As you know, governments make laws and the courts interpret and apply them. This is demonstrated by some significant decisions recently handed down which affect how data controllers (such as employers) respond to SARs (subject access requests). These decisions considered key practical issues, such as the extent of data controllers’ obligations to conduct searches for data and which documents may be exempt on grounds of legal privilege.
In four separate cases (listed at the end of this article) the courts considered the right of access and the extent to which a data controller is discharged from complying with a SAR where an ulterior motive was at play, or where the data controller had already conducted reasonable and proportionate searches to locate the personal data. The following principles can be drawn from the decisions:
The obligation is to carry out a proportionate search
The Data Protection Act 1998 (DPA) allows a SAR to be refused if a “disproportionate effort” would be involved in meeting it.
The courts applied this principle to all aspects of a data controller’s efforts to respond to a SAR, including the often onerous task of searching for the individual’s personal data.
It was recognised that even where a data controller is able to conduct electronic searches using keywords etc., human intervention is always needed to evaluate whether particular personal data should be disclosed. The courts’ decisions now make clear that data controllers can take account of issues such as time and cost when determining what amounts to a proportionate response to a SAR.
It is irrelevant if the requestor has an ulterior motive
The courts considered the arguments for and against a data controller being able to take account of an individual’s reason for submitting a SAR, particularly where separate legal proceedings between the parties were underway.
The courts were persuaded by the fact that the Data Protection Act 1998 does not qualify the right to make a SAR by reference to the individual’s motive, i.e. the right is ‘purpose blind’.
There is a distinction between data processed by an individual on behalf of their employer and in a personal capacity
In one of these cases the SARs submitted were far-reaching in nature, and sought the disclosure of e-mails processed in private (as opposed to corporate) e-mail accounts. The courts underlined the principle that individual employees and directors are not data controllers in their own right, and a SAR can only properly extend to their activities carried out on behalf of their employer.
This would exclude any obligation to search the personal e-mail accounts of employees and directors, unless there was clear evidence that those accounts had been used for work-related purposes.
The decisions are a mixed bag for data controllers when dealing with SARs. The clarification that data controllers are obliged to carry out only proportionate searches is very welcome, and this provides a solid basis to push back on SARs which are too far-reaching in nature.
On the other hand, the courts’ reluctance to limit the right where the SAR is made for a collateral purpose will increase the burden on data controllers to comply with SARs regardless of any broader context, for example even where this results in a costly overlap with disclosure searches for the purposes of litigation.
With effect from May 2018, the SAR regime will be subject to further changes as a result of the implementation of the General Data Protection Regulation (GDPR). These changes include the abolition of the maximum £10 fee and a reduction in the period for compliance from 40 days to one month.
The cases are:
- Holyoake v Candy
- Dawson-Damer v Taylor Wessing LLP
- Ittihadieh v Cheyne
- Deer v Oxford University