A recent decision of the High Court has highlighted the difference in approach taken by the Court and the ICO in respect of compliance with subject access requests.
The Data Protection Act 1998 gives individuals the right to request that data controllers provide them with a copy of any personal data held about them, subject to certain exemptions. The intended purpose of a subject access request is to enable the individual to verify the personal data held about them and the lawfulness of the processing of that data.
In Dawson-Damer v Taylor Wessing, subject access requests were made by three family members against law firm Taylor Wessing, the data controller. One of the family members was involved in litigation in the Bahamas with Taylor Wessing’s client, which was the Bahamian trustee of the family’s trust fund. Taylor Wessing did not comply with the subject access requests, claiming to be entitled to the exemption for legal professional privilege. As a result, the family members submitted an application to the court to make an order for compliance with the subject access requests.
The judge refused the application, holding that, amongst other points:
(i) Whilst there was no direct evidence of the motives in making the subject access requests, in the judge’s view, the real purpose of the subject access requests was to obtain information that may assist in connection with the litigation in the Bahamas. Such purpose was not a proper purpose for submitting a subject access request. This follows the decision of the County Court in 2012 in Elliott v Lloyds TSB Bank Plc & Anor, which decided that if it could be shown that “but for” the litigation the subject access request would not have been made, such request would be an abuse of process.
However, in contrast, the ICO’s subject access code of practice provides that data subjects do not have to inform the data controller of their reason for making the subject access request, nor what they intend to do with the information requested.
(ii) It was not reasonable or proportionate on the facts of the case for Taylor Wessing to carry out the necessary search to determine if any particular document was covered by legal professional privilege. In the circumstances, whether or not a document was protected by privilege depended on Bahamian law. As such, deciding whether a document was protected by privilege would be time consuming (and hence costly) and require consideration from skilled lawyers.
This reasoning is in contrast to the ICO’s view that a data controller need only supply such data as is found after a reasonable and proportionate search. The ICO’s guidance suggests that data controllers cannot refuse to deal with a subject access request simply because it will be an onerous task and time consuming to do so.
Employers as data controllers which have received subject access requests will be aware that such a request will be an administrative burden on the business. The decision in Dawson-Damer v Taylor Wessing is therefore likely to be welcomed by data controllers. However, the decision is at odds with the ICO’s guidance which suggests that data controllers should be prepared to make extensive efforts to find and retrieve the requested information, and even if a data controller can show that supplying a copy of information in permanent form would involve disproportionate effort, the data controller must still comply with the request in some other way.
It remains to be seen whether the ICO will revise its guidance in light of the court decisions. However, the ICO is unlikely to do so in the near future given that the judge acknowledged that the Court of Appeal might take a different view to that decided in Dawson-Damer v Taylor Wessing and granted permission to appeal. In the meantime, employers should take a cautious approach in following the decision of the High Court.