
Employee DSARs vs. Customer DSARs: Key Differences and Challenges

Author: Jerisaliant

Why Employee DSARs Are Different

Employee DSARs present unique challenges that customer DSARs do not. The employer-employee relationship involves vast amounts of personal data, complex power dynamics, and data spread across numerous HR, IT, and communication systems. Employment tribunal claims and workplace disputes often trigger employee DSARs, adding legal sensitivity that customer requests typically lack.

Data Categories: Customer vs. Employee

Typical Customer Data

  • Account information (name, email, address)
  • Transaction history
  • Cookie and browsing data
  • Support tickets and communications
  • Marketing preferences

Typical Employee Data

  • Recruitment records (applications, interview notes, reference checks)
  • Employment contracts and amendments
  • Payroll, tax, and benefits records
  • Performance reviews and disciplinary records
  • Training records and certifications
  • IT usage logs (email, internet, device monitoring)
  • CCTV footage of workplace areas
  • Occupational health records
  • Internal communications mentioning the employee

The sheer breadth of employee data makes searches far more complex and time-consuming.

Key Challenges with Employee DSARs

Unstructured Data

Employee data is often scattered across emails, chat messages, shared drives, handwritten notes, and informal records. Unlike structured customer data in a CRM, employee mentions can appear anywhere in the organization's communications.

Legal Privilege

If an employee DSAR is triggered by a workplace dispute, some documents may be subject to legal professional privilege. Privileged material does not need to be disclosed, but identifying it requires careful legal review.

Management Notes and Opinions

Performance reviews, informal management notes, and discussions about the employee between managers are personal data that must be provided. This can be sensitive and may reveal opinions the employee was not aware of.

Third-Party Data

Employee records frequently mention other employees (e.g., in disciplinary proceedings, grievance investigations, or team evaluations). Extensive redaction may be required to protect third parties.

Handling Tips for Employee DSARs

  • Involve legal early: Given the litigation risk, engage employment lawyers from the outset.
  • Map HR data sources: Maintain an inventory of all systems that hold employee data (HRIS, email, file shares, monitoring tools).
  • Set clear scope: Clarify with the employee what data they are seeking. A targeted request is easier to fulfill than a blanket "give me everything" request.
  • Redaction protocols: Establish clear criteria for what must be redacted and train staff accordingly.
  • Preservation: If litigation is anticipated, ensure relevant data is preserved and not routinely deleted.

Jerisaliant's DSAR module supports workplace-specific request workflows with HR system integrations, automated PII detection for redaction, and legal hold capabilities.
