Remedies for inadequate response to a subject access request: the High Court decision in Rudd v Bridle

April 16, 2019

In Rudd v Bridle and another (Rev 1) [2019] EWHC 893 (QB), the High Court considered to what extent the claimant could obtain remedies for inadequate subject access responses under sections 7, 10 and 13 of the Data Protection Act 1998. The judgment gives useful guidance on the exemptions from the right to claim subject access, about how to assess if information is a claimant’s personal data and how to balance a claimant’s right of access to their personal data against the rights of unnamed third parties.

The claimant, Dr Rudd, was a medical doctor specialising in the science of exposure to asbestos. The defendant, Mr Bridle, had spent his career working in the asbestos industry and had tried to get the GMC to strike off R. The second defendant was a company controlled by Mr Bridle and his son. The background to the action was, in the words of the judge, “a profound dispute or difference between Dr Rudd and Mr Bridle concerning the role of asbestos in causing mesothelioma and other diseases, and (specifically) R’s conduct in his role as an expert witness for claimants in actions for damages for disease attributed to exposure to asbestos cement products”.

The court considered the legal framework under the DPA 1998. Section 7 relates to subject access requests, section 10 to the right to prevent processing causing unwarranted damage and section 13 compensation. 

The court ruled that Mr Bridle was the data controller and that the company was not.

The court also considered the exemptions to subject access requests: journalistic, regulatory activity and privilege and rejected the arguments that these exemptions applied. There was no evidence that any personal data relating to Dr Rudd had been included in any publication made by either defendant to the public or any section of the public. Nor was there any evidence that the defendants intended or planned to include any reference to Dr Rudd in any publication by them to the public or any section of the public. The manner in which the personal data were or were to be used to “raise public awareness” evidence was not explained. The evidence was that the purpose was a campaigning one.

The defendants had argued that their correspondence with the GMC meant the regulatory activity exemption applied. The judge rejected this. This is a qualified exemption, which only applies “to the extent to which” the provision of subject access “would be likely to prejudice the proper discharge” of the relevant functions. The defendants provided no evidence that compliance with section 7 would cause any such prejudice. 

The judge also ruled that the privilege exemption was not fully made out. The evidence, “sparse though it is, was sufficient to justify the claim to legal advice privilege; but the focus has been on the claim to litigation privilege”, and the evidence did not satisfy the judge that the relevant principles have been correctly applied.

In relation to the adequacy of the information provided under the subject access request, the judge ruled that the responses were inadequate, at least to the extent to which they failed to provide any information at all about the matters for which legal professional privilege has been claimed.

Another point was whether Dr Rudd was entitled to know the names of people with whom the defendants were corresponding. The judge said that the identities of those who, within the personal information disclosed, were alleged to have conspired with or assisted or collaborated with Dr Rudd in the alleged fraud qualified as part of his personal information. It was information that focused on him and was biographically significant. However, the identity of those to whom there was disclosure was not personal data.

The judge also dealt with the question of sources and considered that a data controller could not have a blanket refusal to provide information about sources of personal data they were holding. He agreed with Dr Rudd that in relation to some personal data there was no information about the purposes for which it was processed, although there was no requirement to provide such information on a document by document or item by item basis. Previous case law has not covered this point and the ICO “offers little guidance” concerning it, according to the judge.

The judge said that he would make an order under section 7(9) of the Data Protection Act 1998, that Mr Bridle would provide further information including descriptions of recipients of personal data, the identities of persons who had been communicating with him about Dr Rudd and any information as to the sources of the personal data. No remedies were granted against the company as it was not a data controller. The court also dismissed Dr Rudd’s claims for damages from Mr Bridle as he had not provided evidence of harm or distress.

Although the case concerned pre-GDPR law, it can be applied to the new regime.