In the last two months there have been three important decisions that give guidance on the obligations of data controllers when faced with subject access requests.
Those cases are Holyoake v (1) Candy & (2) CPC Group Ltd (High Court); Dawson-Damer v Taylor Wessing LLP (Court of Appeal); and Ittihadieh v 5-11 Cheyne Gardens & Ors and Deer v University of Oxford (joined cases in the Court of Appeal).
It is important for employers, as data controllers, to take note of the main points coming out of these decisions, which can be summarised as follows:
The motive or purpose of a subject access request does not affect its validity or allow a data controller to refuse to provide personal data based solely on the purpose of the request. (Dawson-Damer)
- the motive of the data subject is relevant when the court is considering an order for costs against the data controller – the costs award was reduced by 25% in Dawson-Damer.
- the Court of Appeal in Ittihadieh/Deer held that whether a data subject has a “legitimate reason” for their request can be a factor for the court to consider when deciding whether to order the data controller to comply with the request. (Ittihadieh/Deer)
The mere mention of an individual’s name in a document does not, without more, mean that the document contains “personal data”. (Ittihadieh/Deer)
- However, data which reveals the whereabouts of an individual at a certain point in time may be personal data, as it can be highly relevant to (for example) calculating sick pay or holiday pay or the investigation of a crime. (Ittihadieh/Deer)
The search for personal data is limited to what is “reasonable and proportionate”. (Holyoake)
- What is reasonable and proportionate depends on the facts of the case but there is no general right of access to directors’ personal email accounts, which can only be searched if a company has sufficient reason to do so (e.g. the director carries out work on behalf of the company using that account).
The exception to disclosure, where the data controller’s ability to comply with the request involves “disproportionate effort”, includes difficulties with the search (not just its ability to provide copies of the data). (Dawson-Damer)
- This is the Court’s interpretation of section 8(2)(a) of the Data Protection Act 1998 (DPA) which says that a subject access request must be complied with “by supplying the data subject with a copy of the information in permanent form unless: (a) the supply of such a copy is not possible or would involve disproportionate effort.”
A data controller can rely on the legal professional privilege (LPP) exemption to disclosure and a speculative case of wrongdoing is not sufficient to remove that privilege by reason of iniquity. (Holyoake)
- The Claimant tried to argue that “iniquity” includes a breach of the fundamental right to privacy, and that the parties’ respective rights had to be balanced by the court when considering the application of legal professional privilege.
- Both arguments would have seriously eroded the protection afforded by LPP and received short shrift from the Court of Appeal.
The LPP exemption only applies where the claim to privilege would be recognised in legal proceedings in the UK – not any other system of law. Further, it does not extend to a situation where other rules of confidentiality/non-disclosure apply (e.g. a trustee’s duty). (Dawson-Damer)
There is not a settled position regarding how the court should exercise its discretion when considering whether to order compliance with a subject access request.
- The Court of Appeal in Dawson-Damer held that the court’s discretion is wide and its power to order compliance should not be limited. However, in Ittihadieh/Deer, the Court said that the fact a breach of the DPA has occurred should have a significant bearing on the way in which the court exercises its discretion and expressly disagreed with the proposition that the Court’s discretion is “general and untrammelled”.
- As with most areas of unsettled law, this could result in considerable legal argument, especially where a data controller considers it particularly important to resist disclosure.
The cases overall are quite balanced, with some of the findings favouring data controllers and others favouring data subjects. In general, they are a reminder that the right of data subjects to get copies of their personal data is not unlimited and that the proportionality principle applies at all stages. However, the finding that subject access requests are (for the most part) purpose blind will be frustrating for employers who face tactical SARs when former employees bring proceedings.