Court of Appeal issues guidance on subject access requests under the Data Protection Act
The Court of Appeal considered various issues regarding a subject access request ("SAR") under the Data Protection Act 1998 ("the Act") in this judgment. Some noteworthy points are as follows:
(1) Data is "personal data" if it "relates to" a living individual and the individual is identifiable from that data. So personal data includes someone's name and contact details. Lewison LJ added that "In addition to the categories of data which I have thus far considered, it seems to me that a person's whereabouts on a particular day or at a particular time may also amount to that person's personal data. Those data may be highly relevant, for example in calculating sick pay or holiday pay, or in the investigation of crime". Furthermore, information is not disqualified from being "personal data" merely because it has been supplied to the data controller by the data subject.
(2) Payment of a fee is not a pre-condition to making a valid SAR: "The only pre-condition, then, is that the data controller must have "received … a request in writing." As a matter of ordinary English, at least in this context, a "request" is a communication which asks someone to do something. In this context, "writing" includes electronic transmission… So a SAR may be made by e-mail or even via social media sites such as Facebook or Twitter". A request can be made informally, but it must make it clear that the recipient is being called upon to comply with his duty under section 7 of the DPA as a data controller.
(3) The purpose of the right of access to personal data is to allow the data subject to check the accuracy of the data and to see that they are being processed lawfully. However, it is not a valid objection that a collateral purpose may be to obtain documents for the purposes of litigation: "First, the target of a SAR is not documents; it is information… Second, in principle the mere fact that a person has collateral purposes will not invalidate a SAR, or relieve the data controller from his obligations in relation to it, if that person also wishes to achieve one or more of the purposes of the Directive… Third, there is now a considerable body of domestic case law which recognises that it is no objection to a SAR that it is made in connection with actual or contemplated litigation… Fourth, section 27 (5) of the DPA provides that apart from exemptions contained in the DPA itself, the subject information provisions prevail over any other enactment or rule of law. Fifth, there is a sufficient safety net in the form of the EU doctrine of "abuse of rights"". See further below re the court's discretion, though.
(4) The data controller is not obliged under section 7(1)(b) of the DPA to supply personal data. It must instead provide a description of the personal data (eg the controller may say that it has processed the data subject's name and address). The obligation under section 7(1)(c) of the DPA is to supply information but not the documents themselves. Conversely, the mere supply of copy documents may not be enough (because, for example, it may not be apparent to whom the personal data have been disclosed).
(5) The Court of Appeal recognised that the DPA has an underlying assumption that personal data can be sufficiently retrieved and made ready for disclosure to the data subject at the touch of a few buttons: "Experience shows that this assumption is fundamentally unsound". However, the EU legislature did not intend to impose excessive burdens on data controllers. A search need only be reasonable and proportionate and need not leave no stone unturned.
(6) Finally, the Court of Appeal disagreed with the obiter comment in Durant v FSA that the court's discretion to order the data controller to comply with a SAR is "general and untrammelled". Various factors may be taken into account by the court, including:
(a) whether there is a more appropriate route to obtain the information, such as disclosure in legal proceedings;
(b) whether there is a legitimate reason for the request;
(c) whether the collateral purpose of assisting in litigation would be an abuse of rights (eg litigation is being pursued merely to impose a burden on the data controller, or is procedurally abusive (because the litigation has failed before));
(d) whether the real quest is for documents, rather than personal data; and
(e) whether the data subject has already received the data (or documents), other than under a previous SAR.