There have been a number of cases on responses to subject access requests in the last month, which are helpful in forming a risk-based approach to responses when such requests are made once litigation has commenced with the data subject or when such requests put the data controller to a disproportionate effort.
Guidance from the ICO is clear that the right of subject access is a distinct and separate right: the fact that a data subject is engaged in legal proceedings with the data controller does not give the data controller the right to refuse to respond to a subject access request. The exemptions should be applied on a case-by-case, document-by-document basis. However, the cases below will give data controllers a glimmer of hope in these circumstances, as the court has taken a much less tolerant approach.
In Dawson-Damer and Ors v Taylor Wessing and Ors EWHC 2366 (Ch) the High Court refused to order compliance with a data subject access request on the basis that it was made for an improper purpose, and where the search required to locate documents would not be reasonable or proportionate.
Facts: Individuals often submit data subject access requests to their current or former employers under s.7 Data Protection Act 1998 (DPA 1998) in order to obtain documents in connection with some broader dispute, such as grievances, disciplinaries or even ongoing litigation. Complaints about subject access requests can be made to the Information Commissioner's Office (ICO) or to the County/High Court. The Courts have generally declined to order compliance with subject access requests made for improper purposes (such as to obtain documents in connection with litigation). In contrast, the ICO has underlined its views that the right to make a request is "purpose blind", although in practice enforcement action on the part of the ICO is rare.
In this case, the claimants were in dispute with a trustee company based in the Bahamas. The claimants submitted individual subject access requests to the trustee's solicitors based in the UK, seeking copies of all personal data held by the solicitors relating to them. When the solicitors declined to comply with the request, the claimants applied to the High Court for an order requiring compliance.
The High Court declined to exercise its discretion to order the solicitors to comply with the subject access requests. In reaching this decision, the Court considered that the requests had been made with the improper motive of seeking documents in connection with the litigation against the trustee in the Bahamas, as opposed to any proper purpose connected with the protection of their privacy. The Court also accepted the solicitors' contention that most if not all of the documents which they processed containing the claimants' personal data were exempt from disclosure on the basis of the legal privilege exemption set out in the DPA 1998. The Court was prepared to interpret this exemption broadly. Significantly, the Court went on to follow an earlier decision in which it held that a 'reasonable and proportionate' search for personal data was sufficient to comply with a subject access request, despite the fact that this qualification does not appear in the DPA 1998 and that the ICO has openly disagreed with this perspective. Applying this principle to the present case, it was not reasonable and proportionate for the solicitors to conduct a review of all of their files to ascertain if any personal data was being processed outside of the boundaries of privilege. It is understood that this decision is subject to an appeal.
What does this mean for employers: Employers are often vexed at the prospect of undertaking the time-consuming and costly exercise of searching for documents containing an individual's personal data in response to a subject access request, particularly where the request is being made in the context of some broader dispute between the parties. This decision provides further scope for employers to take a pragmatic approach when responding to requests made in this context, taking account of the individual's motive for making the request and also whether a reasonable and proportionate search for the personal data is possible. A copy of the judgment is available here.
Mulcahy v Metropolitan Police Service (MPS) considers the proportionality of the burden imposed by reviewing (and, where necessary, redacting) information before disclosure, rather than by searching for it. ICO Guidance is clear that the words "disproportionate effort" in s.8(2) of the DPA refer to the obligation to provide documents in hard copy form, implying that the personal data should still be provided, but in a different format. Mulcahy was a convicted rapist serving a 24-year prison sentence when he submitted to the MPS a subject access request for all evidence used in his prosecution. The court considered that the request put the MPS to disproportionate effort and, accordingly, section 8(2) of the DPA applied and the MPS succeeded in not having to disclose information to Mulcahy, regardless of format. A copy of the judgment is available here.
Finally, in Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & 6 Ors (2015) a dispute arose between one resident and several other residents of a block of flats, and the claimant submitted a subject access request to the management company of which the residents were members.
Part of the claim related to the failure by 6 of the residents to disclose any information in response to the request – it was held that such residents were not data controllers, the claimant's subject access request had not met the formalities required (for example, a £10 fee was not offered to each of the residents) and, in any event, the exemption under s.36 of the DPA (processing by individuals for domestic purposes) would most probably have applied. The management company had responded to the request with appropriate disclosures and by doing so had discharged its obligations under the DPA. An appeal has been made to the Court of Appeal. A copy of the judgment is available here.
What action could be taken to manage risks that may arise from this development?
In certain circumstances, companies may wish to take a more risk-based approach to responses to subject access requests, based on the approach of the courts in these cases.