Last month we blogged on two recent cases which collated practical guidance from the courts on subject access requests (“SARs”) and foreshadowed another Court of Appeal decision on the same topic.

That decision, in the conjoined appeals of Ittihadieh v Cheyne Gardens; Deer v University of Oxford, has now been handed down and, once again, we have put on our hard hats and mined the shiniest gems of practical utility from the decision.

Collateral Purpose

The Court of Appeal reserved judgment in Cheyne until its differently constituted self passed judgment in Dawson-Damer v Taylor Wessing. As such, the two judgments gel together rather better than they otherwise may have done, particularly on the issue of collateral purpose.

In fact, Cheyne expressly refers to Dawson-Damer saying that it, “put beyond doubt” the question of whether collateral purpose (such as concomitant litigation) invalidates an SAR. It does not.

Proportionate Searches

On this point, Cheyne was also very consistent with the two cases mentioned in our first blog. From the point of view of data controllers, this is very helpful.

The court noted that there is an implied limitation on searches to what is reasonable and proportionate in the circumstances. This may mean that not every item of personal data relating to an individual will be retrieved –

“there may be things lurking beneath another stone which has not been turned over”.

Even if another search reveals such additional data, then that does not mean that the first search was inadequate.

Form of response to a subject access request

The court noted that it may be more convenient and cheaper in some cases for a data controller to supply copy documents. However, there is no legal obligation to do so and the obligation is simply to supply information.

Although in most cases individuals will be looking for copies of documents (e.g. because they have a collateral purpose), the court said it would be enough for a data controller to inform the data subject, for example, of what personal data is recorded, in how many documents it is recorded and between what date range.

The utility of this approach will vary on a case by case basis. Consider an SAR in the context of litigation – if the copy documents are relatively anodyne, then it is likely to be cheaper just to provide them.

On the contrary, if they are damaging, then this narrower interpretation of a data controller’s obligations comes into play and it may be possible to prevent early disclosure to the other side.

Enforcement (and costs)

This area is arguably where some of the shine starts to come off, at least from the perspective of a data subject (and their lawyers).

The court, although it stressed that a collateral purpose was not an absolute bar to a SAR, held that such a purpose was relevant when it considered whether its own discretion to enforce compliance should be exercised.

Many other factors also weigh for and against the exercise of discretion (varying, as they inevitably will, on a case by case basis) and include: the potential benefit to the data subject of the information; whether disclosure is more appropriately obtained in the context of litigation; the nature and gravity of the data controller’s breach; and, whether the SAR has been used in such a way as to amount to an abuse of process.

The purpose behind the SAR will also have a bearing when it comes to deciding the issue of costs. As Deer’s SARs were found to be essentially antagonistic by the court, it upheld the High Court’s decision to reduce her costs award by 25%, even though she had won and even though she had a statutory right to the material.

The future

More decisions, particularly on the issue of enforcement, are likely.

It seems to us that, in practical terms, arguments over collateral purpose will still rage, albeit with a shifted focus. It had seemed, following Dawson-Damer that data subjects could, to a large extent, avoid such arguments in order to get an effective remedy through the courts. So, in a sense, Cheyne is a step back for them.

In any event, the EU’s General Data Protection Regulation is only a little over a year away from coming into force (25 May 2018) so prepare for even more judgments in the future (and, of course, more blogs from us...).