Why Employers should destroy Interview notes: low down on Data Protection and DSAR
By Karen Holden founder of A City Law Firm
Did you know that a potential candidate can use GDPR to gain access to their interview notes? This is not a new entitlement, but more people are aware of their rights and less businesses prepared.
The introduction of more and more technology into everyday life is going to see a huge increase in data subject access requests (DSARs). Gathering this data and responding to a DSAR can be a lengthy process and it’s important for businesses to have the necessary processes in place.
Data protection is an extremely important and vast area of the law that is updating regularly, so it can be hard to keep up. Mistakes can often be made around this and even those practising the law have accidentally revealed sensitive information about third parties when complying with requests. This serves as a stark reminder for all employers or potential employers, to ensure they know the law around DSARs.
The Laws behind DSARs
A person’s right to make a DSAR is a protection enshrined in the General Data Protection Regulation (GDPR). It is also a fundamental right under the Charter of Fundamental Rights of the European Union (2012/C 326/02). Article 8(2) says that "everyone has the right of access to data" which is collected about them. However, what data they are entitled to should be considered as it’s not as easy as ‘everything’.
What employers should do when they receive a request?
It can be a difficult and time-consuming task to effectively respond to a DSAR. Therefore, it is advised that businesses have an internal procedure in place to deal with the requests as efficiently as possible, which must mirror their Privacy and Data Protection Policies. This policy should:
- be circulated to all staff
- include key contacts who can assist in dealing with the DSAR
- be concise and achievable
- Should be regularly monitored and updated, as applicable.
Remember, the deadline under the GDPR for dealing with a DSAR is normally one month. You must act quick to ensure this deadline can be met.
Is the data they are asking for within reason?
It is important to understand the information that is being asked for. Do not be afraid to ask questions and converse with the individual issuing the DSAR – you are allowed to consider redacting or refusing data that they are not legally entitled to.
Although Article 15 contains no limit on the personal data that an individual can ask for the EU law provides some good guidance. First, the principle of proportionality requires that measures adopted should not exceed the limits of what is appropriate and necessary to achieve the objectives pursued by the legislation in question. The Subject Access Code also confirms that an employer is not required to do things that would be unreasonable or disproportionate to the importance of providing subject access.
The general consensus is that you should try to find as much information as possible in line with the request but do not have to employ any unreasonable methods in your search.
Be wary of data breaches
It is paramount that the privacy of third-party data is protected when responding to a DSAR. Generally, such data should be redacted or removed.
However, if the third party has provided their consent to disclose the data, or where the employer determines that it would be reasonable to disclose the data without consent, it is possible to provide the data. If you believe a breach has occurred, make a report to the ICO as soon as possible to aid in rectifying the breach and protecting yourself.
Document the process
If the person issuing the DSAR does not believe you have complied with your obligations they can either apply to the court for a compliance order or make a complaint to the ICO. It is useful, if this happens, that you have a well-documented record of what you looked for and why you did this, including reasonings behind why you did not do something too.
Retention of interview notes
Ultimately it is advised to destroy interview notes especially if you are not going to hire that person. You should do so in compliance with your policy - be it on a daily, weekly or monthly basis. Restricting how long you hold this data will aid you in such requests by reducing your workload. Also, retaining data too long may also in itself be a breach. For instance if you do not hire a candidate , unless they consent otherwise, holding their data say for 6 months or a year would be seen as unreasonable. As a general rule of thumb, it’s always best to dispose of any unnecessary data earlier rather than later – don’t be a data hoarder.
Policy and Process
It is important to always keep up to date with the latest and think ahead. Businesses should have explicit policies and guidelines that are clear to all its employees. If necessary, arrange training, monitor and have someone appointed to oversee data gathering, destruction and disclosure. It is always advised that, when in doubt, you contact a legal professional.
Add your comment
- Administration 1
- Building Design, Planning, Development 1
- Catering 2
- Construction 4
- Contracts, Projects, Bids 2
- Energy Management 1
- Engineering, Maintenance 16
- Estates, Property 5
- Facilities Management (main) 20
- Hard Services 12
- Health & Safety 1
- Management 5
- M&E 3
- Operations 6
- Sales & Marketing 3
- Soft Services 5
- Sustainability 1
- ICT, Technical 5
- Workplace 2