Hello, if an ex-employee submits a SAR requesting data relating to a grievance that involved the DPO/Caldicott Guardian and Access to Information Lead, how would it not be a conflict of interest that the parties involved were responsible for redaction and submission? Is there anything in DPA2018/GDPR?
Yorkie82
If you have a two-step internal review process in place, it should be easy to avoid having the same person involved in the disclosure process who was involved in the grievance procedure. But if the company's data protection professional has been involved in the grievance process, it should be very unlikely that there is unnecessary or inappropriate data stored that would need to be disclosed anyway…
There is no such thing as a conflict of interest, but it would be prudent to adapt the process slightly to have a stronger case for a fair process and independent review if a complaint is filed with the ICO. Let the DPO still advise on what should be redacted, but let e.g. the Head of HR make the decision based on the advice.
HellenB
This is a really thoughtful answer.
Your point about the DPO advising what should be redacted rather than making the final decision is something that should be a general practice, not least where there may be legal implications for a business. The practice of redaction could possibly be considered an ‘operational decision’, which some might suggest is outside the remit of a DPO's advisory role.
Stephen Lark
You need to be careful and consider the actual data required. A SAR is a request for information held on that data subject. It does not mean they have access to the content of all the communications that took place… only those that involved their personal data.
The DSAR procedure should specify exactly what type of data is being sent and the rest should be redacted.
Anything more may require a legal challenge by the data subject.
Simon
Potentially, yes. I would recommend that those individuals have zero involvement with the SAR other than as data subjects as necessary. You may need to find a new ‘home’ for the data you’re redacting while processing the SAR.
I would discuss it with them, and/or the level of seniority above them (even if that's the CEO), and request that another individual of equal seniority provide the sign-off. You may need to train that new person so they can make an informed decision.