Article: Subject Access Requests – recent cases and the GDPR

The last couple of years have seen a steady increase in enforcement action and prominent court cases involving subject access requests (“SARs”) under the Data Protection Act 1998 (“DPA”). These include:

  • several High Court decisions in 2015 and 2016 considering whether the steps required to respond to a SAR are “reasonable and proportionate”, and the scope of the Court’s discretion to enforce SARs;
  • the first monetary penalty from the Information Commissioner’s Office (“ICO”) for a SAR-related breach, in August 2016; and
  • seven ICO enforcement notices between January and September 2016 requiring companies to comply with SARs.

Organisations are also starting to prepare for the new EU General Data Protection Regulation (“GDPR”), which will change some key aspects of how SARs need to be handled as from May 2018.

My last article on this topic was all the way back in 2013 (see Subject Access Requests – recent developments), so it also seems about time for me to provide an update!

This article therefore provides a summary of the recent cases and the upcoming GDPR changes, with some guidance to assist data controllers in deciding how to deal with some of the tricky issues arising.

Reasons and reasonableness – High Court cases

It is well-established that:

  • an individual does not have to specify their reason for making a SAR, and the DPA does not set out different requirements based on the reason; and
  • there is no general SAR exemption under the DPA for unreasonable or disproportionate requests[1].

However, in considering the application of the SAR right in practice, and their discretion on whether to order compliance with a SAR (under section 7(9) DPA), the Courts have considered the purposes of the SAR right[2], and whether, in the context of the particular case, it may be unreasonable or disproportionate for the data controller to take particular actions in response to the SAR.

Recent High Court cases include the following.

(a) Kololo v Commissioner of Police for the Metropolis [2015] EWHC 600 (QB) (9 March 2015)

An individual convicted and sentenced to death in Kenya sought access to personal data held by the Commissioner of Police for the Metropolis (“MPS”). The Court looked at the purpose behind the SAR in deciding whether to exercise its discretion under section 7(9) DPA to enforce it. The MPS argued that the SAR was an abuse of process, being an attempt to circumvent the provisions of a separate (crime-related) statute.

The Court found that there had been no such abuse of process but indicated that, if there had been, it would have exercised its discretion to refuse to order compliance with the SAR. In the context, however, the Court considered that the individual had a proper statutory purpose in making the SAR, namely to determine whether there were inaccuracies in the data held. Given that the individual had been sentenced to death, ordering the MPS to comply with the SAR under section 7(9) DPA was proportionate.

(b) Zaw Lin and Wai Phyo v Commissioner of Police for the Metropolis [2015] EWHC 2484 (25 August 2015)

Two individuals facing charges in Thailand sought access to personal data held by the Commissioner of Police for the Metropolis (“MPS”). The MPS sought to rely on the exemption under section 29 DPA (crime and taxation), on the basis that disclosure would be likely to prejudice the prevention or detection of crime and/or the apprehension or prosecution of offenders.

Much of the Court’s deliberation focused on the application of section 29, the burden and standard of proof required, and the assessment of proportionality in its application. However, the case also raised issues concerning the scope of the Court’s discretion to enforce a SAR under section 7(9) DPA. The Court must make its decision based on the principles of the DPA (in this case, with regard to the scope of the exemption under section 29) and the relevant background principles of the EU Directive and the European Convention on Human Rights, rather than having a broader, unfettered discretion. In the context, the Court found in favour of the MPS, and considered that it had applied section 29 correctly.

(c) Dawson-Damer & Ors v Taylor Wessing LLP & Ors [2015] EWHC 2366 (Ch) (06 August 2015)

The claimants sought access to personal data held by a law firm in connection with legal proceedings in the Bahamas against one of the law firm’s clients. The law firm sought to apply the exemption under paragraph 10 of Schedule 7 DPA, on the basis that the relevant data was protected by legal professional privilege. The claimants argued that not all of the data would be covered by privilege, and that the law firm should go through all the documents to work out what was covered by privilege and what was not.

The Court considered that it would not be reasonable and proportionate to carry out this search (also bearing in mind the “modest” fee of £10 for the SAR). It observed that the purpose of the SAR right is not to enable discovery of documents that may assist in litigation; what is discoverable and what is not is more appropriately determined within the relevant litigation proceedings. As also noted in the Kololo case (see above), if the SAR is an abuse of process, this will be an important factor in the exercise of the Court’s discretion (under section 7(9) DPA) on whether to enforce it. The Court therefore dismissed the SAR application (although the case is now under appeal).

(d) Gurieva & Anor v Community Safety Development (UK) Ltd [2016] EWHC 643 (QB) (06 April 2016)

Two individuals applied to the Court to require a private investigator to comply with a SAR. As in the Dawson-Damer case (see above), the defendant argued that:

  • in considering the legal professional privilege exemption (under paragraph 10 of Schedule 7 DPA), it would be disproportionate to require it to seek legal advice on the application of the exemption in respect of each and every page it holds; and
  • the SAR represented a misuse of DPA rights as a device to gain a procedural advantage in criminal proceedings in Cyprus, and the Court should therefore exercise its discretion (under section 7(9) DPA) not to enforce the SAR, as it was an abuse of process.

However, in the context of this case, the Court found that it would not be disproportionate for the defendant to assess the application of legal professional privilege (and also the crime exemption under section 29 DPA). In relation to the exercise of its discretion, the judge made several points:

  • in general terms, the Court should not enquire into or permit investigation of the purpose for which a SAR has been made;
  • the discretion will ordinarily be exercised in favour of a claimant who has made a valid SAR; and
  • it had difficulty with the notion that the use of a SAR for the purpose of obtaining early access to information that might otherwise be obtained via disclosure in litigation is inherently improper.

The Court therefore found in favour of the claimants and did not consider that the SAR represented an abuse of the SAR right or an abuse of process.

These cases do not create an entirely clear position for data controllers. They give some scope for organisations to argue that the Court should not order compliance with a SAR where:

  • the response would require overly extensive searches or assessments of exemptions which are “unreasonable or disproportionate”; or
  • the reason for the individual making the SAR falls outside the intended purposes of the SAR right, and the request amounts to an abuse of that right and of the Court process.

However, it is clear that the threshold for these arguments is high, and a Court may in any case decide (in context) to require further steps to be taken to comply with the SAR. Whilst in extreme cases the above arguments may assist in court proceedings, an organisation’s SAR process should primarily seek to apply the statutory provisions of the DPA; in other words, carry out proper searches and fully assess the application of exemptions, regardless of the scope or purpose of the request.

Third party information – ICO monetary penalty

Under section 7(4) DPA, a data controller is not obliged to provide information in response to a SAR if it cannot do so without disclosing information relating to another individual, unless that other individual has consented or it is “reasonable in all the circumstances” to disclose it without consent. Whilst the “not obliged” wording indicates that the data controller has a choice whether to rely on this provision, if third party information is disclosed without consent or without an assessment of reasonableness, the disclosure may constitute an unlawful disclosure of personal data relating to the third party, in breach of other DPA requirements. This section therefore needs to be carefully applied in the context of each case.

The following monetary penalty from the ICO demonstrates that failure to apply the third party information rules correctly can constitute a serious breach of the DPA.

Regal Chambers Surgery monetary penalty notice (8 August 2016)

The ICO issued a monetary penalty of £40,000 against a GP surgery on 8 August 2016 for revealing confidential third party information in response to a SAR. The requestor was the father of a five-year-old child for whom he indicated he had parental responsibility (as evidenced by a court order). All of the child’s records were sent to the father in response to the SAR, including confidential and sensitive information about the mother (from whom the father was divorced), the child, and another child who was not related to the father. The mother had previously asked the surgery not to inform the father of their whereabouts.

The ICO found that the surgery did not have an appropriate procedure for SARs, and that the request was not handled with appropriate supervision by suitably experienced staff, in particular in light of the highly sensitive information involving the mother and two children in vulnerable circumstances. This was deemed a serious breach of the seventh data protection principle under the DPA (appropriate technical and organisational security measures).

ICO enforcement notices

This year has seen a large number of enforcement notices from the ICO requiring data controllers to comply with SARs:

  • Martyn F Arthur Forensic Accountant Ltd (29 January 2016);
  • The Mint Condition Media Ltd trading as Hot Leads Factory (29 January 2016);
  • Wainwrights Estate Agents Limited (3 March 2016);
  • M I Wealth Management Limited (18 March 2016);
  • Debbie Urch t/a Kings Ransom (8 June 2016);
  • Consumer Finance Claims Ltd (7 July 2016); and
  • Poundstretcher Limited (5 September 2016).

GDPR SAR requirements

Article 15 of the GDPR provides a similar right of access to personal data as under the DPA, but changes the detail of the process. In particular:

  • The list of supporting information to be provided (in addition to a copy of the personal data itself) is more extensive than under the DPA. As well as the purposes, recipients, sources and logic behind automated decisions (as under section 7 DPA), the list includes the envisaged retention period, the existence of the various other rights of the data subject, and the safeguards applied to international data transfers.
  • The response must be provided free of charge, unlike under the DPA, which allows a fee of (in most cases) up to £10. However, a “reasonable fee” may be charged (or the request refused) if the request is manifestly unfounded or excessive, and a reasonable fee may be charged for further copies of the personal data.
  • The GDPR contemplates that requests may be made and responses given orally (provided the identity of the data subject is proven by other means), unlike under the DPA, which requires requests to be made in writing and the information to be provided in a permanent form.
  • The response must be provided without undue delay and in any event within one month, rather than within the 40 calendar days allowed under the DPA. However, the period may be extended by a further two months “where necessary”, taking into account the complexity and number of the requests.
  • The requirements relating to the format in which information is provided go beyond those of the DPA. The information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. If the request is made by electronic means, the response must (unless the data subject requests otherwise) be provided in a commonly used electronic form. The recitals suggest providing remote access to a secure system where possible.

It is also worth noting that, in addition to the SAR right, Article 20 of the GDPR provides a right to data portability where the processing is carried out by automated means and is based on consent or on necessity for a contract. This gives individuals the right to receive their personal data in a structured, commonly used and machine-readable format, and the right to transmit that data to another controller without hindrance.

Organisations may not want to change their SAR processes to comply with these (more stringent) requirements before they are needed. However, as with other GDPR requirements, it may be beneficial to start assessing the impact of these changes on procedures, budget and resources now, and to decide on the steps to take to ensure compliance from May 2018.

Olivia Whitcroft, principal of OBEP, 10 November 2016

[1] The “disproportionate effort” exemption under section 8(2)(a) DPA applies to providing a copy of the requested information in a permanent form; it is not generally considered to exempt data controllers from providing the requested information in another way, although some of the cases referred to in this article may give scope for a wider interpretation.

[2] To enable individuals to understand what data is being held about them, to check that it does not unlawfully affect their privacy, and, if required, to request correction of the information or take action to prevent damage or distress.

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details