Considerations for Handling Employee Access Requests (DSAR)
On January 1, 2023, the California Privacy Rights Act’s (CPRA) amendments to the California Consumer Privacy Act (CCPA) took effect. In parallel, the California legislature failed to extend exemptions that since 2020 granted employers a temporary reprieve from many CCPA compliance obligations. And so the exemptions expired on Jan 1st.
What does this mean for businesses and their HR and Legal departments?
As of Jan 1st, California employees and contractors can exercise their full set of rights under CCPA 2.0, starting with the Right to Know/Access their personal information along with the context around its collection, use, and disclosure.
As under the EU’s General Data Protection Regulation (GDPR), the right of access (i.e., exercised via data subject access requests, or “DSARs”) should be viewed as a gateway to the other enforceable rights individuals may exercise. In a Human Resources context, this comes with a number of unique legal and procedural implications.
Employees as “Consumers”
The amended CCPA applies to the personal information and “sensitive personal information” California businesses collect for recruitment, payroll, benefits management and other human resources administrative functions. Covered individuals include:
- Job applicants
- Past and current employees
- Independent contractors
- Owners, directors and other company officers
Components of a DSAR Response
According to the Purpose and Intent section of Proposition 24 (CPRA): “Consumers should [still] know who is collecting their personal information and that of their children, how it is being used, and to whom it is disclosed so that they have the information necessary to exercise meaningful control over businesses’ use of their personal information and that of their children.”
What an organization ‘knows’:
- Categories of personal information it has collected about that consumer.
- Categories of sources from which the personal information is collected.
- Business or commercial purpose for collecting, selling, or sharing personal information.
- Categories of third parties to whom the business discloses personal information.
- Specific pieces of personal information it has collected about that consumer.
To whom that data may have been disclosed, “sold” or “shared”:
- Categories of personal information that the business collected about the consumer.
- Categories of personal information that the business sold or shared about the consumer.
- Categories of third parties to whom the personal information was sold or shared, by category or categories of personal information for each category of third parties to whom the personal information was sold or shared.
- Categories of personal information that the business disclosed about the consumer for a business purpose and the categories of persons to whom it was disclosed for a business purpose [i.e., service providers and independent contractors].
As under the GDPR, organizations would also need to disclose whether they engage in profiling and automated decision-making.
In-Scope Personal Information
Workforce members can exercise all of the same privacy rights as other California “consumers”. Starting with the gateway right “to know”, employees can request access to more information than is already provided under the California Labor Code.
Under the state labor code employees may access information such as:
- Payroll records
- Personnel records
- Benefits records
- Signed documents
Under CCPA 2.0, employees may also learn about and access additional specific pieces of information, including:
- Geolocation information
- Biometric information
- Internet activity
- Inferences (per guidance by the California AG)
Considerations for Processing Employee DSARs
While employee access requests follow the same mechanical process as other privacy requests (i.e., data subject requests or “DSRs”), there are unique considerations for HR to navigate.
External vs Internal systems
When a Data Subject Access Request is made, the personal data in question may not only live in third-party HR SaaS apps, but potentially also in what we call “Internal Systems”. These can include:
- Custom Databases: MongoDB, MySQL
- Data Warehouses or Data Lakes: Snowflake, Redshift
- Unstructured Data Stores: Elasticsearch, AWS S3
- Internally Built Applications: Proprietary platforms and apps
You can learn more about DataGrail’s Internal System Integration capabilities here.
Many popular HR and talent recruitment applications offer employees self-service capabilities. In many cases, employees will be able to log in to view their personnel files and related information. This can also include former employees, who may be able to retrieve some information (commonly payroll, tax and benefits records) after termination.
However, not all information may be directly accessible, and not to all individuals in all regions, in which case the job applicant, current or former employee may need to reach out to Privacy or HR.
Employee handbooks and other such documentation should specify how workforce members can avail themselves of any self-service capabilities, and should set out the circumstances where HR should be contacted directly or by way of a standardized intake form.
Generally, upon request HR organizations must provide access to or a copy of all relevant personnel data. This may include electronic or paper employment records, benefits information, performance test results, grievance-related information, and in some cases certain email correspondence.
However, information concerning an employee can overlap with other kinds of company information. For example, the majority of work emails and shared files are about job functions and interactions, not specific employees. Additionally, correspondence and files may involve other individuals or contain trade secrets and other company-confidential information. In both cases that information would be protected from disclosure.
HR organizations will need to work closely with Legal to ensure employee DSARs are handled in line with company policies and applicable laws. This includes following appropriate legal hold and litigation discovery procedures where required.
The CCPA as amended by CPRA (i.e., CCPA 2.0) has an uncapped look-back provision that may create additional challenges for HR organizations.
CCPA 2.0’s Right to Access has two components:
- Expanded look-back reach. All DSARs are retroactive. Under the original CCPA there was a 12-month limit on how much information a California business needed to provide in a summary or detailed access response. CCPA 2.0 lifts this 12-month cap, allowing Californians to ask for as much historic information as it is possible for an organization to provide. That said, because of how the amended law works, organizations do not need to reach past Jan 1, 2022.
- Expanded scope of information. Valid DSAR responses would need to follow CCPA 2.0’s comprehensive, GDPR-like transparency requirements. Organizations need to keep track of and be prepared to provide categorized context about virtually all of their operational activities involving individuals’ personal and sensitive personal information. This includes categories of “third parties” as well as “service providers” and independent “contractors” to whom employee data may have been disclosed.
To meet the full scope of employee DSARs, HR organizations need to know where all employee data is and where it may be going. In some cases HR service providers may need to be asked for help. Contracts with HR-related service providers may need to be updated to clarify support responsibilities and turnaround timelines.
DSAR Processing Timeline
In the U.S., businesses must adhere to the following timelines when responding to DSARs, beginning with their receipt of the request:
- Within 10 days – Businesses must acknowledge their receipt of a DSAR
- Within 45 days – Businesses must respond to a DSAR, either:
  - Providing the requested information and confirming the request was completed
  - Denying the request based on its validity and providing the reasons why
  - Notifying the requester that the data processing will take longer than 45 days and why
- Within 90 days – Businesses may extend their timeline up to 90 days if they notify the requester and provide the reasons for delay
Compiling Information for the DSAR Response
After determining the DSAR’s validity and scope, businesses must begin collecting the employee’s personal data and compiling a report on when and how it was collected, processed, and stored.
That said, businesses should take all due care with disclosing legally protectable trade secrets, information pertaining to other individuals (outside of a valid request submitted on behalf of a data subject), and especially sensitive pieces of personal information (see below).
Section 7024 of the modified CCPA Regulations reiterates circumstances under which company- or privacy-sensitive information should not be disclosed.
As discussed above, HR organizations may find it necessary to deny a DSAR in whole or in part. A response denying a request is expected to provide:
- Reasons for denial, including:
  - Conflicts with state or federal laws
  - CCPA exceptions
  - Inadequate documentation
  - Unreasonable or disproportionately effort-intensive requests (e.g., those requiring work-related emails to be separated from emails specifically about the employee)
- An explanation of those reasons if citing unreasonable or disproportionate efforts
- The requester’s ability to provide a written statement of no more than 250 words and request its addition to their files if correcting medical information inaccuracies
- The requester’s right to request the deletion of the personal information in question, unless exceptions apply
Key Takeaways
- As of Jan 1, 2023, California employees and contractors can exercise their full set of privacy rights, including the strengthened Right to Know/Access.
- To respond to access requests (DSARs), HR organizations will need to ensure their system inventories and data maps, as well as vendor contracts and company policies, are current.
- Job applicants and employees may already have access to self-service tools, but they still have the right to request all relevant information collected or inferred concerning them.
- What information is relevant and appropriate to disclose can be constrained by competing legal, confidentiality and practical exemptions. HR administrators may need to work closely with Legal to define the scope of what is accessible and disclosable, how and under what conditions.
We discuss these and related issues in a recent webinar, “DataGrail Expert Series: Countdown to the CPRA”.
Information is provided for informational purposes only and is not meant as legal advice.
California Legislative Information. 1.81.5. California Consumer Privacy Act of 2018 [1798.100 – 1798.199.100]. https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5
CPPA. Modified Text of Regulations. https://cppa.ca.gov/regulations/pdf/20221102_mod_text.pdf
State of California Department of Industrial Relations. Personnel Files and Records. https://www.dir.ca.gov/dlse/faq_righttoinspectpersonnelfiles.htm
Shouse Labor Law Group. California Labor Code 1198.5 LC – Personnel Records. https://www.shouselaw.com/ca/labor/labor-code-1198-5/
BakerHostetler. CCPA Compliance Meets Trade Secret Protection: A Peaceful Coexistence? https://www.bakerdatacounsel.com/ccpa/ccpa-compliance-meets-trade-secret-protection-a-peaceful-coexistence/