Case law update: subject access requests

12.04.2017

A series of recent judgments have provided some important clarifications and guidance for employers on a number of contentious subject access request (SAR) issues. However, as one might expect with the most heavily-litigated area of data protection law, uncertainty remains and certain issues will need to be resolved by the courts at a later date.
(i) The relevance of the data subject’s motive
The Court of Appeal (in Dawson-Damer and Ittihadieh/Deer) has confirmed that, barring an abuse of process (under EU doctrine or UK rules), it will be difficult for any employer to refuse an SAR, notwithstanding that it may be antagonistic or a simple “fishing expedition”. The court in Dawson-Damer held that there is no requirement that an SAR must have “no other purpose” than to access and verify the accuracy of personal data in order to be valid. Similarly, the judgment in Ittihadieh/Deer noted that having a collateral purpose will not invalidate an SAR where the individual also wishes to access and verify the accuracy of personal data – even where the SAR is made in connection with actual or contemplated litigation. That said, lacking a “legitimate basis” is a factor weighing against the granting of relief. The court held this point is “now put beyond doubt”.
However, it is worth noting that Mr Deer’s costs were reduced by 25 per cent due to his SAR being considered by the court to be “essentially antagonistic”.
(ii) Court’s discretion to refuse an SAR
Motive, however, is not the only factor to consider in the context of SARs. The court also has a general discretion whether to enforce an SAR, in respect of which the judgments in Dawson-Damer and Ittihadieh/Deer have provided useful (albeit somewhat conflicting) guidance. The court in Dawson-Damer endorsed the view that a court’s discretion should be “general and untrammelled”. In contrast, the court in Ittihadieh/Deer “had difficulty” with such a wide discretion, noting that the precedent fact that a controller has breached the Data Protection Act (DPA) will have a “significant bearing” on the manner in which discretion shall be exercised.
The court in Ittihadieh/Deer went on to helpfully outline some factors the courts will consider before deciding whether to exercise their discretion: (i) whether there is a more appropriate route for obtaining the information sought (such as by discovery in proceedings); (ii) the nature and gravity of the breach; (iii) the purpose and motive of the SAR (as discussed above); (iv) whether the SAR is procedurally abusive, e.g. it has failed previously; (v) whether the individual is already in possession of the information; (vi) if the information is of no real value, that may be a reason to refuse the SAR; and (vii) whether the objective of the SAR is in fact to obtain documents, not personal data, which would weigh against granting the SAR.
On this final point, employers should bear in mind that responding to an SAR involves the supply of personal data, not documents. Processes should be in place to ensure that additional documents and information are not inadvertently supplied which may grant a (soon to be former) employee an advantage in litigation. Similarly, the court also warned controllers against taking the view that mere provision of documents will meet the requirements of the DPA, under which descriptions must also be provided of the purposes for which the personal data is processed, recipients (or categories of recipients) to which the personal data may be disclosed, etc. Unless such information is abundantly clear from the (redacted) documents or information provided, it is often prudent for employers to accompany their SAR response with a cover letter outlining this information.
The current position under UK law perhaps is best reflected by the judgment in Ittihadieh/Deer which noted that “if there are no material factors other than an SAR in valid form and a breach of the data controller’s obligations” then the court’s discretion will generally be exercised in favour of the data subject.
(iii) What constitutes an adequate search?
Once it has been established that an employer must respond to an SAR, the question becomes one of the extent to which the employer must search for relevant personal data. On this point, the High Court in Holyoake has held that a controller must conduct only a “reasonable and proportionate” search for personal data on receipt of an SAR. It noted that this obligation will not in the ordinary course require a search of personal email accounts of directors or employees unless there are grounds to suspect such accounts have been used to process the requester’s personal data. On proportionality, the court in Dawson-Damer held that, in assessing whether responding to an SAR would involve “disproportionate effort”, all stages of the SAR response process (including the effort involved in searching for and locating personal data) should be taken into account. This broadens the scope of this exemption as it is currently set out in the ICO Subject Access Code of Practice, which limits its application only to the effort involved in supplying a copy of the personal data.
Whilst these favourable clarifications on searches are to be welcomed by employers, the judgment in Dawson-Damer makes clear that the threshold to be met to rely on this exemption is high. The court noted that “so far as possible, SARs should be enforced” and emphasised the importance of individuals’ rights under the Charter of Fundamental Rights. This underlines the importance of having systems in place to be able to deal with SARs promptly and efficiently, including the ability to comprehensively locate personal data; as the court noted “most data controllers can be expected to know of their obligations to comply with SARs and to have designed their systems accordingly to enable them to make most searches for SAR purposes”.
(iv) Application of the legal professional privilege exemption
In Holyoake, the High Court was unwilling to extend the iniquity principle (i.e. the principle that legal professional privilege (LPP) cannot be relied on to withhold evidence of a crime or fraud) to a breach of data protection/privacy rights. The court also noted that a “strong prima facie case” was needed to displace LPP rather than mere speculation as to criminality/fraud and that the court should inspect materials subject to LPP only as a last resort. This is a welcome (if unsurprising) endorsement of this important exemption. On a less positive note for employers, however, the court in Dawson-Damer confirmed that the LPP exemption applies only to materials in respect of which LPP could be claimed in the UK and this exemption did not extend to include materials subject to rules of non-disclosure. The court also confirmed that blanket reliance on the LPP exemption is inadequate and that reasonable and proportionate steps must be taken by the controller to ensure the exemption actually applies to the specific materials and information being withheld.
Conclusion
Whilst clarification and guidance in respect of “reasonable and proportionate” searches is to be welcomed by employers, the judgments are a timely reminder of the extent of data subjects’ rights under the DPA and that it is only in exceptional circumstances that an employer can avoid having to respond to an SAR (and bear the related effort and expense). With the General Data Protection Regulation (or the equivalent UK legislation post-Brexit) only serving to strengthen the position of data subjects, employers now more than ever must ensure they are prepared.