Subject Access Requests: Four Key Cases

April 27, 2017

Over the last few months, the courts have handed down four
significant decisions which impact how data controllers (such as employers)
respond to subject access requests under the Data Protection Act 1998.

The decisions consider key practical issues such as the
extent of data controllers’ obligations to conduct searches to locate personal
data and the scope of the exemption for documents covered by legal privilege.

Background

The right of access to the personal data processed by a data
controller is enshrined in the DPA 1998, s 7. The purpose underlying the right is
to enable an individual to request the deletion or correction of personal data
in appropriate circumstances.

Over the years, the boundaries of the right have been tested
when individuals have submitted subject access requests (SARs) in the context
of litigation, or some wider dispute with the data controller, as a general
means of gaining access to information. Under the DPA 1998, the individual’s
motive for submitting a SAR is irrelevant, and the Information Commissioner’s
Office has followed this approach in its guidance, which has directed data
controllers to comply even where the SAR is made for a collateral purpose.
However, the courts also have a role to play in the enforcement of SARs, and
there has been a reluctance on the part of the courts to exercise their powers
where the SAR is too broad in nature or otherwise submitted to fuel a related
dispute between the parties. This has resulted in a degree of uncertainty
around how far a data controller must go in order to satisfy a SAR.

The Decisions

In four separate cases heard at the end of last year, the
Court of Appeal and High Court dissected the fundamental nature of the right of
access, and considered the extent to which a data controller is discharged from
complying with a SAR where an ulterior motive was at play, or where a data
controller had already conducted reasonable and proportionate searches in order
to locate personal data.

In Holyoake v Candy [2017] EWHC 52 (QB),
the High Court declined to enforce further compliance with a SAR as the data
controller had already carried out proportionate searches and properly applied
the privilege exemption. In Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74
and the jointly heard appeals in Ittihadieh v Cheyne and Deer v Oxford
University [2017] EWCA Civ 121, the Court of Appeal considered the limits on a data
controller’s obligations when responding to a SAR. In all four cases, there was
a broader dispute between the parties.

The following principles can be drawn from the decisions of
the Court of Appeal and the High Court:

  • The obligation is to carry out a proportionate search – A
    fundamental issue in these cases was whether a data controller is obliged to
    carry out only reasonable and proportionate searches in order to locate an
    individual’s personal data when responding to a SAR. The courts focused on the
    provisions of the DPA 1998 which discharge a data controller from supplying
    copies of documents in response to a SAR if this would involve ‘disproportionate
    effort’. Somewhat surprisingly, the courts stretched this proportionality
    principle to all aspects of a data controller’s efforts to respond to a SAR,
    including the often onerous task of searching for the individual’s personal
    data. It was recognised that even where a data controller is able to conduct
    electronic searches using keywords etc., human intervention is always needed to
    evaluate whether particular personal data should be disclosed. It is now clear
    that data controllers can consider issues such as time and cost to determine
    what amounts to a proportionate response to a SAR in any given case.
  • It is irrelevant if the requestor has an ulterior motive – The
    courts considered the arguments for and against a data controller being able to
    take account of an individual’s collateral purpose for submitting a SAR,
    particularly where separate legal proceedings between the parties were
    underway. Ultimately the courts were persuaded by the fact that the DPA 1998
    does not qualify the right to make a SAR by reference to the individual’s
    motive, ie the right is ‘purpose blind’. The earlier case law on this point (in
    particular, Durant v FSA [2003] EWCA Civ 1746) was disregarded. A data
    controller will now find little refuge in the
    argument that it does not need to respond to a SAR which is pursued for a
    collateral purpose. Interestingly, in Ittihadieh the Court of Appeal nonetheless
    recognised that there would be circumstances in which it should not exercise
    its discretion to enforce compliance with a SAR, for example if the SAR
    amounted to an abuse of process. This does not translate into the ability for a
    data controller to decline to respond to a SAR, however.
  • The exemption for legal professional privilege should be applied narrowly
    – In Dawson-Damer there was a question over whether
    this exemption should be interpreted broadly, for example to cover documents
    which a trustee could refuse to disclose under Bahamian trust law. The courts
    decided the exemption covered only documents in respect of which privilege
    could be asserted under UK law. On a related point, the court did not accept
    the law firm’s broad assertion of legal privilege over all documents held on
    behalf of their client, in circumstances where the firm suggested a search to
    locate any limited non-privileged documents would be disproportionate. It is
    important that any assertion of privilege to withhold documents containing the
    requestor’s personal data should be targeted and not general in nature.
  • There is a distinction between data processed by an individual on behalf of
    their employer and in a personal capacity – The
    SARs submitted in Holyoake and Ittihadieh were far-reaching in nature, and
    sought the disclosure of e-mails processed in private (as opposed to corporate)
    e-mail accounts. The courts underlined the principle that individual employees
    and directors are not data controllers in their own right, and a SAR can only
    properly extend to their activities carried out on behalf of their employer.
    This would exclude any obligation to search personal e-mail accounts of
    employees and directors, unless there was clear evidence that these accounts
    had been used for work-related purposes. As a separate point, in Ittihadieh the
    Court recognised the availability of the exemption for personal and household
    processing carried out by an individual; such processing is not covered by the
    DPA 1998 and accordingly there is no right of access to such data.

Conclusions

The decisions are a mixed bag for data controllers when
dealing with SARs. The clarification that data controllers are obliged to carry
out only proportionate searches is very welcome, and this provides a solid
basis to push back on SARs which are too far-reaching in nature. On the other
hand, the courts’ reluctance to limit the right where the SAR is made for a
collateral purpose will increase the burden on data controllers to comply with
SARs regardless of any broader context, for example even where this results in
a costly overlap with disclosure searches for the purposes of litigation.

With effect from May 2018, the SAR regime will be subject to
further changes as a result of the implementation of the General Data
Protection Regulation. These changes include the abolition of the maximum £10
fee for compliance, and a reduction in the period for compliance from 40 days
to one month.

Khurram Shamsee is a Partner in the Employment Department at
DAC Beachcroft: www.dacbeachcroft.com