Recently we’ve seen a number of disgruntled employees exercise their rights under the Data Protection Act to make Data Subject Access Requests of their employers. Having a genuine concern to see one’s own personal data is all well and good, but what if you suspect that it is nothing more than a fishing expedition for information to strengthen contemplated or ongoing legal proceedings? How far should an employer have to bend to accommodate such requests?
The legislation does not require a current or former employee to give any explanation of how he intends to use the information. Neither is there a get-out clause for employers where there are ongoing or contemplated legal proceedings. In fact, the Information Commissioner in his Guidance states that it would “seriously undermine this fundamental right” if such a request could be avoided where legal proceedings were ongoing or in contemplation.
Earlier this year, the issue of subject access requests came before Leeds County Court in Elliott v Lloyds TSB Bank Plc and others. The Judge looked at the obligation to comply with a Subject Access Request where the individual making the request has mixed motives and concluded that where this is the case “the application will not be an abuse of process unless it can be shown that, but for the collateral purpose, the application would not have been brought at all”. Taking this forward, it seems that if an employer can show that, but for the prospect of litigation, the request would not have been made, there may be an argument that the employer should not have to comply with the request as it is an abuse of process. That is, providing that the employer is able to show that this is the case, which is of course more or less impossible.
In addition the Court held that the data controller was “only obliged to supply such personal data as is found after a reasonable and proportionate search”. Although this does not sit neatly with the Information Commissioner’s Guidance, it does fall in line with previous case law which suggests that a data controller is not required to carry out a disproportionate search for personal data. This conflict is not surprising given that the Information Commissioner’s guidance is not binding but a County Court is bound by precedent from higher courts. In any event, don’t be fooled into thinking that this lowers the threshold for the level of response required – in Elliott it was estimated that approximately 188 hours had already been spent in responding to the DSAR (over a month doing a solid 8-hour day), even without searches with five more individuals still outstanding at the time of the Hearing!
It should be noted that so far Elliott is only a first instance decision, but it provides encouragement that employers should not have to go beyond what is “proportionate” (though this was not defined) when conducting searches. Correspondence with the subject may enable the employer to focus on what the person making the request actually wants, and may also flush out the actual from the suspected or hypothetical in terms of the personal data held, but it rarely forms grounds to go past the 40 day deadline.