As demonstrated in the recent case of Gaines v HMRC, it is crucial to have robust protocols in place for dealing with Data Subject Access Requests (DSARs). Once a DSAR has been made, the data controller needs to put a game plan together – swiftly but carefully – and must be prepared to justify the approach taken to the disclosure of data and the manner in which any searches are undertaken. In cases where there are many thousands of electronic documents, consideration should be given to the use of a virtual data room: we have used these platforms to assist clients in managing DSARs to great effect, and have thus been able actively to demonstrate compliance with the Data Protection Act 1998 (DPA).
The DPA permits data subjects (in educational institutions these might be students, their parents, or staff) to request details of personal data which a data controller (eg a university, college or school) is processing, its source and to whom it has been disclosed. DSARs may be made for “pure” data protection purposes, but are frequently used as a tactic in litigation.
Earlier this year, the Court of Appeal cases of Dawson-Damer & Ors v Taylor Wessing, Ittihadieh v 5-11 Cheyne Gardens & Ors and Deer v The University of Oxford considered a data controller’s duties when faced with an onerous DSAR. It was confirmed that even if a DSAR is made in the context of litigation, and for litigation purposes, it can still be a valid request under the DPA (so it must be taken seriously by the data controller); and also that searches carried out by the data controller to respond to the DSAR should be reasonable and proportionate – the data controller does not have to leave “no stone unturned”.
These principles are important in light of the General Data Protection Regulation (GDPR), which will come directly into force in the UK in May 2018. The rights of data subjects will be enhanced under the GDPR, and the time limit for data controllers to respond to a DSAR will be reduced from 40 days to one month.
Gaines-Cooper v HMRC
The recent High Court case of Gaines-Cooper v HMRC applied the above principles to a claim that HMRC was in breach of s7(1) DPA. The manner in which HMRC responded to a very broadly worded DSAR, and the rationale of the judgment, provide helpful guidance to data controllers.
There was no dispute about the validity of GC’s DSAR, even though it was made in the context of highly complex, long-running and high-value litigation. The difficulty for HMRC was in dealing with the request in a proportionate way given the sheer volume of data involved.
Although the rights under a DSAR relate to data, and not to documents, data controllers have to assess the electronic and manual documents they hold in order to identify the personal data in question, and to consider whether it should be disclosed, whether any information needs to be redacted or whether the data is not disclosable because of one of the exemptions provided by the DPA, eg legal professional privilege.
In this case, there were several hundred manual files relating to the litigation, 1,500 electronic documents in relation to investigations, and 24 boxes of documents, not held electronically, also relating to investigations.
HMRC set up a specialist team to assess the documents. The team’s supervisor briefed its members on the protocols to be used (eg in order to identify data which was exempt from disclosure). Worked examples were given to the team and their work was checked. The potentially disclosable documents were personally checked by the supervisor; she also took the decision not to search correspondence between GC and HMRC (as this had already been seen by GC), and determined that the 24 boxes of documents were not an organised filing system and were outside the scope of the DPA.
GC brought proceedings on the basis that the disclosure was inadequate.
The High Court, whilst disagreeing that the 24 boxes were not within the scope of the DPA, concluded that the balance came down in favour of the search being a proportionate response. HMRC had been able to demonstrate what they had done to identify the material, and to work out a plan. Further searches might disclose additional personal data of GC, but the effort of making those further searches outweighed the potential benefit to GC.
The Court went on to consider whether, if there had been a breach of the DPA, an order would have been made for disclosure of further documents, or a financial remedy. A number of factors were taken into account, including the primary purpose of the DSAR (which was connected with the litigation), the severity of the breach, and whether the personal data in question was of real value to GC. The Court’s view was that even if there had been a breach, no remedy would have been awarded.
This case emphasises that data controllers need to put protocols in place for dealing with DSARs alongside their other data protection policies, and need to establish a game plan when a specific DSAR is made.