The decision in Dawson-Damer, in which the Court of Appeal suggested that searches to identify data would rarely be "disproportionate" so as to limit a data controller's obligations under the Data Protection Act 1998 (DPA), rightly gave professional advisers, who hold enormous amounts of personal data, cause for concern. In a recent decision deliberately issued after that in Dawson-Damer, the Court of Appeal, though following its own recent decision in Dawson-Damer, does show a measure of sympathy with the plight of data controllers faced with wide-ranging and onerous Subject Access Requests (SARs).
Ittihadieh v 5-11 Cheyne Gardens/Deer v University of Oxford concerned two separate claims filed by individuals who considered that the respondents in their respective cases (in one case, his neighbours in an apartment building and in the other, her former employer) had not adequately complied with their SARs. At first instance, in both cases the court refused to exercise its discretion under s7(9) of the DPA to order disclosure of (the full amount of) documents requested in the SARs. Both claimants filed appeals, both of which have now been rejected by the Court of Appeal.
The Search Obligation
The Court of Appeal emphasised that the target of a SAR is not documents, but information. It pointed out that a data controller's obligation under section 7 of the DPA is to provide on request a description of the personal data and to supply information constituting the personal data and the source thereof, but not the documents themselves. This can be read as an indication that (despite the confirmation in Dawson-Damer that a SAR being made in order to obtain material for use in litigation does not justify a data controller withholding information requested in a SAR) SARs are not to be used as a cheap and early method of obtaining disclosure of documents.
Lewison LJ, giving judgment on behalf of the Court, further recognised that whilst the DPA implies a search obligation on the data controller, the underlying assumption, both in the DPA and in the Directive on which it is based, that personal data can be retrieved "at the touch of a few buttons" was "fundamentally unsound".
Stressing the importance of proportionality as a fundamental principle of EU law, which must be taken into account when interpreting the provisions of the DPA, Lewison LJ stated that "while the principle of proportionality cannot justify a blanket refusal to comply with the SAR, it does limit the scope of the efforts that a data controller must take in response". He added that the mere fact that a further and more extensive search might have revealed further personal data does not mean that the first search was inadequate.
He went on to recognise that a human element was necessary when reviewing the results of a computerised search, as an evaluative judgment is required to determine whether, for example, the personal data in question are covered by legal professional privilege or exempt under any of the other exemptions in Schedule 7 to the DPA. This, coupled with the recognition that the search must be proportionate and that there is no obligation to "leave no stone unturned", may be an indication that, in appropriate cases, the courts may now be prepared to come to the aid of data controllers overwhelmed by sweeping SARs by exercising their discretion under section 7(9) of the DPA.
The Court's Discretion
The Court of Appeal's judgment in Ittihadieh lists a number of factors to be taken into account by a Court when exercising its discretion to order compliance with a SAR under s7(9) of the DPA. These include:
- whether there is a more appropriate route to obtain the information, such as disclosure in legal proceedings. This appears to go some way towards alleviating the statement in Dawson-Damer that the purpose behind the SAR is irrelevant to the obligation to comply with it;
- whether there is a legitimate reason for the request or whether it is an abuse of rights. For example, where the SAR is made with a collateral purpose of assisting in litigation, but that litigation is being pursued merely to impose a burden on the data controller, or is procedurally abusive (e.g. because the litigation has failed before), that is a factor the Court should take into account;
- whether the real quest is for documents, rather than personal data (for example where the personal data would be of no real value to the data subject). This, again, seems designed to limit the effect of the rejection of the "no ulterior purpose" test in Dawson-Damer;
- whether the data subject has already received the data (or documents), other than under a previous SAR;
- whether the data subject legitimately wishes to check the accuracy of his personal data;
- whether the data subject was an author or recipient of the document in question.
It is also interesting to note that in addition to being a factor in the Court exercising its discretion as to making a s7(9) order, the conduct of the parties also has significant costs implications. In Dr Deer's case, the Court made a deduction of 25% to Dr Deer's costs because of an assessment by the judge at first instance that Dr Deer's motive in pursuing litigation was "essentially antagonistic".
Whilst there is some comfort in knowing that the obligation to conduct a search is not unqualified, firms would do well to adopt a proactive approach to the issue of SARs. Our previous article suggested ways in which firms should prepare for SARs, including considering whether current document management systems are appropriate, whether your firm has or should implement a response system in anticipation of receipt of SARs, and what might be included in a response to a SAR where the firm has decided either not to comply or to limit the SAR's scope.
Firms are always encouraged to record the steps adopted in responding to a SAR, such as the methodology adopted for a search, or the basis upon which a decision not to comply was reached, with the latter to include estimates of the time and costs associated with the search. Lewison LJ's comments suggest a record of the management time involved, i.e. the human element, would not go amiss in such an explanation. Further, in cases involving many or complex documents it can be advisable to contact the data subject to attempt to agree in advance the search parameters to be used (similar to the procedure commonly adopted in disclosure exercises).
In arriving at a decision that a search, or part of it, is not proportionate, firms would also do well to take heed of and cite the factors above, where relevant. These factors can also be used as a basis for firms to encourage data subjects to narrow their request, along with other tools such as requesting further information about when the data was processed and what it was processed for.
The Court has indicated its reluctance to set prescriptive guidelines on this issue, and as such each SAR should be considered on a case by case basis, with reference to the Court's decisions where possible. In some instances, it may be necessary to seek specialist legal advice in order to determine how to respond to a SAR.