Subject access requests – recent developments

Subject access requests or ‘SARs’ create headaches for a lot of organisations. Hours or days of time and expense can be incurred for each one (for the princely sum of £10 recoverable from the data subject). SARs go to the heart of what data protection is all about – to provide individuals with the ability to understand how data about them is being used. They remained the top reason for complaints to the regulator (the ICO) in the last year, demonstrating they are being widely used by individuals, and are taking up significant time and expense for the regulator as well as organisations.

Whilst publicity on data protection matters is commonly packed full of data security breaches and the associated monetary penalties, August 2013 was a month for interesting developments in relation to subject access requests. So, stepping aside from the favourite security topic, this article is a catch up on SARs.

  • On 8 August, the ICO published its new ‘Subject Access Code of Practice – Dealing with requests for individuals for personal information under the Data Protection Act 1998’. The Code provides useful guidance on the key requirements and elements of SARs, and encourages taking a positive approach to managing and handling requests.
  • On the same day, the High Court published its judgment In the matter of Southern Pacific Personal Loans Limited [2013] EWHC 2485 (Ch). This case considered whether a liquidator has responsibilities to respond to subject access requests from customers of the company in liquidation, and to retain data for such purposes. It was decided that a liquidator acts as an agent of the company and is not a separate data controller in its handling of the customers’ data. Further, it has no obligation to retain data solely for the purpose of SARs; indeed data protection obligations require it to dispose of personal data which is non longer needed for the business of the company. The judgment also has some interesting commentary on common SAR concerns.
  • On 28 August 2013, the ICO published details of an Undertaking given by Cardiff City Council to comply with subject access request requirements. Following a complaint by an individual that an SAR had not been dealt with in the 40 day time limit, the ICO investigated and found systemic failures to comply with SAR rights.

I have picked on a few common themes arising from these developments; topics which also arise frequently in SAR matters on which I advise.

  • Data not documents: The Code of Practice emphasises that the right of subject access is a right to see data rather than a right to see documents containing data. Relevant personal data can be extracted from a document to be provided to individuals as an alternative to providing a copy of the document itself. In the Southern Pacific case, a lot of the requests received were for full copies of documents. As the High Court observed, the data controller may decide to provide a copy of the document as the most practical way to provide the data, but there is no obligation to provide it.
  • Reason behind a request: The leading case of Durant v Financial Services Authority is not authority for allowing an organisation to refuse to comply with a subject access request because the purpose of the request goes beyond the core intention of the SAR right. Indeed the data subject need not specify any reason for the request. Both the Code of Practice and the Southern Pacific judgment highlight that SARs are often made to an organisation as a tool to obtain information for actual or contemplated litigation against that organisation (in the case of Southern Pacific, claims in respect of possible PPI mis-selling). A data controller is not exempted from the SAR obligation on this basis. However, the courts may exercise their discretion not to enforce the SAR in such circumstances, particularly where the Civil Procedure Rules may more appropriately determine the information to be disclosed. See also below in relation to the ICO’s discretion on enforcement.
  • Disproportionate effort: Organisations must make extensive efforts to search for and retrieve required data; the frequently quoted ‘disproportionate effort’ provision in the Data Protection Act does not affect this. Both the Code of Practice and the High Court highlight that this provision exempts the supply of the data in a permanent form, i.e. another form of providing data may be permitted where a disproportionate effort is involved to produce a permanent copy. Having said that, the ICO separately refers to the concept of ‘disproportionate’ in relation to its approach to enforcement – see next bullet point.
  • ICO enforcement: The Code of Practice contains some useful information on the ICO’s approach to enforcement. The ICO has discretion when to enforce and when not to enforce the provisions of the Data Protection Act. In several parts of the Code, there are hints as to circumstances where the ICO may consider it unreasonable to take enforcement action. Further the Code indicates that organisations “are not required to do things that would be unreasonable or disproportionate to the importance of providing subject access to the information.

    This may assist organisations where a data subject makes an unreasonable request for information beyond that which assists him to understand what is held about him, check it is accurate and not likely to cause him damage or distress, and ensure is not otherwise infringing on his privacy. However, caution should be exercised – as noted above, the reason behind a request does not affect the right of access, and individuals also have the option of taking matters to the court to enforce their rights.

    Finally, the fact that the ICO has the discretion not to enforce does not mean that a seemingly minor breach (such as slipping over the 40 day time limit to respond to a single SAR) will be swept under the carpet. As the Cardiff City Council Undertaking highlights, when the ICO investigates a complaint, it does not limit its investigations to the specific matter in question. The failure to respond within 40 days led to wider investigations into how SARs were handled, and regulatory action was subsequently taken.

Olivia Whitcroft, principal of OBEP, 21 September 2013

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details