The High Court has recently refused an application made under the Data Protection Act 1998 (DPA) for compliance with a subject access request where it held that it was not reasonable or proportionate to do so.
Subject access requests (the Requests) were made in the context of litigation by family members undertaking proceedings in the Bahamas in relation to a Bahamian trustee company. The Requests were made to the solicitors handling the litigation on behalf of the Bahamian trustee. The client relationship began in 1987 and the Requests sought all data held about certain members of the family by the solicitors. Compliance with the broad Requests, spanning almost 30 years, was therefore very onerous and expensive.
The trustee’s solicitors did not comply with the Requests, claiming that a blanket legal professional privilege exemption applied, and also that certain data was contained in unstructured manual files not caught by the DPA’s definition of ‘data’.
Section 7 of the DPA gives an individual the right to make a subject access request to a data controller for data that it holds about the individual, and section 7(9) gives the Court the power to order compliance where a data controller has failed to comply with a request. Section 8(2) provides that a copy of an individual’s personal data must be supplied in permanent form, unless this is not possible or would involve disproportionate effort.
The Information Commissioner’s Office (ICO) ‘Subject Access Code of Practice’ states that the ‘disproportionate effort’ provision is intended to apply where supplying a copy of the requested information in permanent form would be so onerous or expensive as to outweigh the requester’s right of access to their personal data. The Code of Practice goes on to state that section 8(2) should only be relied upon in the most exceptional of circumstances.
Schedule 7, paragraph 10 of the DPA states that personal data can be withheld in response to a subject access request where it is covered by legal professional privilege.
In arriving at its judgment, the High Court considered the purpose of subject access under the DPA, which is to enable an individual (the data subject) to ascertain what data is held about them by an organisation, to check its accuracy and take steps to protect it. The purpose of subject access is not to enable individuals to undertake a fishing expedition for the purposes of litigation.
Behrens HHJ agreed with the trustee’s solicitors in holding that it was not reasonable or proportionate for them to search through each document to ascertain whether it was covered by legal professional privilege.
The High Court deemed that there was no indication that the individuals wanted to use their right of subject access to check the accuracy of the data held by the trustee’s solicitors. Further, the individuals went even further than this and in making the application to the High Court, had an improper purpose. The individuals’ actions were only intended to assist the on-going litigation.
Organisations will frequently seek to rely on the fact that compliance with a subject access request involves disproportionate effort. They may be advised against relying on the disproportionate effort provision, due to the extremely high threshold required to overcome it and the risk of a complaint being raised about non-compliance.
This case (which was made more complex by the Bahamian proceedings) turned on very specific facts and the discretion afforded to the judge under the DPA. The purpose of subject access was central to the High Court’s decision, colouring the Court’s consideration of the disproportionality provision.
Any guidance from the Courts as to what constitutes disproportionality when responding to a subject access request is extremely useful. Often, organisations will take a risk-based approach when dealing with time-consuming and troublesome requests as there is no express provision in the DPA allowing an organisation to refuse compliance with a request on the basis that it is not made for the right reasons. Further, as the ICO guidance gives a starting point that the disproportionality provision should only be relied upon in the most exceptional of circumstances, organisations may be able to take some comfort from judicial decisions such as this when assessing compliance with the trickier subject access requests received.