Recent court decisions have highlighted that data subject access requests are no longer simply a tool to check whether data is processed lawfully, but have become a recognised litigation tactic.
We consider how employers should respond to this change.
Back in 2003, the Court of Appeal in Durant v FSA confirmed that the Data Protection Act (DPA) did not create an automatic right for employees to access all personal data held about them by their employer. Rather, the purpose of the data subject access request (DSAR) was deemed relevant when considering whether or not the employer had to comply with it. However, a number of cases during 2017, a few of which are considered below, have called into question this approach.
Dawson-Damer v Taylor Wessing LLP (February 2017)
This case concerned the fact that Taylor Wessing had refused to comply with a DSAR citing, among other things, that the individual's real motive in making the DSAR "was to use the information in legal proceedings" and that this was not a proper use of the DPA.
The Court of Appeal disagreed with the employer, saying that the motive behind the making of the DSAR is irrelevant to whether or not the employer should comply with it. The individual was entitled to make a DSAR even if the 'collateral purpose' in doing so was to aid litigation. There is nothing in the DPA which limits the purpose of a DSAR or places a requirement on an individual to explain what they want the information for.
Ittihadieh v 5-11 Cheyne Gardens/Deer v. University of Oxford (March 2017)
These joined cases also confirmed the approach taken in Dawson-Damer, namely that any 'collateral purpose' for making a DSAR is irrelevant in terms of the employer's need to comply with it. Fortunately for employers, however, the court in these cases did offer some guidance as to the factors to be taken into account when considering a refusal to comply with a DSAR. In particular, when an employee considers that the employer hasn't properly dealt with a DSAR and asks the court to order compliance, the court should consider the following factors in deciding whether to grant such an order:
- Is there a more appropriate way of obtaining the information?
- How serious is the breach by the data controller?
- Is there an abuse of process?
- What is the potential benefit to the data subject?
- Have they already got the information they're requesting?
- Will the search require 'disproportionate effort'?
The consideration of 'disproportionate effort' has proved a topic of debate in and of itself. In Holyoake v. Candy (February 2017), the High Court reiterated that the obligation to carry out a search for personal data on receipt of a DSAR is limited to what is 'reasonable and proportionate'. This applies to all stages of the DSAR. Although there is no legal definition of what is reasonable and proportionate and it is determined on a case-by-case basis, the court has commented that it is very much a balancing exercise between the effort involved in finding and supplying information as against the benefits it might bring to the data subject. Employers should therefore bear this in mind when considering the reasonableness of any DSAR received.
What approach has the ICO taken?
The ICO seems to take a dim view of employers relying on the 'relevant factors' (outlined above) when met with a DSAR. This indicates that, regardless of whether any of these relevant factors are present, the ICO will still want to see that a proper effort has been made by an employer to comply with the DSAR. After all, disgruntled employees or ex-employees are more likely to complain to the ICO, which is free, than to commence litigation, which may attract legal costs.
Where does this leave employers?
Although it may be clear when an employee or ex-employee is submitting a DSAR that it is simply a means of supporting a tribunal or court claim, employers should not treat this as grounds for refusing to comply with the DSAR.
On receipt of a DSAR, employers should balance any difficulties involved in complying with the DSAR against the benefits the information might bring to the data subject. By doing this, both the ICO and the court will be much more sympathetic should the employer refuse to comply on grounds of the volume of information sought or other difficulty. Above everything, employers must not simply ignore a DSAR, as it is likely to be a one-way ticket to a fine or other sanction.
General Data Protection Regulation (GDPR) Considerations
With the 25 May deadline for GDPR compliance now firmly on employers' minds, dealing with a DSAR under the current DPA may seem like even more of a burden, but DSARs should not be neglected. We have to assume that the GDPR will not wipe the slate clean and that last year's rulings will still apply. The only respite may be that, unlike the DPA, the GDPR offers employers the ability to apply for up to a two-month extension on the one-month compliance requirement where a DSAR is particularly onerous, which is often the case in the context of employment-related requests. The downside is that under the GDPR, an employer's response to a DSAR requires more detailed information to be given to the data subject. For more information see our previous article: HR and GDPR: How will data subjects' rights change?
ADDENDUM: We offer a range of advice on data protection matters, including dealing with subject access requests and ensuring you are GDPR compliant. If you would like further information, please visit our dedicated data protection compliance page.