February 27, 2017

Complying with Data Subject Access Requests

There have been two recent Court of Appeal decisions on data subject access requests. We look at the guidance given by the Court of Appeal, and the implications of these decisions for employers.

An individual has the right to access data held about them and to check it is being processed lawfully.  To do this, an individual may make a Data Subject Access Request (or DSAR) to ask:

(i) whether data is being processed about him, for a description of the data, the purposes for which it is being processed and to whom it may be disclosed; and

(ii) for a copy of that personal data (which should be supplied in permanent form unless that is not possible or would involve disproportionate effort).

When faced with a DSAR, an initial search should be conducted and an assessment should be made to determine which of the resulting data constitutes the individual's personal data.  The search for personal data must be reasonable and proportionate but may be limited, if the effort to find and supply the document outweighs the benefit to the employee; and the purpose for which an individual is requesting personal data is not relevant (i.e.  the effort would be disproportionate).

There is no obligation to comply with a DSAR in relation to personal data that is subject to legal professional privilege.  Such data would include confidential communications between lawyers and their clients for the purpose of (i) seeking or giving legal advice or (ii) being used in litigation. Legally privileged documents do not need to be shown to a third party or the court. 

In the first case, Mrs Dawson-Damer is a beneficiary of a Bahamian trust and has been involved in an ongoing court case in the Bahamas against the trustee of the trust.  She and her two children submitted DSARs to the trustees' lawyers seeking personal data relating to them that was held by the law firm.  The law firm said that the personal data it held was covered by legal professional privilege and therefore exempted from disclosure.  The law firm included within this exemption the documents that its client, the trustee, could refuse to disclose to the beneficiaries under Bahamian trust law.  There was no clear evidence to show whether the law firm had undertaken any searches which would allow them to claim privilege in relation to all the documents and since there was a wide range of documents, it was possible that there was material which was not covered by legal professional privilege.   

The High Court previously decided that:

  • the law firm did not have to disclose any documents which the trustee could refuse to disclose to the beneficiaries under Bahamian trust law (as the legal professional privilege exception applied); and
  • it was not reasonable or proportionate for the solicitors to search over 30 years of files to determine whether the information requested was protected by legal professional privilege; and
  • since the Dawson-Damers intended to use the information in the Bahamian court case, and this was not a proper use of data protection law, the judge declined to enforce the request.

As a result of the High Court decision, the law firm was not required to comply with the DSAR.

However, the Court of Appeal took a very different view, deciding that:

  • the legal professional privilege exception applies only to documents which carry legal professional privilege for the purposes of English law. Bahamian trust law should not be taken into consideration;

  • disproportionate effort must involve something more than an assertion that it is too difficult to search through voluminous papers;

  • the disproportionate effort qualification applies to all stages of subject access compliance; and

  • the judge had been wrong to decline to enforce the request because the Dawson-Damers intended to use the information obtained in their Bahamian litigation. Previous cases have confirmed that an individual cannot claim that something is personal data in order to obtain that data to use against a third party in court.  However, if the data is personal data relating to the individual, the purpose for which they are requesting it should not be taken into account.

The result was that the law firm was required to comply with the DSAR.

Subsequent decision

A judgment on two similar cases (Deer v University of Oxford and Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd and Ors) was delivered very soon after the judgment in the Dawson-Damer case.  In the latest judgment, the court gave the following guidance:

  • An individual's personal data includes personal data originally provided by the individual.
  • There is no obligation to "leave no stone unturned" when searching for personal data. In other words, although on the one hand a blanket refusal to comply with a DSAR could not be justified, on the other, as long as a reasonable and proportionate search has been made, a more extensive search would not be required even if it would have revealed more personal data.
  • The motive for making a DSAR should not be taken into account when deciding whether to comply with the DSAR.However, it may be taken into account when deciding whether enough has been done to comply with a request.  Other factors that may be taken into account are:  whether there was a more appropriate route to obtaining the data (e.g. by disclosure in legal proceedings); whether the DSAR was an abuse of rights (e.g. made during legal proceedings for the purpose of putting additional pressure on the other party); whether the request was for documents rather than personal data; and the potential benefit to the individual.

What this means for employers

It is helpful that the court has clarified the use of the legal professional privilege exemption in data protection legislation (which helps employers determine the limits of compliance with a DSAR) – that this exception applies only to documents which carry legal professional privilege for the purposes of English law. 

It is important to remember that:

(i) each DSAR should be dealt with on a case by case basis and an employer faced with a DSAR must show that it has taken all reasonable steps to comply with it

(ii) the purpose for which personal data is requested should not be used as a reason to reject a DSAR

(iii) a DSAR should not be immediately rejected. An initial search should be undertaken, at least to determine the scope of the search required

(iv) the obligation on employers is to carry out a reasonable and proportionate search. When considering what is proportionate, the court will try to strike a balance between the rights of the individual as against the interests of the data controller

(v) there is an exemption in relation to supplying copy documents – employers can rely on this when the effort of supplying copy documents requires "disproportionate effort"

If you would like to learn more about this and other developments to data protection law, we will be discussing this topic at our workshop on 22 March 2017. For more information on this workshop and to register your interest please click here.