Subject Access Requests: "not an obligation to leave no stone unturned"

White & Case Technology Newsflash

The English Court of Appeal has ruled in two recent cases that subject access requests are generally valid, and businesses must comply with such requests, even if they are made for collateral purposes, such as collecting information for use in litigation. However, the court also clarified that the subject access regime only requires businesses to conduct a reasonable and proportionate search – not an exhaustive search.

Individual claimants are increasingly using subject access requests ("SARs") as a weapon in litigation. A business that receives a valid SAR is obliged to either provide the requested information, or show that an exemption applies. The relevant exemptions are construed narrowly and, as a result, businesses should expect to have to comply with SARs in the majority of cases.


The facts

The Court of Appeal was asked to determine whether it is a breach of the Data Protection Act 1998 (the "1998 Act") to refuse to carry out searches in relation to a SAR on the grounds of proportionality, improper purpose and specific exemptions. The facts of Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74 relate to an on-going trust dispute in which the beneficiaries of certain Bahamian trusts issued SARs to the law firm Taylor Wessing. Taylor Wessing declined to provide the requested information, relying on the legal professional privilege ("LPP") exemption. The beneficiaries appealed.

In the combined cases of Ittihadieh v 5-11 Cheyne Gardens, and Deer v Oxford University [2017] EWCA Civ 121, Mr Ittihadieh became concerned that other residents of Cheyne Gardens had been keeping a file containing his personal data, during the course of various disputes he had with them. He submitted a SAR to the company that manages Cheyne Gardens and, in response, the company disclosed more than 400 documents. Mr Ittihadieh was not satisfied and brought a claim under section 7(9) 1998 Act. Under that section the court may exercise its discretion to order a business to comply with a SAR. The High Court refused to exercise this discretion against the other residents of Cheyne Gardens, on the basis that: (i) it was not established that the documents already disclosed by the management company had failed to provide all the information to which Mr Ittihadieh was entitled; and (ii) to make such an order would be disproportionate in the circumstances. Further, the other residents of Cheyne Gardens were entitled to rely on an exemption, on the basis that the data in question were processed only for the purposes of their personal, family, or household affairs. Mr Ittihadieh appealed.

Similarly, Dr Deer had submitted two SARs to Oxford University, stemming from an ongoing employment dispute. The University rejected several of Dr Deer's requests, but did disclose some information in response to two of the requests. In response to a claim under section 7(9) 1998 Act the University reviewed 500,000 documents at a cost of £116,116. An additional 33 documents containing Dr Deer's personal data were later disclosed. The High Court did not order the University to take any further steps, and Dr Deer appealed.


The court's decisions

In Dawson-Damer the Court of Appeal overturned the High Court's decision by finding differently on three key issues:

  • Purpose of the SAR – In previous cases, it had been argued that SARs should be issued for purposes connected with the 1998 Act, and for no other purpose (i.e., arguing that individuals should not be able to use SARs to gain information for the purposes of future litigation). The court rejected this argument and held that there is no limitation on the purposes for which an individual may request his or her personal data via a SAR. The court stated that, "There is no reason why having a collateral purpose should disqualify [an individual] from relief."
  • The court noted that a SAR could, in principle, amount to an abuse of process (which would invalidate the SAR) but held that no such abuse had arisen on the facts of this case. Furthermore, the mere fact that the individual making the SAR has a collateral purpose (e.g., the intent to use the disclosed information in litigation) does not normally establish that an abuse of process has occurred.
  • Disproportionate effort – Under the 1998 Act, the controller's obligations are qualified by the words "unless … the supply of such a copy is not possible or would involve disproportionate effort." The court held that the correct approach is to examine the steps that the controller has taken, and then to ask whether it would be disproportionate to require further steps. The test for proportionality includes a consideration of any difficulties that arise in the process of complying with the request (contrary to the Subject Access Code of Practice issued by the UK Information Commissioner's Office, which indicates that such process-related difficulties are not relevant to this test).
  • The burden of proof is on the controller to show that disproportionate effort is required. This means that any business that wishes to argue that compliance with a SAR would require disproportionate effort must first demonstrate that it faces significant practical difficulties in providing the requested information. On the facts, it was held that compliance by Taylor Wessing with the SAR would not involve disproportionate effort, and the firm needed to work out a plan of action to comply with the SAR.
  • The LPP exemption – The LPP exemption protects information that is subject to privilege (see the Court of Appeal's recent decision on that point, here). However, the LPP exemption does not apply to documents that are not protected by privilege. Where privilege is claimed under the laws of another jurisdiction, the LPP exemption only applies to documents that would be protected by privilege in the UK (i.e., the LPP exemption does not extend to privilege claimed under the laws of another jurisdiction if that privilege would not apply in the UK).

In Ittihadieh, the Court of Appeal dismissed both appeals and held as follows:

  • The definition of "personal data" – The question is not whether a given document is focussed on the individual but rather whether it contains personal data. The fact that an individual's name is mentioned in a document does not mean that the whole of the document constitutes personal data. If a document contains personal data, then those data (and not necessarily the whole document) must be disclosed in response to the SAR.
  • The court also held that a person's whereabouts on a particular day or at a particular time may amount to personal data. Further, information is not disqualified from being "personal data" merely because it has been supplied to the controller by the individual (i.e., a business may need to disclose to an individual, in response to a SAR, data that were originally provided to the business by the individual making the SAR).
  • The purpose of the SAR – The court noted that "the mere fact that a person has collateral purposes will not invalidate a SAR". In particular, the fact that the SAR is made in contemplation of legal proceedings does not automatically provide a ground for refusing to disclose the requested information.
  • A controller cannot refuse to disclose information in response to a SAR on the grounds that disclosure of that information will not tell the individual anything he did not already know (i.e., information that is responsive to the SAR must be disclosed even if that information is already within the knowledge of the individual making the SAR).
  • The domestic purposes exemption – The court noted that a balance must be struck between the competing rights of the individual and the controller. Personal data of Mr Ittihadieh held by the other residents of Cheyne Gardens in their capacity as directors of the management company of Cheyne Gardens may be disclosable in response to a SAR issued to the management company. However, personal data of Mr Ittihadieh that those residents held in a personal capacity, in connection with disputes with Mr Ittihadieh, would be exempt under the domestic purposes exemption.
  • A reasonable and proportionate search – The court noted that the obligation to comply with a SAR is only an obligation to conduct a reasonable and proportionate search. Specifically, "it is not an obligation to leave no stone unturned". A business responding to a SAR has satisfied its obligations provided that it has conducted a reasonable and proportionate search, even if there is a possibility that additional relevant personal data might still be found if a more extensive search were conducted.


Impact on businesses

These cases, together with the numerous other SAR cases we have reported over the last 12 months (e.g., see here, here and here) demonstrate that individuals are increasingly using SARs as a means of obtaining evidence for use in litigation, and that this tactic is viewed by the courts as being legitimate (absent an abuse of process). Businesses cannot refuse to disclose requested personal data solely on the basis that the data may be used to support a claim against the business, nor on the basis that the individual is already aware of the relevant data.

However, businesses should bear in mind that the subject access regime only imposes an obligation to provide copies of personal data, not necessarily the documents that contain those data. That is, it is only necessary to disclose the information that is actually about the individual – not all documents falling within the scope of the SAR. Information that does not constitute the personal data of the individual can be withheld or redacted, as appropriate.

In addition, businesses are only obliged to conduct a reasonable and proportionate search. The fact that a more extensive search might reveal additional relevant personal data does not necessarily mean that the business has not complied with its obligations, provided that it can show that the search it conducted was reasonable and proportionate. Moreover, when enforcement of the GDPR begins, on 25 May 2018, businesses will need to respond to SARs within 1 month (not the 40 days currently permitted). Consequently, businesses should take practical steps to design an efficient process for dealing with SARs.

Businesses seeking to rely on an exemption should do so carefully, as the available exemptions have been narrowly construed, and as noted above, are only likely to apply in limited situations. In the vast majority of cases, a business in receipt of a valid SAR will be obliged to provide the requested information.


Kimberly Sharp, a Trainee Solicitor at White & Case, assisted in the development of this publication.

This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2017 White & Case LLP