In this second instalment, Faranak Ghajavand continues her assessment of Subject Access Requests ("SARs") in commercial litigation, and turns now to the limits of SARs in civil litigation.
The right of subject access only applies to personal data.
Individuals' right to access information under the DPA is restricted to personal data. S1 DPA defines personal data as "data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual". Largely, an individual is only entitled to personal data held by the data controller in electronic form or in the case of paper-based records those that are held in a "relevant filing system".
The scope of what constitutes personal data has ranged from a narrow approach taken in Durant v Financial Services Authority  to a broader interpretation being applied in the EU Working Party Opinion, with the ICO's guidance note on 'Determining what is personal data' attempting to bridge the gap. The respective narrow and broad interpretations can be summarised as follows:
- Durant: Mere mention of an individual's name in a document does not amount to personal data. Personal data constitutes information that (i) has as its focus the data subject and is biographical in a significant sense, namely it goes beyond simply recording the data subject's involvement in a matter or event that has no personal connotations, and (ii) relates to an individual in a way which might affect their privacy, whether in their personal or family life, business or professional capacity.
- EU Working Party Opinion: Information can relate to an individual regardless of whether its focus is on that person. When considering whether information relates to an individual for data protection purposes, the content, purpose and result must be considered.
In the UK, the current approach to what constitutes personal data can be determined from case law handed down in recent years. In R (Kelway) v The Upper Tribunal and others , the High Court confirmed Durant as the leading authority on what is meant by personal data, but appeared to limit its application, due to the fact-specific nature of that case. Instead, the court favoured a comprehensive and multi-layered approach when interpreting the definition of personal data under s1(1) DPA, saying it was necessary to consider the EC Data Protection Directive, the EU Working Party Opinion, the ICO's guidance note and Durant together using a structured approach, incorporating the relevant elements of all four sources.
The Court of Appeal in Edem v The Information Commissioner and another  (a case determining whether the names of FSA employees were personal data) seemed to endorse the approach applied in Kelway and criticised the First Tier Tribunal for too rigidly applying Durant. It had been wrong to look for whether the context in which the names were mentioned was biographically significant or affected the employees' privacy to determine whether it was personal data. A name was personal data unless it was so common that without further information, a person would remain unidentifiable despite its disclosure. Further, it was not always necessary to consider biographical significance to determine if data were personal data; biographical significance only needed to be considered where information was not obviously about an individual or clearly linked to him.
In Deer v University of Oxford  , the Court of Appeal held that the definition of personal data consisted of two limbs: (i) whether the data in question "relate to" a living individual, and (ii) whether the individual is identifiable from those data. Further, information was not disqualified from being personal data merely because it had been supplied to the data controller by the data subject.
The DPA contains exemptions to the right of subject access which must be observed
The right to subject access is not without limitations. The DPA recognises that there are circumstances where data controllers have legitimate reasons for not complying with a SAR and provides a number of exemptions from the obligation to do so in Part IV and Schedule 7 DPA. Some of the more notable ones are:
S29 DPA (crime and taxation): Personal data that are processed for certain purposes relating to crime and taxation are exempt from the right of subject access. These purposes are (i) the prevention or detection of crime, (ii) the capture or prosecution of offenders, and (iii) the assessment or collection of tax or duty.
S31 DPA (regulatory activity): Organisations that perform regulatory activities can rely on an exemption from subject access if they have regulatory functions that concern the protection of the public or charities, or fair competition in business.
Schedule 7, paragraph 1 (confidential references): Confidential references given by the data controller for employment or educational purposes are exempt from having to be disclosed. It should be noted that a data controller must comply with a SAR requesting access to a reference that has been received by it (subject to the rules of disclosure of third party information under s7(4) to 7(6) DPA).
Schedule 7, paragraph 7 (negotiations): Personal data consisting of a record of a data controller's intentions in negotiations with a data subject are exempt to the extent that compliance would likely prejudice the negotiations.
Schedule 7, paragraph 10 (legal professional privilege (LPP)): Personal data that consist of information in respect of which a claim to LPP could be maintained in legal proceedings are exempt from the subject access provisions. The extent of the LPP exception has now been confirmed by the Court of Appeal in Dawson-Damer & ors v Taylor Wessing LLP & ors  as applying only to documents that carry LPP for the purposes of English law, including both legal advice privilege and litigation privilege.
The obligation imposed on data controllers under the DPA is to provide the information requested in an intelligible and permanent form (for instance, paper) unless that is impossible or "would involve disproportionate effort" pursuant to s8(2)(a) DPA. It is not clear whether this is intended to operate as an exemption from the right to subject access (although the section has to a degree been treated as such by the courts) as the EC Data Protection Directive contains no concept of disproportionate effort. Nonetheless, what is clear is that the language of s8(2) limits a data controller's obligations where the supply of the information would require disproportionate effort on its part. The Code of Practice states at page 25 that data controllers "cannot refuse to comply with a SAR on the basis that it would involve disproportionate effort, simply because it would be costly and time consuming to find the requested personal data held in archived emails".
Once again, some light was shed on the interpretation of s8(2) by the Court of Appeal in Dawson-Damer. The data controller had relied on the LPP exemption to withhold personal data from disclosure but had not provided information as to the searches it had carried out or what review, if any, it had undertaken to determine what material was (and what was not) subject to a claim to LPP. The judge at first instance held that any additional searches by the firm of solicitors would involve disproportionate effort for the purposes of s8(2) and so it was excused from doing so - it would not be reasonable or proportionate to expect the solicitors to carry out any search or to expect it to be able to determine which documents were privileged (as it would involve the consideration of privilege under Bahamian law).
The Court of Appeal disagreed. It indicated that the reference in s8(2) to "supply" not only covered the copying and physical provision of information, but also searching for documents. Further, it held that the burden of proof was on the data controller to show that the supply of copies of personal data in permanent form would involve disproportionate effort. In this instance, all the solicitors had done was to review its files, which did not amount to showing that disproportionate effort would be involved in complying with the SAR.
The application of the principle of proportionality to SARs was considered in Deer v University of Oxford. The Court of Appeal held that while the principle of proportionality does not justify a blanket refusal to comply, it does limit the scope of efforts that a data controller has to take to those that are reasonable and proportionate: it is not an obligation to leave no stone unturned.
In Deer, Lewison LJ (at paragraph 104) held that a discretion conferred upon the court by legislation was conferred for a purpose (as opposed to being "general and untrammelled" as had been stated obiter in Durant). When exercising its s.7(9) discretion, the court had to have regard to the general principle of proportionality. In striking a balance between the rights of data subjects and the interests of data controllers, the court could consider: (i) whether there was a more appropriate route to obtaining the requested information, (ii) the reason for the SAR, (iii) whether the application was an abuse of rights or procedurally abusive, (iv) whether the request was really for documents rather than personal data, and (v) the potential benefit to the data subject.
Whilst there are exemptions to the right of subject access, the authorities underline the position that the onus lies on the party claiming the exemption to establish it applies by reference to evidence (see Gurieva v Community Safety Development (UK) Ltd  in which it was held that a private investigation company had failed to establish that either a crime or a privilege exemption applied and that there was no good reason why the court should not exercise its discretion under s7(9) to order compliance with a valid SAR).
Subject access is not a substitute for disclosure under the CPR
Subject access provides a right to see the information contained in personal data, rather than a right to see copies of the documents that include that information. Accordingly, it is not a substitute for disclosure under the Civil Procedure Rules (CPR) and should not be treated as such by data subjects seeking to rely on SARs within the context of civil litigation. Where the facts of a case permit, SARs can be used as part of a litigation strategy to complement rights of disclosure under CPR, especially where the provisions of the CPR are not yet engaged or where the information that is requested is not relevant to the dispute in such a way so as to meet the test for standard disclosure in CPR 31.6. Data subjects and their advisers should take note of instances where the court has not viewed the use of subject access favourably where this has been an attempt to circumvent the disclosure provisions in the CPR. In DB v General Medical Council  , the court held that the GMC had been wrong to decide to disclose an independent expert's report to a patient where that report also contained personal data of the patient's doctor, against whom the patient intended to bring a claim. It was considered a relevant factor that disclosure under s7 DPA would deprive the doctor of the protections afforded by the CPR in the context of civil litigation, in particular the restriction on the use of the report under CPR 31.22.
The judgment in DB v GMC was handed down before Dawson-Damer and the court's clarification in that case that there is no 'no other purpose' rule implied into the DPA. Nevertheless, whilst Dawson-Damer eases some of the concerns that the courts will look unfavourably on individuals who seek to use the subject access regime to request information where they are also engaged in legal proceedings (or may become so in the future), the court noted the position might be different if the s7(9) application was an abuse of the court's process. The mere holding of a collateral purpose would not normally amount to an abuse.
Ultimately, there are both significant merits and limits to the use of SARs within the context of civil litigation and each case is likely to be fact-dependent. However, those considering SARs for the purposes of litigation would be well advised at the outset to review the data protection principles to determine whether they are engaged.
Dawson-Damer & ors v Taylor Wessing LLP & ors  WTLR 253
DB v General Medical Council  EWHC 2331 (QB)
Deer v University of Oxford  EWCA (Civ) 121 Gurieva & Anor v Community Safety Development (UK) Ltd  EWHC 643 (QB)
Durant v Financial Services Authority  EWCA Civ 1746
Edem v The Information Commissioner and another  EWCA Civ 92
R (Kelway) v The Upper Tribunal and others  EWHC 2575 (Admin)
This article first appeared in The Commercial Litigation Journal: July/August 2017.