Over the last few months, the courts have handed down four significant decisions which impact how data controllers (such as employers) respond to subject access requests under the Data Protection Act 1998.
The decisions consider key practical issues such as the extent of data controllers' obligations to conduct searches to locate personal data and the scope of the exemption for documents covered by legal privilege.
If your organisation deals with subject access requests, you should read on.
The right of access to the personal data processed by a data controller is enshrined in section 7 of the Data Protection Act 1998 (DPA 1998). The purpose underlying the right is to enable an individual to request the deletion or correction of personal data in appropriate circumstances.
Over the years, the boundaries of the right have been tested when individuals have submitted subject access requests (SARs) in the context of litigation, or some wider dispute with the data controller, as a general means of gaining access to information. Under the DPA 1998, the individual's motive for submitting a SAR is irrelevant, and the Information Commissioner's Office has followed this approach in its guidance, which has directed data controllers to comply even where the SAR is made for a collateral purpose. However, the courts also have a role to play in the enforcement of SARs, and there has been a reluctance on the part of the courts to exercise their powers where the SAR is too broad in nature or otherwise submitted to fuel a related dispute between the parties. This has resulted in a degree of uncertainty around how far a data controller must go in order to satisfy a SAR.
In four separate cases heard at the end of last year, the Court of Appeal and High Court dissected the fundamental nature of the right of access, and considered the extent to which a data controller is discharged from complying with a SAR where an ulterior motive was at play, or where a data controller had already conducted reasonable and proportionate searches in order to locate personal data.
In Holyoake v Candy the High Court declined to enforce further compliance with a SAR as the data controller had already carried out proportionate searches and properly applied the privilege exemption. In Dawson-Damer v Taylor Wessing, Ittihadieh v Cheyne and Deer v Oxford University the Court of Appeal considered the limits on a data controller's obligations when responding to a SAR. In all four cases, there was a broader dispute between the parties.
The following principles can be drawn from the decisions of the Court of Appeal and the High Court:
The obligation is to carry out a proportionate search – A fundamental issue in these cases was whether a data controller is obliged to carry out only reasonable and proportionate searches in order to locate an individual's personal data when responding to a SAR. The courts focused on the provisions of the DPA 1998 which discharge a data controller from supplying copies of documents in response to a SAR if this would involve "disproportionate effort". Somewhat surprisingly, the courts stretched this proportionality principle to all aspects of a data controller's efforts to respond to a SAR, including the often onerous task of searching for the individual's personal data. It was recognised that even where a data controller is able to conduct electronic searches using keywords etc., human intervention is always needed to evaluate whether particular personal data should be disclosed. It is now clear that data controllers can consider issues such as time and cost to determine what amounts to a proportionate response to a SAR in any given case.
It is irrelevant if the requestor has an ulterior motive – The courts considered the arguments for and against a data controller being able to take account of an individual's collateral purpose for submitting a SAR, particularly where separate legal proceedings between the parties were underway. Ultimately the courts were persuaded by the fact that the DPA 1998 does not qualify the right to make a SAR by reference to the individual's motive, i.e. the right is "purpose blind". The earlier case law on this point (in particular, Durant v FSA) was disregarded. A data controller will now find little refuge in the argument that it does not need to respond to a SAR which is pursued for a collateral purpose. Interestingly, in Ittihadieh the Court nonetheless recognised that there would be circumstances in which it should not exercise its discretion to enforce compliance with a SAR, for example if the SAR amounted to an abuse of process. This does not, however, translate into an ability for a data controller to decline to respond to a SAR.
The exemption for legal professional privilege should be applied narrowly – In Dawson-Damer there was a question over whether this exemption should be interpreted broadly, for example to cover documents which a trustee could refuse to disclose under Bahamian trust law. The courts decided the exemption covered only documents in respect of which privilege could be asserted under UK law. On a related point, the court did not accept the law firm's broad assertion of legal privilege over all documents held on behalf of their client, in circumstances where the firm suggested a search to locate any limited non-privileged documents would be disproportionate. As such, it is important that any assertion of privilege to withhold documents containing the requestor's personal data should be targeted and not general in nature.
There is a distinction between data processed by an individual on behalf of their employer and in a personal capacity – The SARs submitted in Holyoake and Ittihadieh were far-reaching in nature, and sought the disclosure of e-mails processed in private (as opposed to corporate) e-mail accounts. The courts underlined the principle that individual employees and directors are not data controllers in their own right, and a SAR can only properly extend to their activities carried out on behalf of their employer. This would exclude any obligation to search the personal e-mail accounts of employees and directors, unless there was clear evidence that these accounts had been used for work-related purposes. As a separate point, in Ittihadieh the Court recognised the availability of the exemption for personal and household processing carried out by an individual; such processing is not covered by the DPA 1998 and accordingly there is no right of access to such data.
The decisions are a mixed bag for data controllers when dealing with SARs. The clarification that data controllers are obliged to carry out only proportionate searches is very welcome, and this provides a solid basis to push back on SARs which are too far-reaching in nature. On the other hand, the courts' reluctance to limit the right where the SAR is made for a collateral purpose will increase the burden on data controllers to comply with SARs regardless of any broader context, for example even where this results in a costly overlap with disclosure searches for the purposes of litigation.
With effect from May 2018, the SAR regime will be subject to further changes as a result of the implementation of the General Data Protection Regulation. These changes include the abolition of the maximum £10 fee for compliance, and the reduction in the period for compliance from 40 days to one month.