Q: An employee used our email system to run their side business. Now we have received a subject access request from one of their customers. What should we do?
If your employee was engaged in what lawyers rather delightfully call ‘a frolic of their own’, they are almost certainly the data controller and the request should be addressed to your employee and not to you.
However, things are rarely that simple and your employee has left you with a number of challenges regardless.
The data in scope is held on your information systems, and the employee almost certainly needs your cooperation to fulfil the request. If you agree to help, that would make you a data processor. You might prefer to refuse – but even if you do, you should keep an archived copy of the data in case you are ordered to provide it in future, for example if you become party to a complaint to a court or the regulator.
You should have policies in place such as an Acceptable Use policy, setting out how employees can use your assets (such as devices, licenced software and information systems) and clarifying that the company has reasonable access and oversight rights over how the assets it provides are used by staff. These policies wouldn’t normally allow staff to use company assets to run unrelated business activities without permission from the company. You should check that your policies cover everything you want them to and that your employees understand them.
A data protection impact assessment (DPIA) can help flush out and anticipate one-off or unusual circumstances like this, allowing you to risk-assess such events and outline how to deal with them should they arise. Now could be a good time to check whether anyone else is up to anything similar (your IT team should be able to help with this), and to run a staff awareness campaign to remind them of what is and isn’t allowed. It is also advisable to check that your disciplinary, grievance, complaint and whistleblowing policies accommodate employee obligations and company action in this regard.
Data protection is far from your only issue. Because the employee used your email system, your company name, email footers and registered company information may have made it look as though the employee’s side business is associated with your business, which may carry its own risks. Your employee may also have contravened other business rules by working another job and using company equipment for it. You should involve your HR team and company lawyers to assess all the risks you face here and make sure you can take appropriate action.