What is a Subject Access Request?
An individual whose data is being processed (a data subject) has the right to request copies of that data from the organisation that is processing it (the data controller) under the Data Protection Act 1998 (DPA). The data controller must respond within 40 calendar days and is entitled to charge the data subject a fee of £10.
The issue of how far a Subject Access Request obliges businesses to search for the relevant information has been debated several times by the courts. There have also been questions as to whether businesses are obliged to comply with Subject Access Requests that are vexatious or made solely in order to 'fish' for information with a view to future litigation. The decisions in Dawson-Damer v Taylor Wessing LLP and Ittihadieh v 5-11 Cheyne Gardens / Deer v University of Oxford have provided some clarity on these issues. We examine the outcome of each case and their impact on businesses.
Dawson-Damer v Taylor Wessing LLP
Mrs Dawson-Damer and her children were beneficiaries of a trust, of which Grampian was the sole trustee. The Dawson-Damer family were involved in legal proceedings against Grampian and made a Subject Access Request of Grampian’s solicitors, Taylor Wessing LLP (TW). TW refused, citing legal professional privilege.
In July 2015, the High Court decided that TW did not have to comply with the Subject Access Request on the basis that the search would have been disproportionately costly given the need to separate out all of the data protected by legal professional privilege.
Businesses were hopeful that the High Court’s decision signified a move by the courts to minimise the perceived burden of compliance with Subject Access Requests.
The appeal of the decision of the High Court was recently decided by the Court of Appeal as follows:
The ‘disproportionate effort’ exemption applies both to the search itself and to the provision of copies
Contrary to the Information Commissioner’s Office (ICO)’s Subject Access Code of Practice, the exemption from compliance where ‘disproportionate effort’ would be involved is not restricted to effort involved in providing copies but also includes the search for relevant personal data.
Businesses should therefore apply the concept of ‘proportionality’ to all aspects of the obligation to find and supply information. Whether or not compliance with a Subject Access Request involves disproportionate effort should be weighed up against the benefits that the provision of the information might bring to the data subject.
The threshold between proportionate and disproportionate effort is a high one
TW had not shown that it had gone far enough to comply with the Subject Access Request, and further compliance would not have involved disproportionate effort. If TW wished to rely on legal professional privilege then it would need to be willing to undertake the work required in order to establish legal professional privilege in each instance, rather than applying a blanket exemption. TW was not able to provide any evidence of the lengths that it had gone to in identifying the data and establishing a plan of action to comply with the request.
The data subject’s motive in making the Subject Access Request is not relevant
The Subject Access Request regime is ‘purpose blind’: data subjects are not limited as to the purposes for which they may make Subject Access Requests. The position might be different if the Subject Access Request was an abuse of process, however, merely having more than one purpose for making a Subject Access Request would not normally be an abuse of process.
For advice on the specific implications of this decision for non-UK trustees, offshore trustees should contact John Barnett or Suzanna Harvey.
On 3 March 2017, the Court of Appeal provided further guidance in the joined appeals of Deer v University of Oxford and Ittihadieh v 5-11 Cheyne Gardens [2017] EWCA Civ 121.
Deer v University of Oxford
Dr Deer, a former employee and student, brought sex discrimination claims against the University. In the course of the proceedings, she made a Subject Access Request which the University declined on the basis that Dr Deer sought to use the DPA as a proxy for obtaining disclosure for her litigation in the Employment Tribunal. When Dr Deer issued a claim against the University for failure to comply with the Subject Access Request, the judge concluded that none of the withheld material constituted Dr Deer’s personal information and exercised his discretion in favour of the University.
Ittihadieh v 5-11 Cheyne Gardens
Mr Ittihadieh was a member of RTM, the management company that managed the building in which he owned some flats. A dispute arose between Mr Ittihadieh and RTM's directors and Mr Ittihadieh made a Subject Access Request stating that he intended to bring proceedings against RTM for discrimination, harassment and victimisation. Although RTM claimed that the request was a fishing expedition and an abuse of process, it agreed to disclose 400 documents (some of which were redacted). Mr Ittihadieh subsequently issued proceedings against RTM for damages and an injunction; however the judge held that Mr Ittihadieh had failed to show that RTM’s disclosure was inadequate and refused his application.
Decision
Dr Deer and Mr Ittihadieh both appealed the judges’ decisions. The Court of Appeal held:
- Definition of 'personal data' – As set out in Durant v FSA [2003] EWCA Civ 1746, the mere fact that someone’s name is mentioned in a document does not without more mean that the document contains the individual’s personal data.
- Motive underlying Subject Access Request – The Court concluded that, as a matter of principle, if an applicant lacks a 'legitimate reason' for making a request, that can be a factor weighing against granting relief (although having a collateral purpose is not necessarily an absolute bar). The Court upheld the High Court’s decision that there should be a 25% reduction to the costs awarded to Dr Deer in view of the "essentially antagonistic" motives behind the Subject Access Request.
- Proportionality – While the principle of proportionality does not justify a blanket refusal to comply with a Subject Access Request, it does limit the scope of efforts that a data controller has to take to those that are reasonable and proportionate.
- Judge’s Discretion to Order Compliance – The Court provided a helpful analysis of the current law in this area and concluded that, in exercising its discretion to order or to decline to order a data controller to comply with a Subject Access Request, the court has to consider:
- whether there is a more appropriate route to obtaining the requested information
- the reason for the Subject Access Request
- whether the data subject has already received the relevant data or document through other means
- whether the request is an abuse of rights or procedure
- whether the request is really for documents rather than personal data
- the potential benefit to the data subject.
In both cases, the Court of Appeal dismissed the appeal on the basis that the exercise of the judge’s discretion was within the permissible range of decisions that they could have reached.
What does this mean for businesses?
The decision in Dawson-Damer v Taylor Wessing LLP is clearly data subject-friendly and more in tune with the approach of the ICO. However, businesses should welcome the clarification by the Court of Appeal that the 'disproportionate effort' exemption also applies to the extent of the obligation to search (and not just the obligation to provide copies, as indicated by the ICO).
The decision in Ittihadieh v 5-11 Cheyne Gardens / Deer v University of Oxford is significant in that it confirms the relevance of the data subject’s motive to the judge’s discretion under the DPA as to whether to order a data controller to comply with a Subject Access Request.
The fact of the reduction in costs in this case also indicates that arguments relating to motive will be relevant, not only to whether an applicant obtains relief, but also how their case on costs will be judged.
There will certainly be more to come from the courts on the application of the Subject Access Request regime.
The default position remains that businesses should continue to comply with Subject Access Requests "where and so far as possible".
This article was first published on 22 February 2017 and updated on 13 March 2017.