Employee privacy requests: challenges and best practices
by Josh Schwartz
One of the most vexing issues in privacy work is employee data protection. Many privacy laws (including the EU GDPR, UK GDPR, California CPRA, and Brazil’s LGPD) extend privacy rights not just to consumers but also to employees, yet most privacy programs and technologies were built with consumers top of mind. When it comes to employee privacy, no issue is more challenging than responding to Subject Access Requests (SARs, for short): the right of employees to request the information their current, former, or prospective employer holds about them. Although most companies get vastly more SARs from consumers, the amount of data they hold about each employee is vastly greater, so responding to an employee SAR can be a huge undertaking.
Over the past few months, we’ve gone deep into research on how companies are implementing their employee SAR programs, reading as much as we could and speaking with more than 20 privacy leaders about the state of employee SARs. We spoke with privacy leaders from governments, publicly traded companies, startups, law firms, and consulting firms. A few of our key learnings are below.
Employee SARs are on the rise, with quite a bit of geographic variation
While the rates of SARs varied quite a bit per company, in general we heard UK- and EU-based folks report a rate of SARs per year equal to 1-2% of employee headcount. So, companies with 10,000 employees are getting 100-200 SARs per year. US companies are getting fewer, though that number is on the rise from employees in California.
The most common types of data requested in a SAR varied significantly by country, according to those we spoke with:
- In Europe, the most common type of request was informational in nature, where folks reported employees being curious what type of data their employer kept about them.
- In the UK, the most common type of request we heard about was requests from former employees asking for performance-related information.
- California, like the UK, reported more HR-related requests. Several folks mentioned questions from candidates about information during the hiring process being more prevalent than questions from former employees.
Organizations handling dozens of SARs per month are setting up dedicated teams for SAR responses, often living within the HR department since that team is best equipped to handle employee data.
Concerns about “weaponization” of SARs
Over and over in our research, folks we talked to used the phrase “weaponization” when referring to employee SARs. Many requests coming in feel like a request for information in advance of potential litigation, a way of gathering information before a traditional discovery process.
That tenor to the requests raises the potential stakes of a SAR response, since folks have to be concerned about how the data they share will be used. For many companies, this means that senior leadership is involved in each SAR response, and outside counsel is often pulled in as well. We talked to multiple companies where the Data Protection Officer / Chief Privacy Officer personally reviews each response. While this ensures accuracy on a high-stakes and highly sensitive issue, it also means that employee SARs are incredibly expensive to handle.
Document volume is high, and there isn’t agreement on how to approach responses
Most employee SAR responses start with the use of an eDiscovery API to pull all documents related to an employee, but we’ve heard quite a bit of variation from there.
Most companies have some sort of scoping process: rather than responding with every single document they have about an employee, they work with the employee to understand the nature of their request. This process often involves quite a bit of 1:1 discussion, and different companies have different ways of handling it. For example, one company mentioned sharing a large spreadsheet of email subject lines but requiring that an employee explicitly ask for an individual email body.
One thing that makes responding to an employee SAR so much more complex than a consumer SAR is that much of the information a company stores about an employee is in unstructured form and in documents that contain other information.
For example, a manager’s summary of their team’s overall performance might contain a paragraph that discusses an individual employee and several other paragraphs discussing other folks. For a company to respond appropriately they need to redact all irrelevant information from that document (so that they aren’t disclosing other people’s personal information to the requestor!) while retaining the information that is germane to the request.
Most teams we talked to framed this in terms of redaction — starting with the full document and removing irrelevant information. A few took the opposite approach, excerpting only the individual bits of information relevant to a subject out of each document.
This was another place where practices differed quite a bit. Many companies respond in stages, to avoid processing an overwhelming number of documents. Some companies respond with individual redacted documents (if this is you, just make sure that your redactions can’t be undone!), while others paste into a master spreadsheet.
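The redact-versus-excerpt choice described above, together with the caveat that redactions must not be undoable, as an added example (not code from the original post or from Phaselab's product): a text-level pass that keeps only material about the requesting employee, destructively removes third-party sentences and names, and checks the text to be delivered before release. The team summary and all names in it are constructed for the example.

```python
import re

# Constructed sample: a manager's team summary naming three people.
# All names are hypothetical.
TEAM_SUMMARY = """\
Q3 team review.

Alice Example exceeded her delivery targets and led the platform migration.
Her growth plan includes a move toward a staff engineer role.

Bob Sample struggled with on-call responsiveness this quarter and has
been placed on a coaching plan.

Carol Specimen and Alice Example jointly ran the incident review process.
Carol Specimen was promoted in September."""


def _paragraphs(doc):
    return [p.strip() for p in re.split(r"\n\s*\n", doc) if p.strip()]


def _scrub(paragraph, subject, others_re):
    """Drop sentences about third parties that do not mention the subject;
    mask any remaining third-party names. Text is replaced, not overlaid,
    so the output carries no recoverable copy of what was removed."""
    kept = []
    for sent in re.split(r"(?<=[.!?])\s+", paragraph):
        if others_re.search(sent) and subject not in sent:
            continue
        kept.append(others_re.sub("[REDACTED]", sent))
    return " ".join(kept)


def excerpt(doc, subject, others):
    """Excerpting approach: emit only paragraphs that mention the subject."""
    others_re = re.compile("|".join(map(re.escape, others)))
    return "\n\n".join(_scrub(p, subject, others_re)
                       for p in _paragraphs(doc) if subject in p)


def redact(doc, subject, others):
    """Redaction approach: keep the document's shape, blank out paragraphs
    that are only about third parties, and scrub the rest."""
    others_re = re.compile("|".join(map(re.escape, others)))
    return "\n\n".join(
        "[PARAGRAPH REDACTED]" if others_re.search(p) and subject not in p
        else _scrub(p, subject, others_re) for p in _paragraphs(doc))


def leaks(delivered_text, others):
    """Pre-release check: third-party names still present in the text that
    will actually be sent. For a PDF, run it on text extracted from the
    final file, which is where overlay-style redactions get caught."""
    return sorted(n for n in others if n in delivered_text)
```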
While timing requirements vary by jurisdiction, most teams we talked to try to respond as quickly as possible to employee SARs — the most typical timeline we heard was 5 business days. Needless to say, a timeline like this requires scalable processes — getting through scoping, document discovery, redaction, review, and response in a few short days simply requires automated tooling.
The scope and content of responses are an area where teams need to rely on legal advice tailored to the relevant requirements and the specifics of the request.
Working to improve your own responses to employee SARs?
At Phaselab, we’re committed to helping companies scale their privacy programs. Because employee data is particularly challenging to scale, we’ve built the first product specifically focused on helping companies respond to employee SARs. If you’d like to learn more or if you have questions about your process, reach out to me at firstname.lastname@example.org anytime or click the "Get in touch" button below.