Important note - Since this blog was published, the General Data Protection Regulation (‘GDPR’) has come into force and the content of this blog has not been updated to reflect the new regime.
Two recent cases - Holyoake v Candy and CPC Group Limited and Dawson-Damer v Taylor Wessing LLP - considered a number of issues that are important in practice for subject access requests (SARs) under the Data Protection Act 1998 (DPA). Of particular interest is how these decisions affect the circumstances in which SARs can (or cannot) be legitimately resisted. We have drawn together the key lessons learned, which complement our earlier guidance.
Firstly, both cases are a useful reminder that the Information Commissioner (viewed by some as a slightly “toothless” regulator) is not the only route which can be pursued by data subjects who are not satisfied with the response to their SAR.
Under section 7(9) of the DPA, the court can order a data controller to comply with an SAR – the claimants in both cases above were seeking such an order, with the cost and time commitment that brings. The Dawson-Damer case is a Court of Appeal decision relating to a SAR made in August 2014, and it still has to go back to the High Court for the issues to be determined.
Although this is likely to be rare in an employment context, there is always the possibility that an employee will seek a court order to ensure compliance by their employer. As the law is clarified, employees may feel that the risk in bringing such litigation is reduced.
It is possible, under the DPA, to resist an SAR if the supply of the data is not possible or would involve disproportionate effort. Dawson-Damer gives some helpful guidance on what that means.
As many data controllers will know, compliance with a SAR is often time consuming and expensive - the current £10 fee barely begins to cover it. However, the court's acceptance that compliance need only be proportionate is probably not the salve for data controllers that one might initially think it is: in reality the bar to relying on this exception is relatively high.
The court noted: "so far as possible, SARs should be enforced. Moreover, most data controllers can be expected to know of their obligations to comply with SARs and to have designed their systems accordingly to enable them to make most searches for SAR purposes".
Taylor Wessing (the data controller in the case) had taken no steps to explain what it had done to identify the relevant material or to produce an action plan for compliance. Data controllers should be mindful that, at the very least, this would be required if they intended to rely on this exception.
Holyoake also discusses the extent of a company’s obligation to carry out searches in the context of SARs and the limitation of such searches to what is reasonable and proportionate in the circumstances. In this case, the court held that the searches undertaken had been reasonable and proportionate.
The claimant contended that the data controller should have searched the private email accounts of its directors. The court rejected that and said that, in general, a director may owe a duty to allow his company to access his personal email account if company business has been carried out from it. However, the company is not bound to do this unless there is a sufficient reason and there is no general right of access to check the position.
It has been a point of contention among lawyers since Durant v FSA whether using a SAR as an attempt to obtain disclosure of information to aid a claimant in other court proceedings was improper and had the effect of invalidating the SAR.
This issue, pending any appeal to the Supreme Court, seems to have been firmly put to bed by the Court of Appeal in Dawson-Damer. Unless there is an abuse of process (on which unfortunately there was no guidance), then a SAR will be valid even if there is on-going litigation.
Under the DPA, if information is covered by legal privilege, then it is exempt from disclosure.
In Dawson-Damer, it was clarified that this only applies to documents which are covered by privilege under English law.
Taylor Wessing was both the data controller for the purposes of this action and also an agent for a Bahamian trustee. The High Court had held that privilege could be interpreted purposively to cover documents which, under Bahamian trust law, were protected from disclosure by a trustee and so Taylor Wessing could rely on it to resist the SARs. That was overturned by the Court of Appeal.
Holyoake also touches on the issue of legal privilege as an exception to compliance, in particular, when and how the presence of ‘iniquity’ will displace such privilege. In essence, the bar to challenging privilege on this basis is high – a case of some serious wrongdoing (e.g. fraud) must be made out.
We are expecting a second Court of Appeal decision to be handed down shortly. It is anticipated that this case will also provide further insight into SARs, the relevance of motive and the extent of the search required.
As we noted here, data controllers should be mindful of the need to prepare for the new data protection regime following the introduction of the EU’s General Data Protection Regulation.
We have previously published our ‘Top 10 Tips’ for both making and responding to subject access requests (“SARs”) under the Data Protection Act 1998 (“DPA”).
Should you have any SAR, GDPR and Data Protection queries please contact our data protection team.