A recent ruling by the High Court in Ezsias v Welsh Ministers (2007) confirms the previous Court of Appeal ruling on the nature of the subject access right and goes further in giving guidance on the scope of the search to be undertaken by the data controller.
Section 7 of the Data protection Act 1998 (DPA) establishes the right of any individual to make a subject access request to a data controller who holds personal information about him or her. This has been interpreted to mean that the data controller must provide copies of all documents in their possession of which the individual is the subject.
But section 8(2) of the DPA limits this right to information in terms of the data controller’s obligation to provide the information in a permanent form. The data controller is not obliged to provide a permanent copy of the data where doing so would involve a disproportionate effort.
The DPA does not specify the depth of the search to be conducted by data controllers other than to say that the data controller must provide “the information constituting personal data of which that individual is the data subject”. In practice this means that many data controllers undertake exhaustive searches to locate all the relevant data.
In Eszias, Judge Hickinbottom considered the scope of the search to be undertaken by a data controller stating that:
“Under the 1998 Act [DPA], upon receipt of a request for data, a data controller must take reasonable and proportionate steps to identify and disclose the data he is about to disclose.”
The judge also considered section 8(2) of the DPA and whether the “disproportionate effort” qualification should be interpreted broadly and not restricted to the obligation to provide the information in a permanent form. The Information Commissioner’s current guidance does not adopt a broad interpretation of the “disproportionate effort” provisions and provides that this limitation only applies to the obligation to provide the information in a permanent form, not to the search.
In Ezsias the judge considered the “disproportionate effort” provisions of section 8(2) should also apply to the search obligations. The suggestion is therefore, that the data controller can limit its search on similar grounds.
Practical implications of Ezsias
- Where the data subject is in litigation with the data controller and entitled to obtain the information as part of that litigation, it may be reasonable and proportionate to conduct a more limited search under DPA than would be the case where no litigation is ongoing or proposed.
- The key message for data controllers is that they will be able to comply with their legal obligations so long as they conduct a reasonable and proportionate search. What constitutes a reasonable and proportionate search will depend on the circumstances of the particular case.
What is reasonable and proportionate?
In order to justify a search as being reasonable and proportionate a data controller should:
- identify the limits of the search they propose to undertake;
- be able to justify why any locations/databases/archives are excluded – including on the basis they are unlikely to contain any, or any significant, personal data regarding the data subject;
- quantify the potential time, cost and effort that would have been involved in searching any excluded locations (including IT expenses, employee costs, legal fees); and
- record all of the above matters in writing.