Data subject access requests: Latest essential advicePrint publication
The extent of a data controller’s obligations to respond to data subject access requests (DSARs), and in particular the interaction with legal privilege and litigation, has featured in a number of recent high profile cases. DSARs are increasingly being used tactically, both prior to and alongside the litigation process. As responsible data controllers handling often highly sensitive personal data, it is vitally important that all those operating in the retail financial services industry deal promptly and properly with DSARs.
Walker Morris’ Partner Louise Power, a specialist in retail financial services litigation and non-executive director of a local building society, reviews recent key DSAR judgments and offers her top tips for managing firms’ increasingly important risks and responsibilities.
DSARs – The rights in issue
The Data Protection Act 1998 (DPA) places an obligation on any data controller receiving a DSAR to provide individuals (or, data subjects) with a copy of their personal data and related information unless that is not possible or would involve disproportionate effort, or unless the data sought is privileged (or falls within another of the few limited exemptions). Data controllers may charge a maximum fee of £10 to cover the administration involved in complying with a DSAR and they must comply within 40 calendar days .
The extent of the data controller’s obligations when it comes to complying with DSARs has, however, been the source of some debate within the courts. The following key issues have now been addressed in recent cases:
- proportionality of searches and the ‘disproportionality exemption’;
- the extent and application of the ‘privilege exemption’;
- the relevance (or not) of the motive for making the DSAR; and
- the court’s discretion to compel compliance with a DSAR.
In Dawson-Damer & Ors v Taylor Wessing LLP  the claimants asked the court to compel the defendant law firm (TW) to comply with a DSAR made by the beneficiaries of a Bahamian trust. (The firm’s client was a trustee company and the DSAR was made in the context of an ongoing dispute between TW’s client and the beneficiaries.) Following a review of its files TW had refused to comply, simply citing that the data sought was subject to legal professional privilege.
Clarifying that the proportionality test applies not only to the actual copying and supply of information and documentation, but also to the level of the search that would be involved, the Court of Appeal stated that “the correct approach is to examine what steps a data controller has taken, and then to ask if it would be disproportionate to require further steps to be taken to comply with the individual’s right of access. The burden of proof is on the data controller to show that it has taken all reasonable steps to comply with a SAR request, and that it can rely on any specific exemptions to refuse to provide data“.
Finding for the claimants, the court also confirmed that there are substantial public policy reasons underpinning individuals’ DPA rights so that, where and so far as possible, DSARs should be enforced. The court stated that most data controllers are expected to understand their obligations to comply with DSARs and should have designed their systems to enable them to carry out searches to comply with DSARs relatively easily.
The Court of Appeal therefore indicated that it is likely to be a rare case in which the disproportionality exemption would apply.
In particular, in this case it was not sufficient for the data controller to simply make a blanket assertion of legal privilege in relation to its files; nor was it sufficient to assert that it was too difficult, costly or time-consuming to search through voluminous papers. TW had not provided evidence of the effort that it had carried out, nor the time, cost or indeed any plan of action that would be involved in complying with the DSAR. Neither had TW evidenced the basis on which it had reached its conclusions that the privilege exemption applied. The court held that TW had therefore failed to discharge its obligations as a data controller.
Also in Dawson-Damer, TW tried to establish a wide, interpretation of the DPA’s privilege exemption. TW argued that the privilege exemption  applied not just to documents that were privileged under English law but also, by analogy, to those documents held by it which were restricted from disclosure by virtue of the governing law of the trust document in dispute (that was, in this case, Bahamian trust law). TW submitted that the substantive effect of the relevant Bahamian law was the same as legal professional privilege, even though it was not actually legal professional privilege.
Rejecting this wide, purposive construction of the DPA, the Court of Appeal concluded that the privilege exception relieves a data controller from complying with a DSAR only if a claim to legal professional privilege can be maintained according to the law of any part of the UK. (For further detail and practical advice relating to privilege generally, please see our earlier article.)
Another aspect of the privilege exemption has also been clarified recently in Holyoake v Candy & Anor . Mr Holyoake claimed that Mr Candy had illegitimately relied on the privilege exemption to avoid a full response to Mr Holyoake’s DSARs (which were made in the context of an underlying dispute). Mr Holyoake attempted to rely on the ‘iniquity principle’ – that is, the principle that legal professional privilege may be disapplied if it is being used as cloak for crime or fraud.
Mr Holyoake alleged that the data/documents sought by him related to surveillance activities which Mr Candy had carried out against him which were tainted by criminal conduct, in that they breached Mr Holyoake’s data protection rights and/or his fundamental human right to privacy. Mr Holyoake argued that the alleged criminal conduct should prevent Mr Candy from invoking the privilege exemption.
Whilst the court acknowledged that the iniquity principle might validly displace the privilege exception as a means of avoiding the obligation to respond to a DSAR in the right circumstances, Mr Holyoake’s case floundered on its facts. The High Court confirmed that a claim to privilege will not be set aside on the basis of the iniquity principle unless there is at least a prima facie case of wrongdoing. The High Court decided that the facts of the case did not support Mr Holyoake’s allegation that a crime had been committed by way of DPA breaches. It further held that to extend the iniquity principle to cover potential breaches of human rights laws as per Mr Holyoake’s alternative case would be too radical and was not supported by any existing authority.
Motive for making a DSAR
In 2004 the Court of Appeal commented in the Durant  case that the purpose of the data subject access rights in the DPA was not to assist a person to obtain documents that may help him or her in litigation or complaints against others. That comment has since been cited as authority for the proposition that a DSAR would be invalid if it was made for the collateral purpose of assisting with litigation, or indeed for any purpose other than solely the verification of personal data.
In Dawson-Damer, however, the Court of Appeal has emphasised that neither the DPA, nor the EU Data Protection Directive (95/46/EC) from which it derives, limit the purpose for which a DSAR may be made. On the contrary, the DSAR regime is ‘purpose-blind’ and the court acknowledged that, in reality, it would be “odd” for there to be no collateral purpose behind the making of a DSAR. As a result, Dawson-Damer would therefore now seem to be reliable authority that (in the absence of abuse of process, at least) the motive behind the making of any DSAR should not matter and should not impact upon the data controller’s obligation to comply.
Firms should note, however, that that is not the end of the story…
…In the even more recent Deer case , a differently constituted Court of Appeal has considered the additional point that, under section 7 (9) DPA, the court has a discretion whether to compel a data controller to comply with a DSAR. The court’s focus on that discretion in Deer may have the effect of diluting slightly some of the conclusions reached in Dawson-Damer.
The Court of Appeal in Deer noted that the court must have regard to the general principle of proportionality which runs through EU law when exercising its section 7 (9) discretion, with a view to ensuring a fair balance between the right of the individual to have access to his personal data on the one hand, and the interests of the data controller faced with a DSAR on the other. The court decided that some of the (non-exhaustive) factors which can be taken into account include:
- whether there is a more appropriate route to obtaining the requested information (such as disclosure in legal proceedings);
- the nature and gravity of the breach and/or the level of prejudice suffered by the data subject;
- the reason for making the DSAR;
- whether the making of the DSAR amounts to an abuse of rights or procedural abuse;
- whether the request is really for documents rather than personal data;
- the potential benefit to the data subject.
Dawson-Damer is good news for data controllers to the extent that it confirms that proportionality can be taken into account when it comes to considering the time, cost and effort involved in not only copying and supplying information to a data subject, but also in conducting the search for data in the first place.
Less favourable is the authoritative confirmation that, if a data controller is going to refuse to comply with a DSAR, it will have to provide an explanation, and to adduce evidence, to support its claims to the disproportionality and privilege exemptions.
Otherwise, Dawson-Damer is a largely data subject-friendly decision. It confirms an expectation that data controllers will be aware of, and have systems in place to deal with, DSAR obligations, and suggests that, in the majority of cases, data controllers receiving DSARs will have to comply.
The judgment in Deer is cast in terms which largely mirror and support Dawson-Damer, with the court concluding paragraph 110 with the statement that “[i]f there are no material factors other than a [D]SAR in valid form and a breach of the data controller’s obligation to conduct a proportionate search, then the [court’s section 7 (9)] discretion will ordinarily be exercised in favour of the data subject“. However, in practice, Deer is likely to give data controllers some more ‘wiggle room’ when it comes to their decisions of whether, and how, to respond to DSARs.
DSARs are increasingly being used tactically, both prior to and alongside the litigation process. Here are our top tips for managing firms’ important risks and responsibilities:
- Education is essential. Apart from understanding the legal implications of a DSAR, staff should be trained to recognise, and respond appropriately to, receipt of a DSAR.
- The maximum administration charge that can be levied for dealing with a DSAR is £10. Firms must be aware of this, and may wish to build into their business planning and projections some lee-way for the irrecoverable time and cost that responding to DSARs is likely to involve.
- Firms should ascertain all of the various sources within which they hold or control personal data. They should then assess whether the data systems that they already operate are sufficiently quickly and easily searchable, so that responding to DSARs can be as cost-effective as possible.
- File management and document classification practices should be reviewed to see whether changes can be made, which may then assist whenever a ‘privilege exemption’ assessment is carried out. This might be particularly relevant for firms with in-house legal teams.
- The time limit for complying with a DSAR is 40 calendar days. Firms must be aware of this and ensure that their receipt and response protocols take account of this very tight timescale.
- Data controllers do have the option to request further information to clarify DSARs. Where possible, data controllers should make use of this option.
- Whenever a data controller wishes to rely on the disproportionality or the privilege exemption, it should be prepared to justify that decision, with evidence in support. To do that, an initial critical review of data held will need to be undertaken and recorded – a blanket assertion of privilege or that it would be too difficult, costly or time-consuming to search through voluminous papers will not suffice.
- Firms may also wish to assess DSARs received against the factors set out in Deer when deciding whether and how to respond (albeit noting that, if an institution gets its assessment wrong, it could face intervention from the Information Commissioner’s Office (ICO) and possible sanctions).
- In many cases it will be advisable for data controllers to take urgent specialist advice immediately upon receipt of a DSAR. This will be particularly important where there is any ongoing or underlying dispute, which may involve associated legal and tactical risks.
 of receipt of the request or, if later, of receipt of the fee and any further information which the data controller has reasonably requested in order to allow him to identify the person making the request and to locate the information sought
  EWCA Civ 74
 set out in paragraph 10, Schedule 7, DPA
  EWHC 52 (QB)
 Durant v Financial Services Authority  FSR 573
 Deer v University of Oxford and Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & Ors  EWCA Civ 121