Mike Ashley’s High Court Victory – What Does it Mean for Employee Data Subject Access Requests?

There is still plenty of room for debate when it comes to the “correct” way to deal with a data subject access request (DSAR) under the UK GDPR. Additional guidance issued by the Information Commissioner’s Office (ICO) over recent years has helped, but in many ways handling a DSAR is still an art rather than a science. Throw in a sensitive employee relations issue, a Bring Your Own Device policy, a mixture of electronic messaging systems or all of the above, and it quickly becomes a minefield.

The judgment handed down last week in Michael Ashley v Commissioners for His Majesty’s Revenue and Customs contains some welcome and important guidance. Key takeaways for employers in particular include:

• If you control it, you search it. That is, of course, subject to what the DSAR actually asks for and the principle of proportionality. But factors that won’t impact where you need to search are how the business is structured, whether data is held in one department or another, or even if different departments run their own separate process for handling the DSARs they receive. The key question is: “Who is the data controller?”
• “Personal Data” does not cover everything….. Call me cynical, but it’s a rare data subject who is genuinely concerned about how their data is being processed. There is always a backstory and people often think that a DSAR entitles them to more than it actually does. That includes Mr. Ashley, who broadly argued that all data relating to the assessment of his tax liability amounted to his personal data, because of the nature and potential effect that exercise might have on him. A rough equivalent in the employment field might be somebody who argues that all data relating to a redundancy exercise is their personal data (think Board Minutes, Proposal Documents, Financial Data etc.) Ignoring the management forecasting exemption that could apply, this would vastly increase the amount of highly confidential data that needed to be provided in response to a DSAR. Luckily, this is one point on which the court disagreed with Mr. Ashley. The question to ask is whether the specific information in question “relates” to the individual, not whether the overarching process taking place or reason for processing that individual’s data does.
• ….But it is still pretty broad. At the risk of immediately ruining that moment of relief for employers, “information relating to” an individual is still pretty broad. Each situation is different, and it depends on how and the extent to which the information is linked to the individual. For example, records of train delays and travel service information are not normally going to be personal data. But if that information was looked at because an employee is always late and you suspect they might be fibbing about the reason why, then it could be. This already aligns with ICO guidance, but is helpful to bear in mind.

  It is also important to remember that personal data will often encompass more than just the portion of a document or email that references the individual by name or their role. Surrounding information that refers to or relates to the part about the individual could also be their personal data. If it isn’t, you might still need to provide it as context, which brings me nicely on to….

• Context matters. When responding to a DSAR, you need to do so in a way that is concise, transparent, intelligible and in an easily accessible form. This means that there might be circumstances where you need to provide more than what is strictly construed to be the individual’s personal data. This does not mean you have to provide everything, or can’t redact portions of emails. It means that you can’t provide small, random snippets of data completely out of context and expect the individual to be ok with it. Where additional context is necessary for the individual to understand their personal data, you should provide it. An example might be leaving a key table unredacted in a spreadsheet, so the individual understands what the big X or * by their name means.

All in all, I can’t say that this is all new territory, but the ruling should provide some comfort to data controllers and practitioners (myself included) navigating the myriad of potential DSAR issues that they are trudging in the right direction.

A copy of the full judgment is available here.

Please get in touch if you need help with responding to a data subject access request or if you have any other data protection queries by contacting a member of our team, or submitting an enquiry form, below.