The last couple of years has seen a steady increase in enforcement action and prominent court cases involving subject access requests (“SARs”) under the Data Protection Act 1998 (“DPA”). These include:
Organisations are also starting to prepare for the new EU General Data Protection Regulation (“GDPR”), which will change some key aspects of how SARs need to be handled as from May 2018.
My last article on this topic was all the way back in 2013 (see Subject Access Requests – recent developments), so it also seems about time for me to provide an update!
This article therefore provides a summary of the recent cases and the upcoming GDPR changes, with some guidance to assist data controllers in deciding how to deal with some of the tricky issues arising.
It is well-established that:
However, in considering the application of the SAR right in practice, and their discretion on whether to order compliance with a SAR (under section 7(9) DPA), the Courts have considered the purposes of having the SAR right [2], and whether, in the context of the particular case, it may be unreasonable or disproportionate for the data controller to take particular actions in response to the SAR.
Recent High Court cases include the following.
An individual with a conviction in Kenya (who had been sentenced to death) sought access to personal data held by the Commissioner of Police for the Metropolis (“MPS”). The Court looked at the purpose behind the SAR in deciding whether to exercise its discretion under section 7(9) DPA to enforce it. The MPS claimed that the SAR had been an abuse of process, as an attempt to circumvent the provisions of a separate (crime-related) statute.
The Court found that there had been no such abuse of process but, if there had, it would have refused to order compliance with the SAR using its discretion. In the context, however, the Court considered that the individual had a proper statutory purpose to make the SAR, which was to determine whether there were inaccuracies in the data held. Given that the individual had been sentenced to death, ordering the MPS to comply with the SAR under section 7(9) DPA was proportionate.
Two individuals facing charges in Thailand sought access to personal data held by the Commissioner of Police for the Metropolis (“MPS”). MPS sought to rely on the SAR exemption under section 29 DPA, on the basis that the disclosure would be likely to prejudice the prevention or detection of crime and/or the apprehension or prosecution of offenders.
A lot of the Court’s deliberations focused on the application of section 29, the burden and standard of proof required, and the assessment of proportionality in its application. However, it also raised issues concerning the scope of the Court’s discretion to enforce a SAR under section 29 DPA. It must make its decision based on the principles of the DPA (in this case, with regard to the scope of the exemption under section 29) and the relevant background principles of the EU Directive and the European Convention on Human Rights, rather than having a broader unfettered discretion. In the context, the Court found in favour of MPS, and considered that it had applied section 29 correctly.
The claimant sought to obtain access to personal data held by a law firm in connection with legal proceedings in the Bahamas against one of the law firm’s clients. The law firm sought to apply the exemption under paragraph 10 of Schedule 7 DPA, on the basis that the relevant data was protected by legal professional privilege. The claimant argued that it wouldn’t all be covered by privilege, and that the law firm should go through all the documents to work out what was covered by privilege and what was not.
The Court considered that it would not be reasonable and proportionate to carry out this search (also bearing in mind the “modest” fee of £10 for the SAR). It noted that the purpose of the SAR right is not to enable discovery of documents that may assist in litigation; what is discoverable and what is not is more appropriately determined within the relevant litigation proceedings. As also raised in the Kololo case (see above), if the SAR is an abuse of process, this will be an important factor in the exercise of the Court’s discretion (under section 7(9) DPA) on whether to enforce a SAR. The Court therefore dismissed the SAR application (although the case is now under appeal).
Two individuals made an application to the Court to require a private investigator to comply with a SAR. With similarities to the Dawson-Damer case (see above), the defendant argued that:
However, in the context of this case, the Court found that it would not be disproportionate for the defendant to assess the application of legal professional privilege (and also the crime exemption under section 29 DPA). In relation to the exercise of its discretion, the judge raised several points:
The Court therefore found in favour of the claimants and did not consider that the SAR represented an abuse of the SAR right or an abuse of process.
These cases do not create an entirely clear position for data controllers! They give some scope for organisations to argue that the Court should not order compliance with a SAR where:
However, it is clear that the threshold to meet these criteria will be high, and a Court may in any case decide (in context) to require further steps to be taken to comply with the SAR. Whilst in extreme cases the above arguments may assist in court proceedings, an organisation’s SAR process should primarily seek to apply the statutory provisions of the DPA; in other words, carrying out proper searches and fully assessing the application of exemptions, regardless of the scope or purpose of the request which has been made.
Under section 7(4) DPA, a data controller is not obliged to provide information in response to a SAR if it cannot do so without disclosing information relating to another individual, unless that other individual has consented or it is “reasonable in all the circumstances” to do so. Whilst the “not obliged” wording indicates the data controller has a choice whether to apply it, if such third party information is disclosed without consent or an assessment of reasonableness, the disclosure may constitute an unlawful disclosure of personal data relating to the third party individual, in breach of other DPA requirements. This section therefore needs to be carefully applied in the context of each case.
The following monetary penalty from the ICO demonstrates that failure to apply the third party information rules correctly can constitute a serious breach of the DPA.
The ICO issued a monetary penalty of £40,000 against a GP surgery on 8 August 2016 for revealing confidential third party information in response to a SAR. The requestor was the father of a five-year-old child for whom he indicated he had parental responsibility (as evidenced by a court order). All of the child’s records were sent to the father in response to the SAR, which included confidential and sensitive information about the mother (from whom the father was divorced), the child, and another child who was not blood-related to the father. The mother had previously requested that the surgery not inform the father of their whereabouts.
The ICO found that the surgery did not have an appropriate procedure for SARs, nor did it apply appropriate supervision and experience, in particular in light of the highly sensitive information involving the mother and two children in vulnerable circumstances. This was deemed a serious breach of principle 7 of the DPA (organisational security).
This year, there has been a wealth of enforcement notices from the ICO requiring data controllers to comply with SARs:
Article 15 of the GDPR provides a similar right of access to personal data as under the DPA, but changes the detail of the process. In particular:
It is also worth noting that, in addition to the SAR right, Article 20 of the GDPR provides a right to data portability where the data is held electronically and the processing is based on consent or necessity for a contract. This gives individuals the right to receive their personal data in a structured, commonly used and machine-readable format, and the right to transmit that data to another controller without hindrance.
Organisations may not want to jump in and change their SAR processes to comply with these (more stringent) requirements before they are needed. However, as with other GDPR requirements, it may be beneficial to start assessing the impact of these changes on procedures, budget and resources, and deciding on the steps to take to ensure compliance as of May 2018.
Olivia Whitcroft, principal of OBEP, 10 November 2016
1 The “disproportionate effort” exemption under section 8(2)(a) DPA applies to providing a copy of the requested information in a permanent form; it is not generally considered to exempt data controllers from providing the requested information in another way, although some of the cases referred to in this article may give scope for a wider interpretation.
2 To enable individuals to understand what data is being held about them, to check it does not unlawfully affect their privacy, and, if required, to request correction of the information or take action to prevent damage or distress.
This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details