In recent months, the UK High Court examined the circumstances in which an individual can make an access request for their personal data (a subject access request, or “SAR”) under the UK Data Protection Act 1998 (“DPA”). This arose in the case of Kololo v Commissioner of Police for the Metropolis. Mr Ali Babitu Kololo, sentenced to death for a serious crime in Kenya, submitted a SAR to the Metropolitan Police Service (the “MPS”), which assisted with the investigation. The High Court, exercising its discretion under the DPA, ordered the MPS to comply with the SAR made on behalf of Mr Kololo. The case highlights a somewhat marked difference between the Irish and English approaches to SARs.
How did the case arise?
Mr Kololo was found guilty of robbery with violence and kidnapping British nationals and was sentenced to death by a Kenyan court. As part of a challenge to his conviction, lawyers for Mr Kololo submitted a SAR to the MPS. This mechanism allows an individual to request any information relating to him/her held by the person or organisation controlling the data. The MPS refused to grant Mr Kololo’s request on the basis that it constituted an abuse of process. It argued that the SAR was an improper attempt to circumvent certain UK laws which enabled overseas courts or prosecuting authorities to request the assistance of UK authorities in obtaining evidence (the Crime (International Co-Operation) Act 2003)(“CICA”).
Under the DPA, UK courts have discretion as to whether to order compliance with SARs. The Court indicated this statutory discretion was "general and untrammelled”. However, it accepted that its exercise of this discretion should be proportionate and should give effect to the principles behind the DPA. Mr Kololo's primary reason for making the SAR was to determine whether there were inaccuracies in the data retained by the MPS. The Court noted that Mr Kololo would therefore want to correct any inaccuracies discovered in the hope that it might assist with his case.
What were the Court’s findings?
The Court rejected the argument that the SAR was an abuse of process, finding that there was nothing to indicate that CICA should to be the exclusive route to obtaining evidence.
The Court decided against exercising its discretion to refrain from ordering compliance with the SAR. Looking to the purpose behind the SAR – to determine whether the data held was accurate – the Court observed that it was proportionate for the Court to order the MPS to comply with the SAR. This was influenced by the fact that Mr Kololo had been sentenced to death. Furthermore, the existence of parallel proceedings in Kenya, for which the verified or corrected data was sought, did not of itself amount to a reason to refuse the SAR.
Subject Access Requests in Irish Case Law
The English courts’ focus on the purpose behind a SAR is markedly different from that adopted by the Irish courts. The Irish High Court, in Dublin Bus v Data Protection Commissioner, confirmed that an individual does not have to explain their reasons for making a SAR. The Irish Court emphasised that, under Irish law, a SAR was not a matter of discretion but rather a statutory right, which is subject to limited exemptions.
The Dublin Bus case came before the Irish High Court after the Data Protection Commissioner (“DPC”) ordered Dublin Bus to provide CCTV footage to Ms Margaret McGarr in the context of her personal injuries claim.
In contrast to the Kololo case, in Ireland an individual usually applies to the DPC to enforce a SAR. If the DPC feels there has been non-compliance, she can issue an ‘enforcement notice’ compelling compliance. The business that receives that enforcement notice may, if it wishes, appeal that notice before the courts. Unlike the UK, however, there is no equivalent discretion under Irish law for a court to decide whether to compel compliance with the SAR. A SAR generally must be complied with, unless a statutory exemption can be made out. In Ireland, unlike the UK, there is no general discretion as to whether a SAR ought to be complied with.
What does this mean?
Both cases highlight the possibility of using a SAR to obtain personal data for evidence in a court case. The common theme is that if an individual submits a SAR in order to scrutinise evidence either before or after a case, the request will generally be regarded as a lawful exercise of data protection access rights. The cases do highlight the difference in regulatory models between the UK and Ireland. While the English courts have discretion under the DPA to order compliance with a SAR, the Irish courts do not have such discretion. In Ireland, a SAR must be complied with unless one of the limited statutory exemptions can be made out.