Mr Holyoake had sent subject access requests ("SARs") under the Data Protection Act 1998 to Mr Candy and CPC. Both responded to narrowed versions of the SARs, disclosing a limited amount of information. In Mr Candy's case, he did not provide certain information on the basis that it was protected by legal professional privilege ("LPP") and as such was exempt from disclosure. Whilst Mr Holyoake accepted that the searches had been ostensibly thorough (they involved a review of 17,000 documents and time charges in excess of £37,000), he considered the responses to his SARs to be flawed. He brought High Court proceedings against both Mr Candy and CPC, seeking an order that would require their compliance. The main issues for the Court to consider were:
- whether Mr Candy and CPC carried out adequate searches; and
- the validity of Mr Candy's reliance on the LPP exemption.
In relation to the first issue, the Court considered the fact that, aside from Mr Candy's personal gmail account, searches had been limited to corporate email accounts. Mr Holyoake argued that, if directors of CPC used personal email accounts to process data relating to him, they were obliged to search these too. The Court accepted that in principle a company director who has used a personal email account for corporate business may well owe the company a duty to allow access to that account if it was needed to comply with a SAR. However, the Court did not agree that a company was bound to ask its company directors whether they had used a personal email account, unless there was sufficient reason to indicate they should do so. The key question for a data controller is whether a search of personal email accounts forms part of a reasonable and proportionate search. This is a question that has to be determined by the facts in each case. In this particular case, there was no evidence that the company directors had used their personal email accounts to communicate about Mr Holyoake. As a result, the Court held that:
- the failure to search private email accounts of the company directors was not a breach of the duty to comply with the SAR; and
- the searches carried out were reasonable and proportionate.
In respect of the LPP issue, the Court considered the application of the exemption and the principle that it cannot be used as a basis for withholding material that is evidence of iniquity (i.e. a crime or a fraud). The alleged crime in this case was the unlawful obtaining, disclosing, or procuring the disclosure of Mr Holyoake's personal data without his consent. The Court found that Mr Holyoake could not demonstrate sufficient evidence that the crime had occurred. The Court also rejected his alternative argument that the iniquity principle should be extended to information that evidences a breach of the right to privacy which is short of a crime or fraud. Having made these conclusions, the Court held that Mr Candy had properly applied the LLP exemption, such that the information did not need to be disclosed.
What does this mean for employers?
This is a useful judgment for employers since it confirms that a data controller's obligation to carry out searches in respect of a SAR is limited to what is reasonable and proportionate. Data controllers are not obliged to ask individuals to carry out searches of personal email accounts unless there are grounds to suggest these have been used to communicate about a data subject. Data controllers should also avoid accessing personal accounts to check the position, since that itself might be an unjustified intrusion of privacy.
The case is also a useful example of the Court upholding the application of LPP where litigation was in contemplation.
To view the case of Holyoake v Candy and CPC Group Limited  EWHC 52 (QB), please click here.