Wanting It All: Unreasonable Subject Access Requests

June 3, 2008

Subject access rights are an important part of any data protection framework, allowing individuals to check and correct information relating to them. However, this right can impose a heavy burden on businesses, especially when individuals make demanding requests either as a fishing expedition in support of litigation or simply to create nuisance.
The more demanding requests often ask for all information held by an organisation regardless of where it is stored. There has been an ongoing debate within the United Kingdom about how to deal with this type of request and, in particular, whether an organisation really has to search all of its records in response to such a request.
The recent decision by the High Court in Ezsias v Welsh Ministers [2007] All ER (D) 65 confirms that limits can be applied and an organisation need only conduct a ‘reasonable and proportionate’ search in response to a subject access request. This conclusion was clearly sign-posted by earlier decisions but is still very welcome.

Background: A History of Litigation

Mr Ezsias was employed by a hospital in Wales as a consultant oral and maxillofacial surgeon. He had a difficult relationship with his employers, was suspended in April 2003 and finally dismissed in February 2005. In response he commenced proceedings in the Employment Tribunal on the basis that he was a ‘whistleblower’ and therefore his dismissal was automatically unfair. To support his whistleblowing claim he relied on a number of clinical and administrative complaints he had raised, including allegations that his colleagues were guilty of fraud, dereliction of duty and incompetence. These proceedings are ongoing.
Mr Ezsias also wrote extensively and repeatedly to various branches of the Welsh regional government asking them to investigate these matters. He was not satisfied with their responses so complained to the Public Service Ombudsman for Wales. The Ombudsman dismissed the complaint, though that dismissal is now itself the subject of an application by Mr Ezsias for judicial review.
Finally, Mr Ezsias made a number of subject access requests to the Welsh regional government in respect of his earlier correspondence. The main purpose of these requests was to obtain information to assist him in the Employment Tribunal in his action against the hospital. He was not satisfied with the Welsh regional government’s response, so launched the current proceedings.

Subject Access Requests and Litigation

Mr Ezsias was seeking to enforce his right under s 7 of the Data Protection Act 1998. This entitles him to:
• be informed if his personal data is being processed
• be given a description of that personal data, the purposes for which it is being processed, the source of the personal data, the persons to whom it is provided and the logic of any automated decisions, and
• have communicated to him in an intelligible form any information constituting that personal data.
This right appears to be very wide. However, it provides access only to personal data and does not give wider rights to litigation discovery, a point made forcibly in the seminal decision of the Court of Appeal in Durant v Financial Services Authority [2003] EWCA Civ 1746: ‘the purpose of section 7 … is to enable [the individual] to check whether the data controller’s processing of [his personal data] unlawfully infringes his privacy and, if so, to take such steps as the Act provides … to protect it. It is not an automatic key to any information, readily accessible or not, of matters in which he may be named or involved. Nor is to assist him, for example, to obtain discovery of documents that may assist him in litigation or complaints against third parties’. Accordingly, Mr Ezsias’ use of this right to obtain information to use in litigation against his employer meant his ‘entire approach to the application [was] misconceived’.
Mr Ezsias also suffered from the common misconception that he was entitled to be provided with documents, whereas the Act only confers a right of access to data. This was also addressed by Auld LJ in Durant: ‘It is not an entitlement to be provided with original or copy documents as such, but … with information constituting personal data in intelligible permanent form’. It is up to the data controller to decide what permanent form they wish to supply the data in. It is often simplest just to print electronic information out or photocopy manual records, but there is nothing to stop the personal data being extracted and placed into a new document. This is sometimes preferable to providing redacted documents as the data subject does not then see areas of redacted information which they often think are being inappropriately withheld.
However, none of this invalidated the subject access request and it was still necessary for the judge to review the information disclosed by the Welsh Ministers (running to approximately 1,000 pages) and the information withheld (running to approximately 1,400 pages) to determine if the request had been handled correctly.

Was the Information Personal Data?

The primary issue was whether the information withheld by the Welsh Ministers was personal data in the first place. The judge found that in almost all cases the information withheld related to Mr Ezsias’ complaint and not to him as an individual. Accordingly, this information was not personal data and did not need to be disclosed.
In coming to this conclusion, the judge followed the narrow interpretation of ‘personal data’ set out in Durant and did not adopt (or even refer to) the much wider definition advocated by the UK Information Commissioner in his recent guidance on this topic.
This is not surprising given that the judge was bound by the decision of the Court of Appeal in Durant under the doctrine of stare decisis. It is also a useful reminder that it is up to the courts to interpret the meaning of the Act and the Information Commissioner can merely offer guidance.

Limiting a Search’s Scope

The next issue was whether the Welsh Ministers conducted a sufficiently thorough search for this information. For example, Mr Ezsias complained that not all the relevant departments within the Welsh regional government had been contacted to determine if they held information.
This issue is significant as individuals commonly ask for copies of ‘all’ (or in this case, ‘ALL’) information held about them. Literal compliance with such a request could be very time-consuming and expensive for many large organisations who typically have substantial e-mail, document management, back-up and other systems. Moreover, such a comprehensive review is likely to generate tens of thousands of documents which will then have to be reviewed to determine if they are disclosable.
The judge concluded that the Act only requires a ‘reasonable and proportionate’ search and, in this case, the Welsh Ministers had satisfied this requirement.
This interpretation is slightly controversial and the correct approach to this issue has been the subject of some discussion in the United Kingdom. There is no express provision in the Act allowing an organisation to limit its search in this manner (the only ‘proportionality’ limitation applies to the obligation to supply this information in permanent form: see s 8(2)).
Moreover, the judge did not provide detailed reasoning for his conclusions. He referred to the nominal fee for making a subject access request (£10) and the fact that the Welsh Ministers would not be required to spend more than £600 searching for unstructured manual personal data (the Welsh Ministers are a public authority and therefore obliged to disclose unstructured personal data following amendments made by the Freedom of Information Act 2000). He also referred to general comments on proportionality made in the Durant case, though, strictly speaking, these relate to the question of what constitutes a relevant filing system rather than the scope of the subject access request. Finally, while it appears that these are the judge’s conclusions on the scope of this right, they may overlap with his views on whether he would exercise his discretion to order further searches in any event.

Practical Issues

Subject access requests remain an important part of the Act and have been vigorously enforced by the Information Commissioner. There is no reason to suggest this position will change following the decision in Ezsias. The question is therefore how to deal with onerous requests in light of this judgment and how to determine what constitutes a ‘reasonable and proportionate’ search.
In the first instance, an organisation should always talk to the individual to find out what information they really want and, if possible, agree which search parameters should be applied. This is a legitimate tactic and is reflected by the Act, which entitles an organisation to ask for further information to ‘locate the information which that person seeks’ (s 7(3)). A request to a large organisation for ‘all information relating to me’ might not fulfil that requirement if, for example, the organisation can’t identify who might have sent e-mails containing personal information about the individual, what data might exist on back-up tapes etc.
In many cases this process should narrow the scope of the search considerably. However, if no agreement can be reached then the organisation will need to determine the scope of the search itself. This will normally involve providing information that clearly relates to the individual and is readily available (for example, a copy of the individual’s personnel file) and limiting the search for other information based on one or more of the following parameters:
• limiting the date ranges of the search
• excluding some or all back-up information
• where email is involved, only searching a limited number of mail boxes most relevant to the request and/or
• limiting the search terms used.
In setting the parameters, the organisation should consider whether this constitutes a reasonable and proportionate search. This will depend on the circumstances but an organisation should consider:
• the likelihood that such information exists (as many requests seem to be fishing expeditions for the proverbial ‘smoking gun’ that in most cases won’t exist);
• the value or importance of that information to the individual;
• the cost and expense of locating that information and subsequently reviewing it to determine if it is disclosable;
• whether the information is intended for use in litigation. While pending litigation does not invalidate a subject access request, it may still be more appropriate for the individual to obtain that information using the normal discovery process.

Suzanne Rodway is Privacy Director at Barclays. Peter Church is a Solicitor at Linklaters LLP.