What is the difference between a FOI and DSAR request from an employee?

Navigating requests for employee data and information can be complex and time consuming. In this article we provide an overview of the differences between a Freedom of Information (FOI) request and/or Data Subject Access Request (DSAR). The two are often mistaken given their similarities in the request for information that an organisation holds that could be useful for the person requesting it. Employers can benefit from learning about the differences to ensure legal and management time and costs are reduced in responding to requests for information effectively.

What are the differences between a FOI request and DSAR?

Employers should familiarise themselves with the following key differences to ensure requests are properly dealt with.

DSAR: The Data Protection Act 1998 gives any individual (data subject) the right to request access to all the information held about them.

A DSAR allows individuals to request data held by organisations such as employers, about themselves as a data subject. A request for information should not be made on behalf of someone else, except where an organisation is satisfied that a third party is entitled to act on behalf of the individual. This differs to a FOI request because it relates to data held about the individual making the request.  Such as internal email correspondence written about them by colleagues, management or those who report to them.

Employers often receive DSARs from employees in connection with data held about them and created during their employment. For example, an employee may request data to support a claim in the Employment Tribunal, by collective evidence that could help their claim. Information requested will inevitably include internal email correspondence and so employers should be alive to the possibility that any emails sent about employees internally maybe in some way critical or disrespectful and could be disclosable to an employee under a DSAR.

Information which is subject to litigation or legal privilege may be excepted from disclosure under a DSAR. Litigation privilege is information prepared for or in contemplation of litigation. Legal privilege is information given to or received from legal advisers for the purposes of obtaining or receiving legal advice.

FOI Request: A FOI request is a means by which a member of the public can access information held by public authorities under the Freedom Information Act 2000.

Examples of public authorities include councils, schools and colleges and publicly owned companies. Employees can make FOI requests to their own employer, however, the information requested must relate to general workplace policies, meeting minutes or information and documents about the organisation rather than concerning the individual employee to fall under the scope of a FOI request.

The individual requesting the information does not need to state why they are making the FOI request.

It is not uncommon for an information request to mistakenly state that it is being made as a FOI request, especially if a company carries out a public function. Employers should note that if the request itself relates to a request for an individual’s personal data, it must be treated as a DSAR and responded to accordingly. The individual does not need to make a new request and so employers should ensure they respond to the request in time.

How can information be requested?

Whilst a FOI request must be submitted in writing, there are no formal requirements for a valid DSAR.

A DSAR can be made via any means such as verbally, in writing or via social media. Employers should take note that a request for personal information under a DSAR does not necessarily need to be made formally by employees. Effective monitoring of social media platforms will assist in the prompt receipt of and responses to any requests made by such means.

When does a response need to be given?

A FOI request must be responded to ‘promptly’ and no later than 20 working days following the date of receipt of the request. Employers should carry out searches to locate the information requested and respond to an individual, confirming whether the information is held by the organisation. If the information is not held by an organisation, this must also be communicated to the individual making the request.

In some circumstances, a FOI request may be refused and this must be communicated to the individual in writing, within the usual 20 working day time limit. Generally, the rationale for refusing a FOI request is such that the public interest in maintaining the exclusion of the duty to confirm or deny, outweighs the public interest in disclosing whether the authority holds the information.

A DSAR must be responded to within one month of receiving the request. If the request is particularly complex, or if an individual has made multiple requests, this can be extended by a further two months. For further details about extending the time limit to respond to a DSAR, read our previous article here.

Employers should communicate the need to extend any time limit for responding to the DSAR in writing and provide reasons explaining why. Effective monitoring of deadlines will assist employers to ensure a response is provided in time.

If a DSAR requests a large amount of information, employers may request that the individual provides further details, so that the search may be refined to obtain the relevant information.  Employers may hold vast amounts of information about employees, particularly individuals with a lengthy period of service – so it may be difficult to locate and collate all of the requested information without performing a concise search of workplace documents and systems.

What are the costs involved?

A DSAR response must be provided free of charge, unless the request is deemed manifestly unfounded or excessive, in which case administrative costs of complying with the request can be charged. For further details, you can read our previous article here.

An organisation can charge for dealing and responding to a FOI request. This includes dealing with any redactions to any exempt information. Notice must be given to the applicant that a fee of a specified reasonable amount will be charged for dealing with the request. A fee may only be charged for costs incurred in disclosing the information if the information is held by the organisation and the request is not refused.

How can we assist?

Employers should take steps to consider how its IT systems work and put effective measures in place such that information may be promptly recovered and accessed if a FOI request or DSAR is made. Employees in relevant administrative roles should be trained to use the systems and identify whether an information request is a FOI request or DSAR. This will help to ensure that any requests are received and allocated to the correct team to deal with, so that any deadlines may be complied with.

We can assist employers by helping to simplify the process and take away some of the administrative stresses involved in responding to information requests and collating disclosable documents and data. We have experience in effectively dealing with DSARs and assist employers, with the benefit of our AI driven review and redaction systems in handling these types of request, by:

• helping you to identify whether a request for information is a FOI request or DSAR and the next steps required to respond appropriately;
• assessing whether the data request has been made in the correct manner and if not, how to reject requests for information;
• considering what information needs to be disclosed to employees and whether any exceptions apply such as litigation or legal privilege;
• consulting the Information Commissioner’s Office (ICO) guidance and advising you on the next steps to ensure compliance with your obligations as a data controller; and
• using our AI driven software to carry out searches, collate and redact information to be disclosed to effectively and promptly deal with a DSAR or FOI request.

If you would like to find out more information about how our DSAR software can assist you, check out our latest video here. If you require employment law advice or have any queries regarding the FOI requests or DSARs, please contact a member of our team.