Case law: Court clarifies duty to respond to subject access requests under UK data protection law
Organisations considering how to respond to a ‘subject access request’ will benefit from court guidance given in a recent ruling.
This update was published in Legal Alert - June 2019
Legal Alert is a monthly checklist from Atom Content Marketing highlighting new and pending laws, regulations, codes of practice and rulings that could have an impact on your business.
UK data protection law gives an individual (a ‘data subject’) a right to ask an organisation to disclose personal data it holds on them - although there are circumstances in which the organisation can refuse to comply. Such requests are called ‘subject access requests’ (SARs).
A medical expert on asbestos exposure served a SAR on a lobbyist for the asbestos industry. The lobbyist had alleged that the expert was part of a conspiracy to demonise white asbestos using false evidence. The expert believed that this was one element in a calculated attempt to discredit and intimidate him. The lobbyist provided information in response, but the expert argued that it was inadequate.
One item of information the expert asked for was details of the other parties he was alleged to have conspired with. The lobbyist argued that this information was not within the definition of the expert’s personal data, so he did not have to disclose it.
The court ruled that the identity of those other parties was part of the expert’s personal data. The information focused on him and was biographically significant, and should therefore be disclosed.
The expert had also requested the names of recipients of emails sent by the lobbyist which contained his personal data. However, the court said these did not have to be disclosed, though under data protection law and the Subject Access Code of Practice issued by the Information Commissioner’s Office, the expert did have a right to be given a description of recipients, such as ‘legal advisor’.
The court also ruled that the expert was entitled to be told the actual identity of the persons or bodies that had provided information about him to the lobbyist – not just a description. However, the court did not clarify whether, if the source was an individual within a company, the individual’s details had to be disclosed, or whether the company’s details would suffice. It is clear, though, that if an individual within a company is disclosed, either their consent must be obtained first, or it must be reasonable to disclose their details without their consent.
In relation to the obligation to disclose the purpose for which a data subject’s data is being processed, the court ruled that this does not have to be done document by document or item by item. It said that the essence of the right was simply to know what the data controller was doing or intending to do with the personal data generally.
Organisations receiving a SAR from an individual under data protection laws should ensure they disclose:
- the identities of third parties held by the organisation if that information is focused on the individual and is biographically significant;
- a description of recipients of emails containing the individual’s personal data (unless an exemption applies); and
- the reason they are processing that data, in general terms.

They must also comply with the Information Commissioner’s Code as specifically referred to by the court.
Case ref: Rudd v Bridle & Anor (Rev 1)  EWHC 893
Disclaimer: This article from Atom Content Marketing is for general guidance only, for businesses in the United Kingdom governed by the laws of England. Atom Content Marketing, expert contributors and ICAEW (as distributor) disclaim all liability for any errors or omissions.
Copyright © Atom Content Marketing