Subject Access Requests: proportionality, collateral purposes and legal privilege
In the Big Data Society of the 21st Century, the difficulties in responding to subject access requests (SARs) have increased exponentially.
However, in the past 12 months the Courts have handed down a number of important judgements around SARs. These decisions provide welcome clarification as to the limits of SARs and the extent of data controllers’ obligations, in particular that a proportionate search is sufficient to locate a person’s information, but also that ulterior motives are irrelevant and application of the Legal Professional Privilege (LPP) exemption is limited.
The cases provide useful guidance for businesses facing SARs. The key practical points are summarised below.
Under the Data Protection Act 1998 (DPA), data controllers are obliged to provide individuals (data subjects), on request, with specified information about themselves, unless a relevant exemption applies. The right of access is considered a cornerstone of data protection law, enabling individuals to exercise a certain amount of control over the use of their personal data by organisations.
On receipt of a valid SAR, the data controller must locate that person’s information and respond with the requisite information within 40 days. The data controller may charge a maximum fee of £10.
Recent Case Decisions
Four key cases have recently clarified the law around SARs.
Holyoake v Candy EWHC 52 (QB) considered the extent of the obligation to search for the data, and the application of the legal professional privilege (LPP) exemption.
Dawson-Damer v Taylor Wessing LLP EWCA Civ 74 also considered the extent of the LPP exemption; whether the data controller could refuse to comply with a SAR where the information was required for a collateral purpose, namely proceedings in a separate jurisdiction; and whether searches requiring disproportionate effort would justify not ordering further enforcement.
In the conjoined cases of Ittihadieh v Cheyne and Deer v Oxford University EWCA Civ 121, the Court of Appeal considered collateral purposes and whether the individual was entitled to access information held in private email accounts.
Four Key Principles
- Data controllers must carry out a proportionate search – under the DPA data controllers are not obliged to provide a copy of the information where to do so would require disproportionate effort. There is no explicit limitation under the DPA to the searches the data controller must undertake to locate the data. However, these decisions show that the Courts are prepared to stretch the proportionality principle to apply to the searches that the organisation must undertake. Where a proportionate search has duly been carried out, the Court will be unwilling to further enforce an SAR. However, it is for the data controller to provide conclusive evidence that further searches would be disproportionate and unreasonable;
- Ulterior motives are irrelevant: the right of SAR is ‘purpose blind’ – In Dawson-Damer, there was concern that the applicant intended to use the information in proceedings in the Bahamas and, at first instance, this was held to be sufficient grounds for the SAR to be refused. However, the Court of Appeal held that the ulterior motive should not be a deciding factor and the SAR could not be declined on that basis. In Ittihadieh, this was reiterated and it was held that ‘s.7 of the DPA is not subject to any express purpose or motive test’. Earlier case law on this point (in particular, Durant v FSA) must now be disregarded. That said, however, the Court may exercise its discretion not to order compliance on the grounds that the SAR is an abuse of process. The fact of a collateral purpose (such as to obtain evidence in advance of litigation) would not amount to an abuse, but an intent purely to antagonise may be. The motive for making the request may also be taken into account when making a costs order;
- The LPP exemption should be applied narrowly – There is an exemption under the DPA for information subject to LPP. In Dawson-Damer, Arden LJ found that this should be interpreted as applying to legal proceedings within the United Kingdom. Therefore, the exemption only relieves a data controller from complying with a SAR with regard to data privileged under UK law. On a related point, the Court did not accept the assertion of legal privilege by a law firm over all documents held on behalf of its client. Any assertion of privilege must be targeted and not general in nature; and
- Information processed by an individual (for personal reasons) must be differentiated from information processed on an employer’s behalf – Both Holyoake and Ittihadieh concerned far-reaching SARs, including information held in private (as opposed to corporate) accounts. Individual employees and directors are not data controllers in their own right, and a SAR can only properly extend to their activities carried out on behalf of their employer. Where an employee has used a personal account for work, it is not unreasonable for the SAR to include a search of that account. However, there would need to be significant evidence that this was the case, and a company would not have a general right to access an employee’s or director’s private account.
Overall, these decisions provide important clarification for data controllers. The clarification that data controllers are obliged to carry out proportionate searches, and that these are (usually) limited to corporate accounts, is very welcome, and reduces the possibility of overly onerous SARs.
However, by confirming that ulterior motives are irrelevant, the Courts have potentially allowed for more SARs, regardless of their broader context and relevance. Employers that routinely resist SARs on the basis that they are a ‘fishing expedition’ for tribunal claims will need to rethink their approach.
It will be interesting to see how these clarifications are applied in future cases, and whether the interpretation of the UK Courts will remain good law once the General Data Protection Regulation (GDPR) is introduced in May 2018. Under the GDPR the SAR regime will be subject to further changes, including the abolition of the £10 fee for compliance and the reduction in the period for responding from 40 days to one month.