A fundamental principle of the Data Protection Directive 95/46/EC (implemented in the UK by the Data Protection Act (DPA)) is that an individual has the right to make a data subject access request (SAR) to find out what information a data controller holds about them.
In Durant v Financial Services Authority, the Court of Appeal held that the main purpose of subject access rights is to enable an individual to check whether their data is being processed unlawfully, in a way which infringes their privacy.
In this case, the following sections of the DPA are relevant:
- section 7(9) which provides that individuals may make an application to court alleging breach of the SAR rules and seeking an order for compliance;
- section 8(2) which provides that the information should be provided in an intelligible and permanent form, unless that is not possible or would involve disproportionate effort; and
- paragraph 10 of schedule 7 which provides that data controllers are exempt from the requirement to provide personal data in response to a SAR where a claim of legal professional privilege could be maintained in respect of the data.
An application to court under section 7(9) of the DPA was made by family members involved in ongoing litigation in the Bahamas brought by them against a Bahamian trustee company, which was a client of an international law firm (the Firm). SARs had been made by a mother and her two children for all data held about them by the Firm, as the litigation involved the Firm’s client’s actions in relation to the trust.
However, the Firm had not complied with the SARs, claiming that they were entitled to a blanket exemption for legal professional privilege under paragraph 10, Schedule 7 of the DPA. The Firm had also claimed that some of the information held was contained in unstructured manual files which were not a ‘relevant filing system’ for the purposes of the DPA, and, therefore, not relevant to the requests.
The High Court refused to make an order for compliance with the SARs.
Under the disproportionate effort exemption in section 8(2) of the DPA, and applying that exemption to the facts of this case, the High Court held that it was not reasonable or proportionate for the Firm to search files dating back at least 30 years. The Court held that the Firm should not have to carry out lengthy and costly searches to determine whether the information requested was protected by legal professional privilege in order to comply.
The Court also held that the legal professional privilege exemption in paragraph 10, Schedule 7 of the DPA should not be interpreted to provide the claimants with information or documents which may assist them in litigation.
The Court made further comments in relation to considerations in exercising discretion to order compliance with a SAR under section 7(9) of the DPA, abuse of process in bringing subject access requests and DPA relevant filing systems.
For example, in relation to exercising discretion to order compliance with a SAR under section 7(9) of the DPA, the Court applied Durant and held that the purpose of SARs under the DPA is to enable a data subject to check whether the data processing unlawfully infringes their privacy and allow them to take steps to protect it. It is not designed to enable data subjects to obtain discovery of documents that may assist them in litigation against third parties.
Also, although it was not necessary to make a finding on this point, the Court indicated that it would most likely have found that the Firm’s manual filing system which existed pre-2005 (when the Firm implemented its electronic filing system) would not have been a relevant filing system under the DPA. This was because the Firm had suggested that some of the information in their manual files was held loose-leaf in boxes containing lots of different categories of information that were unstructured in relation to individuals and not all filed chronologically.
This is a welcome decision for employers, as it has the potential to reduce the burden of responding to SARs. In particular, the decision opens the door for recipients of SARs to argue that they need not respond to a SAR if:
- there are ongoing or threatened legal proceedings in connection with the information that may be covered by the SAR (i.e. on the grounds that the SAR is an abuse of process); and/or
- the search for the information covered by the SAR is likely to be onerous (i.e. on the basis that the disproportionate effort exemption under s8(2) DPA applies).
Although either or both of these positions might be challenged, employers may consider that the risk of an applicant bringing a challenge is outweighed by the time and cost savings of not responding to the SAR initially.
However, it is worth being aware that the concept of “disproportionate effort” is not included in the Directive and there is no right for the member state to limit the scope of a SAR in this way. Therefore, as the Directive only allows restrictions on the usual public policy grounds (such as national security) and “for the protection of the rights of others”, there is an argument that section 8(2) of the DPA (the disproportionate effort exemption) does not comply with EU law.
Further, employers should remember that individuals can refer a failure to comply with a SAR to the Information Commissioner’s Office, where the response may well be more favourable to a SAR applicant than a SAR recipient.
The High Court’s decision has since been appealed and the Judge has indicated that the Court of Appeal may take a different view on the points of law discussed. The appeal is due to be heard by 31 October 2016.
Dawson-Damer & Ors v Taylor Wessing Ltd & Ors (2015), EWHC