Subject Access Requests in the UK - An Update

 
February 21, 2017

This OnPoint reports on the Court of Appeal judgment in Dawson-Damer & Ors v Taylor Wessing LLP, handed down on 16 February 2017, which addresses two key aspects of the legislation enabling individuals to lodge subject access requests. In short, there are two key messages from this decision for data controllers. First, in a dispute about whether the data controller has conducted a sufficient search, the data controller needs to show what searches it has conducted and bears the burden of showing that a further search is disproportionate. Second, the motive of the person for making a SAR is irrelevant to whether the subject access request is valid and should be complied with. 

Introduction 

Individuals have the right to make a subject access request (“SAR”) to a data controller pursuant to section 7 of the Data Protection Act 1998. Subject to the detailed requirements of the legislation, including various exemptions from disclosure, a subject access request requires the data controller, amongst other things, to provide the individual with the personal data that the data controller holds about the individual. In the employment context in particular, SARs are used on occasions by individuals as a means of obtaining details of communications about and other material concerning the individual which, once disclosed, may be used as the basis for or to support a claim. In Dawson-Damer & Ors v Taylor Wessing LLP the Court of Appeal addressed the extent to which data controllers can resist a SAR on the basis that the search required in order to comply is disproportionate or that the request has been made for a “collateral purpose” such as to assist an employee in actual or contemplated litigation. 

Collateral purpose 

Data controllers seeking to resist SARs which they consider to be “fishing expeditions” have sought to argue that the courts should not require compliance with a SAR where it has a “collateral purpose” in addition to seeking disclosure of the personal data which the data controller holds - such as furthering litigation - even though the Information Commissioner takes the view, in its Code of Practice, that there is nothing in the legislation that limits the purpose for which a SAR can be made. 

In Dawson-Damer Lady Justice Arden rejected the suggestion that there is a “no other purpose” rule such that the court will not order compliance with a SAR if the person making the SAR proposes to use the information for some purpose other than verifying or collecting data held about the individual. Only where there are specific circumstances justifying the refusal of an order to comply with a SAR will the court not exercise its discretion to make such an order. The judgment of Auld LJ in the earlier case of Durant v FCA had been interpreted as suggesting that compliance should not be ordered where the individual lodging the SAR had an ulterior motive for making the request. However, in Dawson-Damer it was clarified that Auld LJ’s observations in Durant in effect made the point that the right to make a SAR was not established to assist parties to litigation but rather to enable an individual to obtain readily accessible personal data. Nonetheless if a SAR is an abuse of process – perhaps because disclosure is ongoing in specific proceedings – the court may decline to make an order. 

Unless it is successfully appealed, the Dawson-Damer decision appears now to settle the question of the relevance to the validity of a SAR of the motive of the person making it – employers cannot easily resist SARs on the basis that the person making the request does so with a view to actual or potential litigation by seeking information which might substantiate or support a claim. 

Disproportionate effort 

SARs can put employers to very considerable effort not only in locating and identifying potentially disclosable information but also in assessing whether material which the employer holds is actually disclosable or whether one of the potential exemptions, such as legal privilege, applies. Employers often seek to argue that complying with a SAR will entail disproportionate effort. One way in which that concern can be addressed is by seeking to narrow the scope of the SAR whether by reference to a specific time-frame, agreed search terms or specific individuals within the employer’s organisation. 

The Information Commissioner’s Code of Practice makes clear that employers are expected to make extensive efforts to find and retrieve information, although they are not required to do things that are unreasonable or disproportionate to the importance of providing the information. In Dawson-Damer, the Court of Appeal made clear that the correct approach when considering this issue is to examine what steps the data controller has taken and to ask if it would be disproportionate to require further steps to be taken to comply with the individual’s right of access to his or her personal data. The burden of proof is on the data controller and it is not enough simply to assert that it is too difficult to search through voluminous papers. In this case the defendant could not argue that compliance would involve disproportionate effort since it had relied on the legal professional privilege exemption to refuse compliance and had not conducted a sufficient review of the potentially disclosable material to be able to argue that compliance with the SAR would involve disproportionate effort. 

By contrast, in the recent High Court decision of Holyoake v Candy and another (24 January 2017), the argument that a data controller had not properly complied with its obligations in relation to a SAR failed, in circumstances where the searches actually conducted extended to a review of over 17,000 individual documents and involved time charges in excess of £37,000. Warby J held that the data controller's implied obligation to carry out a search on receipt of a SAR is limited to what is reasonable and proportionate.

In that case the question also arose of whether the private email accounts of directors should have been reviewed. There was no evidence in this case that the individuals in question had used private email accounts. It was held that if a company director uses a personal email account in relation to the company's business, then the individual may owe the company a duty to allow access if necessary to enable the company to comply with a SAR. However, the company is not required to enquire about the position without sufficient reason to do so. 

Conclusion 

The Dawson-Damer decision emphasises the need for employers to consider carefully – and at an early stage – how they are going to deal with a SAR to avoid complaints of breach either to the Information Commissioner or to court. Considering whether a SAR can be narrowed in scope, whether any of the exemptions – such as legal privilege and management planning – apply and the extent of the search – in terms of where material may be located – can be crucial. Employers need to appreciate that they cannot resist a SAR just on the basis it is a fishing expedition, that they cannot easily resist compliance on the basis of the effort involved and that it can be important to increase awareness amongst staff of the potential disclosability of their emails and other communications in response to a SAR.
