Greater clarity on data subject access requests
30 March 2017
A recent Court of Appeal decision has given clarity to data controllers in terms of the grounds on which they may refuse a data subject access request (“DSAR”), although the position is not always a helpful one.
The judgment contains three significant points of legal interpretation in relation to DSARs, from the civil courts’ perspective:
- A DSAR will not be invalid even if it is made for the collateral purpose of obtaining documents for use in litigation.
- The exemption which relieves data controllers from complying with a DSAR if there is legal professional privilege in the relevant data will apply only where the privilege exists according to UK law. It will not be sufficient that a document may be privileged under the law of another jurisdiction.
- The exemption under the Data Protection Act 1998 (“DPA”) which states that it is not necessary to supply personal data if to do so would involve disproportionate effort (section 8(2)) applies both to the search for the data and the supply of copies.
The first finding will hamper data controllers who want to argue that they do not need to comply with a DSAR where the documents will be used for the purposes of litigation. Such an argument was fairly common following the case of Durant v Financial Services Authority  EWCA Civ 1746, although the Information Commissioner’s Office (“ICO”) has for some time made clear that this approach is not correct. Nonetheless, this contention has remained a fairly common practice (but one that we have generally advised against!)
The Court of Appeal has now reinterpreted the relevant comments in Durant, which will make this argument more difficult to run in future and one that data controllers should generally avoid. A further downside of the judgment is that litigants may feel even more empowered in using DSARs in litigation, furthering a practice that is already common in employment claims.
More helpful is the Court of Appeal’s treatment of the exemption in section 8(2) of the DPA. This states that a DSAR must be complied with by supplying the data subject with a copy of the information in permanent form, unless the supply of such a copy is not possible or would involve disproportionate effort. In considering this exemption, the ICO’s Code of Practice suggests a distinction between searching for the information and providing a copy of it. The Code indicates that a data controller may be able to argue that providing copies of the data is disproportionate, but it would not be able to make this argument in respect of carrying out the searches themselves.
Clearly, this is not ideal for data controllers, for whom searching for, assessing and redacting data can be hugely time-consuming and expensive – more so, indeed, than the act of supplying copies. The Court of Appeal did not make the distinction suggested in the ICO Code, meaning it should now be open to data controllers to argue – at least in the civil courts - that both searching for and supplying information is disproportionate.
Unfortunately, however, it looks like the bar may be high for such an argument. The Court of Appeal’s judgment emphasises that the burden of proof is on the data controller to show it has taken all reasonable steps to comply with the request. Noting that the potential benefit of the supply of data to the individual must be weighed against the burden imposed on the controller, the Court also stated that “there are substantial public policy reasons for giving people control over data maintained about them…which must mean that where and so far as possible, [DSARs] should be enforced”.
Nonetheless, while such an argument may not be easy to make, it is now clear that proportionality can be used to place bounds on a search. It remains to be seen how disproportionate a potential search really has to be for a data controller properly to avoid undertaking it under section 8(2).
Finally, it is worth noting that this case really only gives us an insight into how the courts themselves will deal with this issue and the ICO may continue to draw a distinction between searching for and supplying the information. Data controllers who use the proportionality argument to reduce the scope of a search may therefore still face the wrath of the ICO – another reason to proceed with caution, despite the Court of Appeal’s judgment.
Dawson-Damer and others vTaylor Wessing LLP  EWCA Civ 74 – judgment available here