In the first April edition of our employment law round-up we considered the Court of Appeal's decision in Dawson–Damer v. Taylor Wessing LLP  EWCA Civ 74, which (amongst other things) concerned the relevance of an individual's motive in making a data subject access request (DSAR) under the Data Protection Act 1996, when considering whether compliance should be ordered. It seems that this is a hot issue at the moment and in Ittihadieh v. 5 to11 Cheyne Gardens RTM Company Limited and Others  EWCA Civ 121, the Court of Appeal has considered whether a company was required to comply with a DSAR when a request was made for the purpose of fishing for information to use in litigation. The Court of Appeal's decision also provides useful guidance on the approach data controllers should take to handling DSARs and in particular on how far companies should go to ensure their searches in response to DSARs are reasonable and proportionate.
Mr Ittihadieh owned a flat at 5 to11 Cheyne Gardens. The non-corporate owners of other flats in the building (with the exception of Mr Ittihadieh and his partner) became members of RTM (a right to manage company affiliated to the building). Mr Ittihadieh and his partner later also became members, but their attempts to secure a position on RTM's board were blocked by the existing members. Mr Ittihadieh was apparently unhappy about this and alleged that RTM kept a file about him and that other residents were swapping and otherwise using personal information about him. Mr Ittihadieh made a DSAR to obtain those documents (which were personal data), and stated that he intended to bring claims of discrimination, harassment and victimisation. It would seem that there was in fact a file about Mr Ittihadieh, as following the DSAR 400 redacted documents were disclosed to him by RTM. A file of documents called the "Alireza file" was referenced in the disclosed documents, although it was not itself disclosed. Mr Ittihadieh sought disclosure of the Alireza file but this was refused by RTM. Mr Ittihadieh commenced High Court proceedings against RTM and its individual members, to obtain an order for disclosure of the Alireza file. The Judge refused to order its disclosure on the grounds that to do so would be disproportionate. The Judge said that RTM had already disclosed 400 documents, and the individual respondents were not data controllers against whom he could order compliance with the DSAR. The Judge pointed out that if any of the individual respondents held personal data in a personal capacity, the domestic purposes exemption would apply. On that basis the claim against the individual members was dismissed.
It should be noted that a second case, Deer v. Oxford University was heard by the Court of Appeal alongside Mr Ittihadieh's appeal. The facts were, of course, different but the issues and the principles that came out of both cases were the same. We have not specifically considered Deer for the purposes of this summary.
The Court of Appeal agreed with the High Court, and refused to order RTM to disclose the Alireza file on the grounds that it would be "wholly disproportionate" to do so. The Court of Appeal also agreed that the High Court Judge had been right to dismiss the claim against individual members. The Court of Appeal also gave some useful guidance for data controllers about the steps that should be taken to comply with a DSAR.
A flat refusal to comply with a DSAR will not be justified. However, data controllers are not required to go so far to leave "no stone unturned": a proportionate search will usually fall somewhere in between the two.
To constitute personal data, the data must either name or identify the individual, and must have them as its focus. The fact that a document contains a person's name does not necessarily mean that this will be personal data.
When the purpose for making a DSAR is litigation, this does not invalidate the request. It will, however, be a relevant consideration for a court when determining whether further disclosures should be ordered.
What is the practical impact of this for employers?
It is helpful for employers, as data controllers, to have some further guidance on dealing with a DSAR. In particular, it is useful to have case law confirming that there is no need to take a "no stone unturned" approach to ensure a search is reasonable and proportionate as required under the Data Protection Act. Whilst this case does not change the stated position in Dawson–Damer that the fact that a DSAR is made for the purpose of litigation does not release the data controller from the obligation to comply with it, it is now clear that motivation can still be a relevant factor in determining whether compliance should be ordered.
Employers should remember that the General Data Protection Regulation (GDPR) will come into force on 25 May 2018. Whilst this will not directly impact on this case, employers should start to prepare for the introduction of the GDPR now.