Court of Appeal provides guidance on responding to subject access requests
The Court of Appeal has given important guidance on the obligations of data controllers when responding to subject access requests.
The Court ruled that an employer cannot refuse to comply with a request because the data subject has a collateral purpose in making the request (such as to assist them in litigation), nor on the basis that it was the data subject who provided them with the information in the first place (although these may be factors a court can take into account when deciding whether to order compliance). A data subject has the right to know the purpose for which their personal data is being processed and to whom it is being disclosed, so the fact that they have the data already is irrelevant. However, an employer’s obligation to search for personal data is limited to a reasonable and proportionate search. The fact that a more extensive search might reveal further personal data does not mean that a search is inadequate.
In Dawson-Damer v Taylor Wessing, Taylor Wessing (a firm of solicitors) refused to comply with a data subject access request, making a blanket assertion that the personal data was covered by legal professional privilege and therefore exempt from disclosure. In Deer v University of Oxford, the University refused to comply with part of a data subject access request, arguing that some of the data was covered by legal professional privilege and that in respect of other data requested Ms Deer already had the documents. In both cases, the data controller also argued that they did not have to comply as the data subject’s purpose in making the request was for a collateral purpose (to obtain disclosure for the purposes of litigation), rather than to ensure that their personal data was accurate and being processed lawfully.
The Court of Appeal ruled that:
- A data subject’s right to make a subject access request is not subject to any express test of purpose or motive and they are not required to state one. A data controller cannot therefore refuse to comply with a data subject access request, for example, because the data subject’s motive is to obtain documents for the purposes of litigation.
- Data is personal data if it (a) relates to a living individual and (b) the individual is identifiable from the data. The fact that it was the data subject who provided the data to the data controller does not stop it being personal data and a data subject is entitled to know the purposes for which their personal data is being processed and to whom it is being disclosed.
- A data controller’s obligation to search for personal data in response to a data subject access request is limited to a reasonable and proportionate search. Each case has to be evaluated on its facts to determine whether disproportionate effort is involved in finding and supplying the information, weighed against the benefit it could bring to the data subject. The proportionality rule cannot justify a blanket refusal to comply, but it does limit the scope of the efforts a data controller has to make. The fact that a more extensive search might reveal further personal data does not mean that a search is inadequate.
- It is wrong to say that there are no limits on a Court’s discretion when it comes to deciding whether to order compliance with a data subject access request. A Court must have regard to the purpose of the legislation and the principle of proportionality. In striking a balance between the rights of the data subject to have access to his personal data on the one hand, and the interests of the data controller on the other, the Court can take into account factors including:
  - Whether there was a more appropriate route to obtaining the requested information (such as disclosure in legal proceedings);
  - The nature and gravity of the breach;
  - The reason for making the subject access request;
  - Whether the application was an abuse of rights (for example, where the case is being pursued merely to impose a burden on the data controller) or is procedurally abusive (for example, where it has failed before);
  - Whether the request is really a request for documents, rather than personal data;
  - The potential benefit to the data subject. For example, if they have already received the data (otherwise than under a previous data subject access request), this may be a reason for refusing to exercise discretion in the data subject’s favour. On the other hand, if it is clear that the data subject legitimately wishes to check the accuracy of their personal data, then this will be a good reason for exercising discretion in their favour. If there are no material factors other than a valid subject access request and a breach of the data controller’s obligations, then the discretion will ordinarily be exercised in favour of the data subject.
On the face of it, there appears to be something of a disconnect between what employers should do and what the courts can require them to do when it comes to responding to subject access requests. Employers cannot refuse to comply with a data subject access request because the employee has a collateral purpose in making the request, for example to obtain information for the purposes of litigation. Nor can they refuse simply because the employee provided them with the data in the first place or because they have already provided it to the employee. Despite these constraints, these may well be relevant factors when it comes to a court deciding whether to exercise its discretion to order compliance. However, employers will not want to get to the stage of court proceedings in order to run these arguments. In addition, the Information Commissioner may not take them into account when deciding whether to take enforcement action.
The costs of complying with data subject access requests are often a bone of contention. In the Deer case, the University spent an eye-watering £116,116 in complying with Ms Deer’s request, and in addition was ordered to pay at least some of her costs. The most it could recover from her was £10. The Court’s view (derived from a general principle of EU law) that the obligation to search for personal data is limited to a reasonable and proportionate search should assist employers. In an interim hearing in the Deer case in 2014, the University had been ordered to carry out searches of its servers for emails between 22 named individuals between specified dates, and to search the servers used by five departments and faculties. This resulted in the University then having to review over half a million emails and other documents. We are certainly hopeful that, in light of the later judgment by the Court of Appeal, employers will have a stronger argument to resist conducting such a mammoth review, although we await commentary from the Information Commissioner as to whether this case may affect its enforcement strategy.