Section 7 of the Data Protection Act 1998 (DPA) provides data subjects with the right to access their personal data. In most cases, this is relatively straightforward – for example a patient accessing their medical records. However, in others it can be an incredibly complex and burdensome exercise – for example a member of staff or a serial correspondent requesting every document and email containing their personal data.
The subject access right is open-ended and far reaching, on the face of it entitling data subjects to access to all of their personal data, however and wherever held, subject only to limited, narrow exemptions. An exception to this right is provided for under section 8(2)(a), which provides that the obligation to communicate copies of personal data must be complied with by supplying the data subject with a copy of the information in permanent form unless the supply of such a copy would involve disproportionate effort.
The ICO’s view
The ICO has previously taken the view that the exception only applies to the supply of information, and did not place limits on the duty to search for and retrieve personal data or allow data controllers to exclude personal data from the response merely because it is difficult to access.
The issue faced by data controllers is that it is rarely the supply of personal data that is the problem; rather it is the process of finding, retrieving, reviewing and redacting the information in the first place. This process can tie up management, administrative and IT staff for days on end at considerable cost and inconvenience to the data controller.
This process is often regarded by data controllers as disproportionate, or perhaps as a blunt tool for pursuing an agenda which has very little to do with data protection. However, data controllers usually find themselves with little choice but to deal with the request in full, in the knowledge of the approach the ICO would take in the event of a complaint.
The Court of Appeal takes a different view
In the case of Dawson-Damer -v- Taylor Wessing LLP  EWCA Civ 74, the Court of Appeal was required to determine a number of issues arising from a dispute between a Bahamian trust company and its solicitors. The beneficiaries of the trust company made subject access requests to the solicitors. Suffice it to say, the beneficiaries were not satisfied with the solicitors’ response, and the extent of the disproportionate effort exception was one of the issues that the Court of Appeal needed to resolve.
The Court of Appeal found that:
- Contrary to the ICO’s subject access code of practice, the difficulties that can be taken into account for the purposes of the disproportionate effort exception are not limited to those which arise in the process of producing a copy of a document.
- It will be a question for evaluation in each particular case whether disproportionate effort will be involved in finding and supplying the information as against the benefits it might bring to the data subject.
- What is weighed up in the proportionality exercise is the potential benefit that the supply of the information might bring to the data subject, as against the means by which that information is obtained.
The Court of Appeal also confirmed that there is no rule that a subject access request can only be used for the purposes of exercising data protection rights and not for any other purpose. The existence of a collateral purpose for making a subject access request, such as to assist the data subject in legal proceedings, did not mean that data subjects could not enforce their subject access right.
Revisions to the ICO code
The ICO had stated in a previous version of its subject access code of practice that the disproportionate effort exception ‘had caused considerable confusion.’ That statement has been proven to be accurate!
Following the Court of Appeal judgment in Dawson-Damer and in other cases raising similar issues, the ICO has now revised the code and, in particular, provides the following new guidance on the disproportionate effort exception:
- ‘[You] may take into account difficulties which occur throughout the process of complying with the request, including any difficulties you encounter in finding the requested information.’
- ‘When responding to subject access requests (SARs), we expect you to evaluate the particular circumstances of each request, balancing any difficulties involved in complying with the request against the benefits the information might bring to the data subject, whilst bearing in mind the fundamental nature of the right of subject access.’
- ‘In order to apply the exception, the burden of proof is on you as data controller to show that you have taken all reasonable steps to comply with the SAR, and that it would be disproportionate in all the circumstances of the case for you to take further steps.’
- ‘We consider it good practice for you to engage with the applicant, having an open conversation about the information they require. This might help you to reduce the costs and effort that you would otherwise incur in searching for the information.’
- ‘If we receive a complaint about your handling of a subject access request, we may take into account your readiness to engage with the applicant and balance this against the benefit and importance of the information to them, as well as taking into account their level of co-operation with you in the course of the handling of a request.’
- ‘Whether or not the applicant has a ‘collateral’ purpose (ie other than seeking to check or correct their personal data) for making the SAR is not relevant.’
As is often the case, what is not in the revised code is as telling as what is. Statements within the previous code that have been retracted in the latest revision include:
- ‘The DPA does not permit you to exclude information from your response to a SAR merely because it is difficult to access...it does not place any express limits on your duty to search for and retrieve the information they want.’
- ‘...it will never be reasonable to deny access to the requested information merely because responding to the request may be labour-intensive or inconvenient.’
- ‘... you must provide subject access to all personal data you hold, even if it is difficult to find.’
- ‘We stress that you should rely on the disproportionate effort exception only in the most exceptional of cases.’
However, as a word of caution, data controllers should pay particular attention to the following new wording included in the code:
‘The DPA places a high expectation on you to provide information in response to a SAR...you should ensure that your information management systems are well-designed and maintained, so you can efficiently locate and extract information requested by the data subjects whose personal data you process, as well as redact third party data where it is deemed necessary.’
Implications for data controllers
The revised code of practice clearly opens the door to data controllers taking a firmer stance when dealing with the most complex and burdensome subject access requests. This will help manage the time and resource implications of dealing with such requests in a proportionate way.
However, it is important to remember that, where a complaint is made, the burden of proof will be upon the data controller to demonstrate that it has taken all reasonable and proportionate steps to comply, and that the ICO will determine whether or not this is the case. The ICO still considers there to be ‘a high expectation’ on data controllers and, while it must now take a more holistic view of whether difficulties in complying outweigh the subject access right, it will not easily be persuaded that this is the case. This will particularly be so where the difficulties arise from poor information management systems or practices.
On 25 May 2018, the GDPR will apply in the UK and replace the DPA. Subject access will be in accordance with Article 15 of the GDPR which does not include an equivalent exception. The UK is entitled to introduce derogations from the GDPR, including in relation to subject access, but at present it is not yet known whether the current exception will be preserved. The Government has consulted on derogations but at the time of writing is yet to provide its response or publish the forthcoming data protection bill announced in the Queen’s Speech. It is possible, however, that the exception will cease to apply.
What is clear, however, is that Article 25 of the GDPR will introduce a new obligation on data controllers to implement ‘data protection by design’ and ‘data protection by default,’ so as to make sure their systems and practices enable them to fulfil their data protection obligations, including subject access. Therefore, where poor information management systems or practices are at fault for difficulties in dealing with subject access, this will not only be an inadequate excuse for not complying with a subject access request, but also potentially a breach of the GDPR in itself, in respect of which the ICO can take enforcement action.