Data protection laws require organisations served with a ‘data subject access request’ to reveal personal data they hold on an individual. Organisations are required to carry out a ‘reasonable and proportionate’ search for such data.
Guidance issued by the Information Commissioner’s Office (the independent body charged with upholding individuals’ data privacy rights) indicates that, if an organisation has authorised employees to hold such data on their personal devices, in their private email or social accounts, etc and has good reason to believe they are holding such data, then it may be reasonable and proportionate to search such devices, accounts, etc for relevant personal data.
The same may apply to those providing services to the company, but who are not employees, such as non-executive directors.
Operative date
- Now
Recommendation
- Employers should consider a work policy stating whether employees can use personal devices, accounts, etc for work purposes and, if they can, setting out when and how employees must make personal data on these available to their employer, how the process of doing so is recorded, and the penalties if they refuse.
- Employers should also consider setting up dedicated business email accounts for non-employees involved with the company, such as non-executive directors, who may have access to personal data because of their role but would not otherwise have a ‘work’ email at the organisation.
This article from Atom Content Marketing is for general guidance only, for businesses in the United Kingdom governed by the laws of England. Atom Content Marketing, expert contributors and ICAEW (as distributor) disclaim all liability for any errors or omissions.
Copyright © Atom Content Marketing
ICAEW Business Advice Service
Grow your business with trusted business advice. We connect entrepreneurs, start-ups, and SMEs with ICAEW regulated accountancy firms who will provide a free initial consultation without obligation.
