The High Court has ruled that a business that receives a Subject Access Request ("SAR") can refuse to disclose the requested information in some cases, if the dominant purpose of the SAR is litigation. This appears to mark a significant departure from existing case law and regulatory guidance on this issue.

On 23 September 2016, the High Court of England and Wales issued its judgment in DB v GMC [2016] EWHC 2331 (QB), in which it provided important clarifications on how businesses should respond to SARs in the context of actual or anticipated litigation.

The law

Section 7 of the Data Protection Act 1998 gives individuals ("data subjects") the right to ask a business to provide them with access to their personal data by making a SAR. A SAR must be made in writing (although there is no specified format) and must be accompanied by the applicable fee (not more than £10). It should be noted that from 25 May 2018, businesses will no longer be allowed to charge such a fee in most circumstances, under the General Data Protection Regulation (the "GDPR"). Further guidance on that point is available in Chapter 9 of White & Case's GDPR Handbook.

If complying with the SAR would oblige the business to disclose personal data of another individual, then the business is not obliged to comply with the SAR unless: (a) the other individual has consented; or (b) it is reasonable in all the circumstances to comply with the request without the other individual's consent.

The facts

P had been diagnosed with cancer. P complained to the General Medical Council (the "GMC"), alleging that the incompetence of his doctor ("DB") had delayed the diagnosis by a year. The GMC investigated, and produced a report (the "Report") which found in DB's favour and concluded that no further action should be taken.

P then submitted a SAR to the GMC for a copy of the full Report. DB refused to consent to the disclosure of his personal data contained in the Report because he believed that P would use the Report to bring further litigation. The GMC concluded that it could disclose the Report to P without DB's consent. DB subsequently brought judicial review proceedings against the GMC's decision to disclose the Report to P.

The decision

Because the Report contained the personal data of P and the personal data of DB, the High Court had to balance P's legitimate right of access to that information, against DB's legitimate right to protect his own privacy. The High Court emphasised that the courts should be wary of attempting to provide principles of general application with regard to such balancing exercises (citing Durant v FSA [2003] EWCA Civ 1746) as each case must be considered on its own merits. However, the court detailed three general principles that provide guidance for businesses:

  • It is essential to keep in mind that the exercise involves a genuine balance between the respective privacy rights of data subjects.
  • If an affected individual does not consent to the disclosure of his personal data, then there is a rebuttable presumption against disclosure of his personal data, and any express refusal of consent is an important factor to be taken into account.
  • If it appears that the sole or dominant purpose behind the SAR is to obtain information for the purposes of litigation, that is a weighty factor against disclosing the personal data, on the basis that the more appropriate forum is the Court procedure under Civil Procedure Rule 31.

On the facts, the GMC had failed to begin with a presumption against disclosure. The GMC had considered DB's refusal to consent only as a trigger for the balancing exercise, which was incorrect. The GMC's decision also did not take adequate account of the fact that the purpose of P's SAR was to use the Report in future litigation against DB. In light of this, the process under Civil Procedure Rule 31 was the appropriate procedure for P to follow to obtain the Report.

Impact on businesses

The decision in DB v GMC is of interest to businesses because it marks something of a departure from the existing guidance and case law on this issue. The UK Information Commissioner's Office (the "ICO") has issued a Subject Access Code of Practice (which amounts to non-binding regulatory guidance) in which it indicated that a SAR must be honoured, except where the SAR "would not have been made but for the desire to access information to be used in other legal proceedings". That is, the ICO appears to have suggested that a SAR could only be refused if the sole purpose of the SAR was litigation.

The recent case law on this issue has been decidedly mixed. In 2015, in Dawson-Damer v Taylor Wessing [2015] EWHC 2366 (Ch), the High Court refused to order compliance with a SAR, on the basis that the judge considered that the "real purpose" of the SAR was to obtain information for use in litigation. However, earlier this year, the High Court in Gurieva v CSD [2016] EWHC 643 (QB) (which we previously discussed here) held that a SAR had to be honoured, despite the fact that the data subject almost certainly intended to use the information received in response to the SAR in litigation, because the court considered that litigation was not the sole or dominant purpose behind the SAR.

Following the High Court's decision in DB v GMC, it appears that the position is now as follows:

  • Any business that receives a SAR should carefully consider all of the circumstances before disclosing the personal data of any other individual in response to the SAR. Before disclosing any such data, the business should balance the rights of the affected individuals, using the test outlined above.
  • If it appears that the sole or dominant purpose of the SAR is to obtain information to be used in litigation then that is "a weighty factor in favour of refusal" of the SAR and the business should consider whether Civil Procedure Rule 31 is a more appropriate route for the data subject to obtain the requested information.

While the decision in DB v GMC appears to be a positive development for any business that wishes to resist a SAR, it is unlikely to provide a defence against a data subject who presents a well-crafted SAR and identifies legitimate reasons (other than litigation) as being the motivation for that SAR.

Chris Ewing and Victoria Speers, are Trainee Solicitors at White & Case, assisted in the development of this publication.