Legal matters

Mumsnet has not checked the qualifications of anyone posting here. If you have any legal concerns we suggest you consult a solicitor.

SAR request

7 replies

Frostylee103 · 01/06/2025 12:11

Are there any DPOs on here? Or anyone familiar with handling subject data access requests / legal professionals that can help me? I understand the key principles of GDPR, however, looking for some specific advice.
On the back of a complex tribunal claim, I submitted a SARs request to my employer for many things but the main thing was emails containing my name(s)/initials in any emails sent, received, deleted or archived from a team of people. To collect the data, they got all the individuals on a call (who are mentioned within my legal case) and gave them the responsibility to retrieve the information prior to redacting and sending to me. I work for a large corporate organisation and my understanding is that where possible, IT should conduct the search to ensure they are compliant? Now, I’ve questioned that I’ve only been supplied single copies of conversations where there should be multiple copies as I’ve requested the documents from both parties (if that makes sense?). I believe some of what I’ve asked for may have been deleted and the individuals shouldn’t have had the opportunity to discard any documents/emails. Any people with experience with this I would be so grateful for advice! Thanks so much.

prh47bridge · 01/06/2025 13:24

There is no specific requirement in law for IT to conduct the search, but it is good practice.

If you've requested information about emails sent/received by, say, A and B, and they had a conversation about you, they only have to provide one copy of the conversation. Providing multiple copies doesn't add anything.

Deleting data to prevent disclosure is an offence. If any individuals have done this, the employer is responsible.

Frostylee103 · 01/06/2025 20:11

prh47bridge · 01/06/2025 13:24

There is no specific requirement in law for IT to conduct the search, but it is good practice.

If you've requested information about emails sent/received by, say, A and B, and they had a conversation about you, they only have to provide one copy of the conversation. Providing multiple copies doesn't add anything.

Deleting data to prevent disclosure is an offence. If any individuals have done this, the employer is responsible.

Thanks for your response. So technically, there is no issue with them putting a group call in with a whole team of people of whom I’ve required the documents from and give them the responsibility of producing all emails / instant messages mentioning my name or initials? I’ve also asked for any policy they have relating to SARs and they have said they don’t have one. Thanks again.

prh47bridge · 01/06/2025 20:40

Putting a group call in is not a problem. However, failing to make a full disclosure or deleting items to avoid disclosure is.

shuffleofftobuffalo · 02/06/2025 07:16

I’ve known it done both ways - last employer the information rights team would inform you of the SAR and that your email and Teams would be scraped. Previous one we had to retrieve the information ourselves and supply it to the relevant team.

Frostylee103 · 02/06/2025 07:34

shuffleofftobuffalo · 02/06/2025 07:16

I’ve known it done both ways - last employer the information rights team would inform you of the SAR and that your email and Teams would be scraped. Previous one we had to retrieve the information ourselves and supply it to the relevant team.

Thank you. I just feel for such a large organisation which have an IT and governance department, it should have been dealt with more sensitively knowing there is a legal case or some clear policy on how to handle such a request.

Needtosoundoffandbreathe · 02/06/2025 07:38

Are SARs not covered in the Data Protection policy and any related sub-policies? They may not have a specific policy into how SARs are responded to, but should set out broadly what is required in relation to SARs. Maybe you need to ask a slightly different question? I.e. ask for copies of all the suite of Data Protection policies and protocols.

ScaryM0nster · 02/06/2025 07:43

They have to provide the material. There’s no requirement to tell you how many copies of any particular item there are. It’s pretty standard in data requests to remove duplicates.

It’s also fine for people to delete things as part of their day to day data management. Anything that had already been properly deleted at the time of the request is fine. What shouldn’t happen is for things to be deleted after the request is made.

If the dispute has been running for a while you may well find that several people have had a good clear out of their emails well before the request was made.

There are no specific requirements about how the data retrieval is done. (Keep in mind it applies to all companies, and not everywhere has IT departments).

Once it became a legal issue, your name and initials may well have been left out of all correspondence. ‘The issue within the … team’ is a good way of communicating about a topic without it being attributed to the individual.
