Individuals have the right to see a copy of all the information a business holds about them by submitting a data subject access request (DSAR) under the Data Protection Act 1998 (the “DPA”). DSARs are often used as pre-litigation “fishing” tactics and processing a request can be logistically challenging.
The Court of Appeal has given helpful guidance on the meaning of “disproportionate effort” and the limit of the legal professional privilege exception in the context of DSARs. An employer can argue that it does not need to expend disproportionate efforts in order to comply with such requests.
In the case, a law firm (Taylor Wessing) sought to rely on the legal professional privilege exception under the DPA in relation to a DSAR made to one of its clients. The request had been made before litigation and there was a concern that complying with the DSAR would give the would-be litigants an unfair advantage by getting advance disclosure.
The Court of Appeal decided that the legal professional privilege exception under the DPA applies only to documents that carry legal professional privilege for the purposes of English law. Secondly, the court clarified that the disproportionate effort qualification applies to all stages of subject access compliance. Third, it was an acceptable exercise of rights under the DPA even if the appellants intended to use the information obtained in subsequent litigation.
While this was not an employment case, the judgment provides welcome clarification of the legal professional privilege exception, the concept of disproportionate effort and the relevance of the data subject’s motive in making the request, which is likely to be relevant to employment practitioners.
What Should Employers Do Next?
Complying with DSARs can be time-consuming and costly, and employers may often be tempted to abbreviate searches or the responses given. However, the Information Commissioner can hand out sanctions against employers if they do not comply with their obligations. Employers should consider the Information Commissioner’s code of practice for complying with DSARs when they receive a request.