By way of wider context, the parties in Holyoake v. (1) Candy and (2) CPC Group Limited  EWHC 52 (QB), are currently engaged in a multi-million pound dispute relating to a loan agreement. Separate to these proceedings the claimant made subject access requests (SARs) against both of the defendants, which he subsequently narrowed and to which the defendants responded. However, the claimant asserted that the defendants had not properly answered the SARs due to (1) inadequate searches and (2) the invalid use of legal professional privilege to exclude documents for review. Therefore, the claimant applied to the court to order compliance with his SARs.
The decision focused on three main issues:
1. Abuse of process
The defendants argued that the SARs were an abuse of the rights conferred by the Data Protection Act 1998 (DPA) (namely the right to access personal data in s7 DPA). They argued that their main purpose was to get early (and potentially additional) disclosure for the forthcoming litigation. This would get around the restriction, under the Civil Procedure Rules, that allows claimants to use materials disclosed only for the proceedings in which they are disclosed.
The case law surrounding this issue is unclear and so the court decided to err on the side of caution and not make a finding on this issue until the Court of Appeal judgments touching on this issue are available. The Court of Appeal judgments referred to are Dawson-Damer v. Taylor Wessing LLP, Deer v. University of Oxford, and Ittihadieh v. 5 -11 Cheyne Gardens RTM Co Ltd. However, it is likely that with the release of these judgments more guidance on how the CPR and DPA interrelate, or if indeed they should even interrelate at all, should be forthcoming.
2. Reasonable and proportionate search
The court reiterated that the defendants (the data controllers) have an implied obligation to only carry out a search that is reasonable and proportionate. The claimant had argued that (among other things) the second defendant's (CPC Group Limited) search was not proportionate because the second defendant limited its search to company email accounts. The court stated that it was possible the directors had used personal email accounts. If they had used personal accounts they might owe the company a duty to allow that account to be searched to comply with an SAR. However, without evidence that the directors had used private email accounts the defendant was not obliged to ask the question. The second defendant also did not have a general right of access to check the position.
3. Legal Professional Privilege (LPP) and the iniquity issue
The iniquity exception to reliance upon LPP states that LPP may be lost if the document was produced to further fraud or crime. The claimant argued the first defendant's (Mr Candy) claim to LPP was not legitimate. He argued the alleged privileged documents related to surveillance/investigation of the claimant and his family by a security consultancy that was marred by criminal conduct. In the alternative he argued the surveillance/investigatory activities resulted in a breach of his fundamental human rights (namely the right to privacy). This alternative argument tried to extend the principle of iniquity to breaches of fundamental human rights. The claimant argued that because of this the court should inspect the documents to decide whether the claim to LPP was legitimate or not.
The court reiterated that a court will only refuse to uphold LPP if there is an apparent strong case of wrongdoing. A merely speculative case would not be enough to displace LPP. In this case the conduct complained about did not necessarily involve a criminal breach of s55 DPA (regarding the unlawful obtaining of personal data). In relation to the extension of the iniquity principle the court remarked that whilst it was a novel argument such an extension could significantly reduce the right to LPP, which in and of itself is a fundamental human right.
This case will be of comfort to data controllers. It confirms that searches have to be reasonable and proportionate, as well as confirming that courts are unwilling to go behind data controllers' assertions of compliance to act on the suspicions of those making an SAR. The decision also provides helpful comments on a company's duty to search private emails – namely they do not have to ask unless there is a sufficient reason to think that they have used their private account(s). We are, however, awaiting clarification of the abuse of process point as to whether SARs and the CPR can interrelate and, if so, to what extent.