Data subject access requests (DSARs) are often used by employees as a tactic before or during litigation against their employers. Gurieva v Community Safety Development Ltd shows that the Courts are still reluctant to find that DSARs made by employees looking to obtain early access to information for use in litigation might be improper.
In this case, the High Court ordered a private investigator to comply with a DSAR made by a Russian couple who were involved with a company that the private investigator (Community Safety Development Ltd (CSD)) was investigating. CSD had refused to comply with the DSAR on the grounds that:
- two of the exemptions set out in the Data Protection Act 1998 (the DPA) applied (prevention and detection of crime and legal professional privilege)
- it would be disproportionate for CSD to have to comply with the DSAR
- the DSAR was an abuse of process as it had been made for an improper purpose, i.e. in order to gain access to information for the purposes of litigation
None of these grounds were accepted by the Court, which emphasised that the general principle is that its discretion "will ordinarily be exercised in favour of a claimant who has made a valid DSAR, in the absence of a good reason not to".
CSD had also claimed that the DSAR was not valid as it had been made by the Claimant's solicitors (rather than the Claimants themselves) and insufficient evidence had been provided as to the identity of the requester. In this regard, the Court found that whilst it may be reasonable for an organisation which receives a DSAR to seek proof of authority where the requester is not the data subject, where a DSAR is requested by a firm of solicitors who confirm their authority to act, this will suffice.
The DPA sets out a number of specific exemptions which can be relied on to avoid data disclosure. The Court considered that the exemptions cited may have applied to some of the data held by CSD. As CSD had failed to disclose any data at all, however, and had made no attempt to analyse which data was covered by the exemptions and which was not, the Court was unable to uphold either of the exemptions. To do so would have been to grant a blanket exemption in relation to a substantial quantity of data, not all of which would, when properly analysed, fall within the relevant exemptions.
Requests need not be complied with where it is not reasonable or proportionate to do so, and CSD had argued that it would be neither reasonable nor proportionate to require it to analyse all the documentation it held on the Claimants in order to determine which documents or parts of documents were privileged. The Court disagreed, finding that the cache of 1,500 documents which had already been identified was not vast and that it would not be a complex matter to determine whether or not privilege applied to the data.
Abuse of process
The Judge emphasised that an individual seeking access to his or her personal data is not required to justify or explain the request in any way.
The Judge also stated that he did not consider "that the use of a DSAR to obtain early access to information that might otherwise be obtained via disclosure in litigation would be improper". Any abuse of process should simply be thwarted by "properly reasoned reliance on the privilege and crime exemptions". If CSD had properly analysed the data in its possession, and given a detailed account of why it considered that an exemption applied to particular datasets, it may have been able to avoid disclosing them.
What this means for employers
Although the courts had been taking a more relaxed attitude to permitting data controllers to rely on exemptions, the decision in the Gurieva case suggests that this attitude is changing, with judicial opinion again favouring claimants over respondent data controllers. The Courts now appear very comfortable with the fact that DSARs have become a common feature of the litigation process.
This decision also highlights the dangers of employers issuing a blanket refusal in response to all data requested under a DSAR. It is clear from the judgment that organisations will be expected:
- To analyse with care all data held in relation to the data subject
- To disclose any documentation which is not exempt for any reason
- To be able to provide detailed explanations as to why any information has been withheld
The full text of the judgment is available here.