What is a Subject Access Request?
An individual whose data is being processed (a data subject) has the right to request copies of that data from the organisation that is processing it (the data controller) under the Data Protection Act 1998 (DPA). The data controller must respond within 40 calendar days and is entitled to charge the data subject a fee of £10.
The issue of how far a Subject Access Request obliges businesses to search for the relevant information has been debated several times by the courts. There have also been questions as to whether businesses are obliged to comply with Subject Access Requests that are vexatious or made solely in order to 'fish' for information with a view to future litigation. The appeal decision in Dawson-Damer v Taylor Wessing LLP has provided some clarity on these issues.
Dawson-Damer v Taylor Wessing LLP
Mrs Dawson-Damer and her children were beneficiaries of a trust, of which Grampian was the sole trustee. The Dawson-Damer family were involved in legal proceedings against Grampian and made a Subject Access Request of Grampian’s solicitors, Taylor Wessing LLP (TW). TW refused, citing legal professional privilege.
In July 2015, the High Court decided that TW did not have to comply with the Subject Access Request on the basis that the search would have been disproportionately costly given the need to separate out all of the data protected by legal professional privilege.
Businesses were hopeful that the High Court’s decision signified a move by the courts to minimise the perceived burden of compliance with Subject Access Requests.
The appeal of the decision of the High Court was recently decided by the Court of Appeal as follows:
The ‘disproportionate effort’ exemption applies both to the search itself and to the provision of copies
Contrary to the Information Commissioner’s Office (ICO)’s Subject Access Code of Practice, the exemption from compliance where ‘disproportionate effort’ would be involved is not restricted to effort involved in providing copies but also includes the search for relevant personal data.
Businesses should therefore apply the concept of ‘proportionality’ to all aspects of the obligation to find and supply information. In deciding whether compliance with a Subject Access Request would involve disproportionate effort, the effort should be weighed against the benefits that the provision of the information might bring to the data subject.
The threshold between proportionate and disproportionate effort is a high one
TW had not shown that it had gone far enough to comply with the Subject Access Request, and further compliance would not have involved disproportionate effort. If TW wished to rely on legal professional privilege then it would need to be willing to undertake the work required in order to establish legal professional privilege in each instance, rather than applying a blanket exemption. TW was not able to provide any evidence of the lengths that it had gone to in identifying the data and establishing a plan of action to comply with the request.
The data subject’s motive in making the SAR is not relevant
The Subject Access Request regime is ‘purpose blind’: data subjects are not limited as to the purposes for which they may make Subject Access Requests. The position might be different if the Subject Access Request was an abuse of process; however, merely having more than one purpose for making a Subject Access Request would not normally be an abuse of process.
What is the impact of this decision for businesses?
This appeal decision is clearly data subject-friendly and more in tune with the approach of the ICO. However, businesses should welcome the clarification by the Court of Appeal that the 'disproportionate effort' exemption also applies to the extent of the obligation to search (and not just the obligation to provide copies, as indicated by the ICO).
The default position remains that businesses should continue to comply with Subject Access Requests “where and so far as possible”.
These issues continue to be discussed in the courts. The next few months should see an appeal decision handed down in Ittihadieh v 5-11 Cheyne Gardens / Deer v University of Oxford, which it is hoped will provide further clarity on the approach businesses should take to Subject Access Request compliance.