Case law: Clarity for organisations on responding to subject access requests under data protection law

Organisations considering how much effort to put into responding to a 'subject access request', including any human involvement and whether they need to supply documents as well as information, will benefit from recent Court of Appeal guidance.

Legal Alert

This update was published in Legal Alert - May 2017

Legal Alert is a monthly checklist from Atom Content Marketing highlighting new and pending laws, regulations, codes of practice and rulings that could have an impact on your business.

UK data protection law allows an individual to ask an organisation to disclose personal data it holds on the individual, although there are circumstances in which the organisation can refuse to comply. Such requests are called 'subject access requests' (SARs).

One exception is that organisations need not comply with a subject access request if it would involve 'disproportionate' effort. In a recent ruling, the Court of Appeal said this would rarely apply. It also said that organisations receiving SARs may not refuse to comply solely on grounds that the personal data provided could be used against them in potential or actual legal proceedings.

However, in two more recent rulings in which the Court of Appeal (CA) found that neighbours and a former employer respectively had complied adequately with SARs served on them, the CA qualified its statements.

The CA said the purpose of a SAR is to find out what information an organisation holds about the individual, not to obtain copies of, or otherwise access, the documents containing that information. As long as the organisation receiving the SAR provides the personal data that it holds, it need not provide the actual documents the personal data is in.

This can significantly reduce the value of making a SAR to an individual involved in a legal dispute with an organisation, as they may not necessarily see any of the organisation's documents.

The CA also gave useful guidance on the proportionality test, saying that the underlying assumption in data protection law is that personal data is accessible 'at the touch of a few buttons', but that this was generally not so.

The CA said:

  • An organisation could not use the proportionality test to refuse to comply with a SAR, but it could use it to justify a limit to the work it put in to respond to it. The fact that a more extensive search might have produced further personal data did not, of itself, mean that the first search was inadequate. Where there were many or complex documents, the court suggested the organisation discuss with the individual giving the SAR the parameters it planned to use when making its search
  • When assessing the work needed to respond to a SAR, it was relevant that automated searches inevitably required human involvement to identify whether, for instance, the personal data fell within an exception to data protection law so it did not have to be disclosed, or was protected under legal professional privilege. The CA suggested keeping a record of time spent on each SAR as evidence of the proportionality of the organisation's responses

The CA also set out questions to consider when deciding whether to order compliance, or further compliance, with a SAR, including:

  • Can the information be obtained in other, more appropriate ways, such as 'discovery' (disclosure of relevant documents in legal proceedings)?
  • Is the SAR an abuse of rights? For example, are the relevant legal proceedings an abuse of process, such as being brought solely to create trouble for the organisation?
  • Is the real purpose of the SAR to see documents rather than find out which personal data is held? If the personal data would be of no real value, it is likely the real motive is to obtain sight of documents
  • Does the individual already have the information they seek?
  • Did the individual create or receive the relevant document?

Operative date

  • Now

Recommendation

  • Organisations receiving a subject access request under data protection law should consider how much effort they need to put into responding to it, including any human involvement, and whether they need to supply documents as well as information

Case ref: Ittihadieh v 5-11 Cheyne Gardens [2017] EWCA Civ 121 and Deer v University of Oxford [2015] EWCA Civ 52

Disclaimer: This article from Atom Content Marketing is for general guidance only, for businesses in the United Kingdom governed by the laws of England. Atom Content Marketing, expert contributors and ICAEW (as distributor) disclaim all liability for any errors or omissions.