High Court considers the scope of Subject Access Requests and their exemptions

EU data protection law contains a powerful tool called a Subject Access Request ("SAR") which allows an individual to obtain copies of data about themselves, on demand, within a tight timeframe, and at low cost. Satisfying such requests is challenging for many businesses. In the latest in a series of cases exploring the obligation to disclose data in response to a SAR, the English High Court has provided guidance on the application of the available exemptions.

Businesses are facing an increasing number of SARs following the coming into force of the General Data Protection Regulation ("GDPR") and the increased public attention to privacy and data protection issues. In addition, a SAR can be very broad and can force a company to expend significant resources in locating, reviewing, redacting and disclosing relevant information. As a result, many businesses are increasingly keen to limit the scope of the personal data they must provide in response to a SAR, and are seeking to rely upon more exemptions in order to limit disclosure.

Unsurprisingly, the scope and validity of a SAR is often contested, especially where a dispute exists (or is likely to exist) between the individual and the business that holds the data. In the past few years, a series of High Court decisions have explored the extent to which a business can resist a SAR, or limit the information that must be disclosed to the individual making the SAR.

The facts

In Rudd v Bridle & Anor [2019] EWHC 893 (QB), the claimant, Dr Rudd, had issued SARs against the defendants, John Bridle and his company, J&S Bridle Limited. Dr Rudd had also issued a request that the defendants cease processing his personal data. The court noted that Dr Rudd is recognised as one of the UK's experts in asbestos exposure and provided expert witness testimony in a number of related cases. Mr Bridle, as a campaigner opposing Dr Rudd's view on the causal links between certain diseases and asbestos, had made complaints to the General Medical Council ("GMC") and the Secretary of State for Justice, claiming that Dr Rudd had been making falsified expert reports on the health risks associated with asbestos exposure. Mr Bridle sought to defend against the SAR on the basis that the majority of the personal data which Dr Rudd had requested was exempt from disclosure.

The High Court was asked to determine:

(a) whether the personal data requested under Dr Rudd's SAR were exempt from disclosure, on the basis of three claimed exemptions: the legal professional privilege exemption; the journalism exemption; and the regulatory proceedings exemption, and

(b) whether the recipients of the SAR were obliged to disclose copies of documents containing the relevant personal data, or whether the individual was only entitled to the information that directly constituted his personal data.

 

The court's decision

The High Court concluded that Mr Bridle, and not his company, was the controller of Dr Rudd's personal data as Mr Bridle had at all material times controlled what was being done with those data. The court relied in part on an Article 29 Working Party Opinion on the concepts of "controller" and "processor" which states that it is necessary to "look at the specific processing operations in question and understand who determines them, by [asking]…the questions 'why is this processing taking place? Who initiated it?'". The evidence, in the court's view, pointed in all cases to Mr Bridle being the controller. Turning to the question of whether the exemptions put forward by Mr Bridle could be relied upon, the court held that:

The Journalism Exemption

  • It is for a controller to establish that the relevant personal data were only being processed for journalistic purposes. Further, the concept of journalism cannot be "stretched to embrace every activity that has to do with conveying information or opinions", which the court believed Mr Bridle was attempting to do in this case.
  • Therefore, a business that wishes to resist a SAR on the basis of the journalism exemption must be able to demonstrate: (a) that the relevant personal data were only being used for "journalistic purposes, with a view to publication"; and (b) that these were the purposes intended by the controller, "which are matters of fact which require proof".

The Regulatory Proceedings Exemption

  • Mr Bridle had asserted that correspondence and documents passed to the GMC were exempt from disclosure in response to the SAR, as the personal data were processed to "[protect] members of the public against dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons authorised to carry on any profession or other activity".
  • After reviewing Guidance issued by the UK Information Commissioner's Office (the "ICO") on this exemption, the Court concluded that the regulatory proceedings exemption only applies where disclosure of the data "would be likely to prejudice the proper discharge of the relevant [regulatory] functions". Citing R (Lord) [2003] EWHC 2073, the Court concluded that a business that wished to resist a SAR on the basis of this exemption would need to demonstrate that disclosure of the requested personal data would have "a very significant and weighty chance of prejudice to the identified public interests".

The Legal Professional Privilege Exemption

  • The court highlighted that the legal professional privilege exemption is subject to a high threshold. Once again, the burden of proof falls on the business that is looking to resist a SAR on the basis of this exemption.
  • In the instant case, the Court was willing to accept that legal advice privilege applied in the context of advice provided to the defendant by solicitors. However, the Court was unwilling to accept that litigation privilege applied unless it could be shown that litigation was reasonably contemplated or anticipated, and that the relevant communications were prepared for the dominant purpose of enabling the provision of legal advice, or to enable evidence or information to be used in connection with the anticipated litigation. On the facts, Mr Bridle had failed to satisfy these criteria.

The obligation to identify other individuals in response to a SAR

A SAR only entitles the individual making the SAR to information that constitutes his or her own personal data. However, it is possible that information that falls within this category could also be the personal data of another person. For example, the statement "John said Fred was late" is the personal data of both John and Fred, as it conveys information about each of them. If Fred then issues a SAR seeking to know who said he had been late, it is important for a business to know whether it is obliged to reveal John's identity.

In the instant case, citing the ICO's Subject Access Code of Practice, the Court held that a business in receipt of a SAR "must not apply a blanket policy of withholding [the identities of other individuals]" in responding to a SAR, but must instead make a "detailed assessment of this issue". This would include, for example, contacting those individuals to enquire whether they would consent to the disclosure of their personal data in response to the SAR.

 

Impact on businesses

As a growing number of SARs are issued against businesses, it is likely that this judgment will join a growing body of English case law analysing the rights of individuals to gain access to their personal data, and the exemptions that businesses may rely upon to defend against disclosure of personal data that they hold. In light of the court's approach here, a business that wishes to rely upon an exemption should be mindful of the fact that it must establish, with supporting evidence, that the requirements of the relevant exemption are met. Failure to do so will likely result in a court concluding that the relevant exemption is not available, forcing the business to disclose the requested personal data.

Paula Melendez, a Trainee Solicitor at White & Case, assisted in the development of this publication.

 

This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2019 White & Case LLP