Under the Data Protection Act 1998, individuals can request that data controllers provide them with copies of all the personal data held about them on computerised or structured filing systems, subject to certain exceptions. This seems to be simple enough, but complying with these data subject access requests (“DSARs”) has become increasingly time consuming and expensive given the growth in the amount of data typically held and the fact that it is often mixed with other data.
There has also been a trend towards DSARs being used for purposes that do not reflect what they were originally designed for. For example, DSARs are increasingly used to obtain early access to documents and information which could be used to support litigation. Solicitors are also receiving DSARs from former clients who are seeking to obtain copies of their files without first paying their outstanding legal fees and, in so doing, trying to circumvent the solicitor’s lien over that material.
Inevitably, this has led to some push-back by data controllers, which has now found support from the Court in Dawson-Damer v Taylor Wessing . The judgment throws into stark relief the differing approaches taken by the Court and the data protection regulator, the ICO, to enforcing compliance with DSARs.
In this case, a DSAR was sent to the law firm Taylor Wessing by a mother and her two children, in which they sought disclosure of all their personal data which was held by the firm. Taylor Wessing’s client was the trustee of the claimants’ family trust. Taylor Wessing did not comply with the DSAR on a number of grounds, and the claimants asked the Court to order Taylor Wessing to comply.
Ruling on these issues, the Court held that:
- The Court’s power to order compliance with DSARs is discretionary. The Court will consider the purpose behind the DSAR in exercising that discretion. The Court reaffirmed that the purpose of the DSAR provisions is to enable individuals to check whether a data controller’s processing of their personal data unlawfully infringes their privacy, and to allow them to take steps to prevent it. The purpose is not to enable the individual to obtain early disclosure of documents in support of legal proceedings, which would be an abuse of process. The Court held that if the DSAR was an abuse of process, this would be an important factor in the Court refusing to exercise its discretion to order compliance.This approach is in contrast to the ICO’s guidance on DSARs which makes clear that requesters do not have to provide any information about the purpose of their request or what they intend to do with the data provided.
- The exception to the DSAR provisions allowing a data controller to refuse compliance on the basis that the requested documents are legally privileged should be interpreted widely. In this case, the Court said it did not matter that the issue of privilege was a matter of foreign law rather than English law.
- A data controller is only required to supply such data as is found after a reasonable and proportionate search. The Court held that it was not reasonable to require Taylor Wessing to carry out any search to determine if particular documents were covered by privilege or not, on the basis that this exercise would be complex and very costly.Again, this is in contrast to the ICO’s guidance which states that the “disproportionate effort” exception only applies to supplying the information, and that controllers cannot refuse to deal with a request just because it will be time consuming to do so.
- Where non-computerised information is held in manual files which are not structured in relation to individuals and which contain multiple categories of information, this is unlikely to amount to a “relevant filing system” and therefore does not fall under the DSAR provisions.
This judgment will be relied upon by data controllers who are seeking to limit their DSAR obligations. However, it is open to individuals to refer breaches of the DSAR provisions to the ICO rather than to the Court. This puts data controllers in the difficult position of relying on the Court’s more restrictive approach in the face of pressure from the ICO to follow their more onerous guidance. We would hope that the ICO will now revisit its guidance to bring it into line with the Court’s view.
However, before that happens, we may have to wait for the outcome of an appeal as the Court has given the claimants permission to appeal, such is the importance of the ruling.