessarily constitute 'personal data' but would recommend legal advice on this as correspondence isn't typically 'data held' in the eyes of the legislation; one good lawyer could argue it is, one could argue it isn't.

Recavanometer · 28/05/2019 16:24

I thought it firmly fell under data. For example you can request a copy of your references from your previous employer.

markinapub · 28/05/2019 18:25

As I say, legal advice is best if there is a true concern. Data in correspondence may well be subjective and not privy to all the legislation. GDPR is concerned with what data is kept and where and how. For example, if I told you in this message that my mum was meeting Doreen for dinner, that isn't personal data under GDPR, so this may be why they're withholding.

Pumpkinnose · 28/05/2019 18:49

The advice on the thread so far is probably incorrect. Your sister’s employer may well be right - it sounds like the insurance company are controller of the data and, as such, the DSAR obligation is on the insurance company, not the employer to disclose.

Your sister just needs to wait for the insurance company to provide.

Jebuschristchocolatebar · 28/05/2019 18:59

I work in a big company investigating internal issues like staff fraud. People do SARs thinking they are entitled to everything a company holds on them. There are exclusions such as ongoing investigations and correspondence held around the same, legally privileged documents, and anything that basically is not your personal data, i.e. name, address, DOB.

Borednewcomer · 28/05/2019 19:02

@Pumpkinnose is correct. I'm an information security manager so I deal with this a lot. If the information requested was between the insurer and your sister (personal or work) then the company may not have access to the information. Also, the extending of the one month response time is a lot more flexible than what is being said. If the information requested is on the insurer's data servers then that would certainly cause the request to be more complicated and the company would have every right to extend the time.

Borednewcomer · 28/05/2019 19:06

The question of whether correspondence counts as personal data is again complicated, but the general view is yes. But that also means that the person who was being corresponded with would also have to give expressive consent, otherwise you are breaching GDPR. Essentially personal data = anything that could identify a specific individual. I would recommend visiting the ICO website if you haven't already.
