Hot on the heels of the decision in Dawson-Damer v Taylor Wessing LLP (see our 27 February newsletter for further details), the Court of Appeal has given further guidance on the proper approach to data subject access requests (DSARs) that are made in the context of (in this case employment-related) litigation. The decision in Oxford University v Deer is of particular interest because of its comments about when a court should exercise its discretion to order compliance with a DSAR.
Ms Deer was involved in long-running litigation with Oxford University concerning allegations of sex discrimination and victimisation. In the course of the litigation she made DSARs. The University initially refused to comply, on the basis that she was seeking to use the Data Protection Act to obtain disclosure for the purposes of her tribunal litigation. As the Court of Appeal made clear in the Dawson-Damer decision recently, having a "collateral purpose" of this sort in making a DSAR does not automatically mean that the request is invalid or that a Court will not order a data controller to comply.
Although the University subsequently disclosed some data to Ms Deer, she argued that it had not carried out adequate searches. Further searches were conducted by direction of the Court, involving the review of over 500,000 emails and other documents at a cost of around £120,000. This resulted in a further 33 documents being disclosed. The Court declared that these documents should have been disclosed within a reasonable period of the first DSAR, but refused to exercise its discretion to order the University to take any further steps to comply, as this would serve no useful purpose. The University appealed against the declaration and Ms Deer appealed against the decision not to require the University to take any further steps.
The Court of Appeal recognised that the fact that a DSAR is made for a collateral purpose such as to obtain documents for the purpose of litigation does not mean that a data controller can simply refuse to comply with the request. However, a data controller's duty is limited to taking reasonable and proportionate steps to identify and disclose relevant data. In addition, the exercise of the Court's discretion to order a data controller to comply with a DSAR is also subject to a general principle of proportionality. Relevant factors might include whether there is a more appropriate route to obtaining the requested information (eg disclosure), the nature and gravity of the breach, the reason why someone has made a DSAR, and whether the personal data is of real value to the data subject.
Applying these principles, the University did not have good grounds for initially refusing to comply with the DSAR. It had not carried out a reasonable and proportionate search and the Court was entitled to make a declaration. However, the University had conducted the further searches that it was ordered to carry out and the Court was also entitled to conclude that requiring further steps to be taken would serve no useful purpose. In reaching that decision it was relevant that the data subject was engaged in a "relentless pursuit" not just of personal data but of documents, and that the DSARs themselves were disproportionate.