Data protection update: GDPR one year on, data subject access requests and the data protection fee


One year on, are you still GDPR-ready?
The EU General Data Protection Regulation (GDPR) arrived with much fanfare just over a year ago, introducing – among other things – new and enhanced rights for individuals in relation to their personal data. The UK’s Information Commissioner had this to say in her recent blog post GDPR – one year on:
“People have woken up to the new rights the GDPR delivers, with increased protection for the public and increased obligations for organisations. But there is much more still to do to build the public’s trust and confidence. With the initial hard work of preparing for and implementing the GDPR behind us, there are ongoing challenges of operationalising and normalising the new regime. This is true for businesses and organisations of all sizes.”
As we move into the second year of GDPR, the Commissioner says that the focus must be “beyond baseline compliance”:
“…organisations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated. Well-supported and resourced DPOs [data protection officers] are central to effective accountability. Strong accountability frameworks are the backbone of formalising the move of our profession away from box ticking. They reflect that people increasingly demand to be shown how their data is being used, and how it is being looked after. They are an opportunity for data protection to be an enabler of growth and innovation whilst building people’s trust and confidence in the way their information is handled.”
Specific requirements in relation to documentation and record-keeping are one part of this universal principle of accountability under the new regime. It is about being proactive, organised, evidencing the steps taken to ensure compliance and adopting a ‘data protection by design and by default’ approach – moving away from box ticking and embedding data protection considerations into the organisation’s operations.
Much of the focus and commentary has been on the eye-watering level of fines which data protection regulators can impose under GDPR – up to 4 per cent of annual global turnover or €20 million, whichever is the greater, for violations relating to fundamental failings, such as breaches of any of the basic principles for processing personal data and breaches of data subjects’ rights.
To date, the only financial penalty to meet those expectations is the record €50 million fine handed to Google LLC by France’s national data protection regulator in relation to complaints over the issue of forced consent. The company was fined for lack of transparency, inadequate information and lack of valid consent regarding ad personalisation. However, the indications are that we will soon see the first wave of post-GDPR enforcement action emerging as Europe’s data protection regulators start to complete the many investigations they have been working on over the past year.
The UK’s Information Commissioner also stresses in her more detailed update that enforcing GDPR is not just about big fines, but about using all the tools set out in the Regulatory Action Policy of the Information Commissioner’s Office (ICO). One of the ICO’s stated objectives is to be effective, proportionate, dissuasive and consistent in its application of sanctions, targeting its most significant powers on organisations and individuals suspected of repeated or wilful misconduct or serious failures to take proper steps to protect personal data.
In the rest of this newsletter, which is relevant for all data controllers, we take a look at two recent cases providing useful guidance on the handling of data subject access requests and the courts’ approach. We also highlight the recent dismissal of Farrow & Ball’s appeal against a penalty notice for failure to pay its data protection fee, which sets a robust tone for the enforcement of penalty notices.
Now would be a good time for organisations of all sizes to take stock, to review their policies, procedures and customer/supplier contracts, and to refresh staff training, incorporating any learning points from the past year to ensure continued GDPR compliance.
Should you have any queries or require any assistance in relation to any aspect of GDPR compliance, including conducting a data protection audit, please do not hesitate to contact Jeanette or Andrew.

Data subject access requests: Lessons from recent cases
In the current climate, and emboldened by the EU General Data Protection Regulation (GDPR), individuals have become increasingly aware of, and are exercising, their rights as data subjects. This includes the right to access their personal data, to find out what data is held and how it is used, by making a data subject access request (DSAR) to the data controller or processor. In this briefing, Walker Morris data protection and privacy experts Jeanette Burgess and Andrew Northage consider two recent cases providing useful guidance on the handling of DSARs and the courts’ approach. While both cases concern the right of access under the old data protection regime, they are nevertheless likely to be relevant post-GDPR.
The decision in Rudd v Bridle
In Rudd v Bridle & Anor [1], the claimant was a medical expert on the science of exposure to asbestos and acted as claimant expert witness in damages actions for disease attributed to such exposure. He pleaded that the defendant, who was a campaigner for the asbestos industry, had been engaged with other unknown parties in a calculated attempt to discredit and intimidate him. This included a complaint made to the General Medical Council (GMC). The claimant was said to have been party to a massive fraud on the courts and innocent businesses by falsely claiming expertise and falsifying evidence. DSARs and “cease and desist” notices were sent to the defendant and later to a company controlled by the defendant and his son.
The defendant asserted that all relevant activities were undertaken by him on behalf of the company, in his capacity as director, and that the company was the data controller. He also sought to rely on journalism, regulatory activity and legal professional privilege exemptions. The claimant submitted, among other things, that the defendant’s disclosure failed to identify the source or the recipients of the personal data. The court upheld the claimant’s claim that the defendant’s responses were inadequate, and ordered the defendant to provide further information.
The following key points arise from the judgment:
- A reminder that the data subject’s right is to the provision of information, not documents.
- The claimant was entitled to be provided with a description of the recipients of his personal data, but not their identities. If disclosure has been or will be made to a class, a description of the class will suffice (e.g. “the readership of the Daily Globe”), but if there is a single recipient, the data controller must describe that recipient (e.g. “a medical practitioner”). Here, there was no indication of the nature or status of the person, firm or company to whom the emails in question were sent.
- On a separate but related point, the identities of third parties presented in the personal data as collaborators or partners in, or victims of, the claimant’s alleged fraud formed an integral part of the claimant’s personal data. In contrast, the identities of those who received the personal data did not qualify as part of the claimant’s personal data because this was not information relating to him.
- Decisions on whether to disclose individuals’ third-party data must be made on a case-by-case, not blanket, basis. Here, there was no evidence or indication that the relevant analysis had been conducted.
- Information as to the identity of the source of the claimant’s personal data held or otherwise processed by the defendant did not form part of that personal data. The information did not relate to the claimant.
- Separate from the issue as to whether source information counts as personal data, controllers are required to provide to the data subject any information available to them as to the source of the personal data being processed. It was clear on the face of the evidence and the disclosure provided that the defendant had information as to the sources of the claimant’s personal data which had not been disclosed. The judge gave the example of the defendant having been provided by lawyers with copies of the claimant’s expert witness reports. He said that the defendant “must know who those lawyers are”. It is not clear from the judgment whether disclosure would have extended to the names of individual lawyers (subject to the usual considerations as to disclosure of individuals’ third-party data), or whether the name of the law firm would suffice to meet the requirements.
- Information can be presented in “intelligible form” without the need to provide its full context, or even the whole of the sentence in which it appears.
- The requirement to provide a description of the purposes of the processing does not mean that it has to be done on a document-by-document or item-by-item basis. The essence of the right is to know what the data controller is doing or intends to do with personal data relating to the data subject.
- There was no evidence capable of supporting the claim to the journalism exemption. Journalism is a broad concept but it does not extend to every activity to do with conveying information or opinions. A short passage in the defendant’s witness statement did not address the essential requirements and it was not sufficient to say that the defendant’s solicitors had concluded that the material was covered by the exemption. In addition, the solicitor who concluded that the exemption was applicable must have relied on the defendant, who was found by the court to be an unreliable witness.
- The defendant failed to make out the case for applying the regulatory activity exemption. While it was not necessary for him to resolve the issue, the judge was inclined to think that the wording indicated that only processing by a regulatory body itself was covered. No explanation was offered as to why compliance with the DSAR would be prejudicial to the proper discharge of the GMC’s functions. It was difficult to see how the argument could be sustained over three years after the GMC rejected the complaint against the claimant. In other circumstances, if appropriately verified by the court, the fact that the defendant’s solicitors had reviewed and assessed the underlying material, before concluding that reliance could be placed on the exemption, might lead to the conclusion that it was made out. However, the solicitor concerned was dependent on instructions from the defendant (who was unreliable) and there was very limited evidence about the assessment process carried out.
- The evidence, although sparse, was sufficient to justify a claim to legal advice privilege, but did not satisfy the judge that the relevant principles had been applied in relation to a claim to litigation privilege [2]. The defendant’s evidence failed to address any of the relevant criteria, and the defendant’s solicitors’ evidence did not explain how the solicitor concerned reached the conclusion that the relevant tests were satisfied. Again, the judge inferred that the solicitor relied on the defendant, who was an unreliable source.
- As to whether the data controller was the defendant or the company, at the material times the defendant controlled what was being done with the data and why. The claimant’s personal data was not in reality being held by or dealt with by the company, or for the company’s purposes, at the direction or under the control of the defendant as director. It was held, used and disclosed under the control of the defendant acting in a different capacity, for purposes that were not aspects of the company’s commercial activity.
- Finally, when determining what issues could fairly and properly be tried, the judge said it was “a matter for dismay” that the parties had “generated such a procedural muddle”. Among other things, the pleaded case did not raise the question of whether and if so why the processing of the claimant’s personal data was unwarranted. In addition, although the claimant asserted a claim for compensation, the particulars of claim contained no factual assertions capable of supporting such a claim.
Dawson-Damer v Taylor Wessing revisited
We reported in an earlier briefing on the Court of Appeal decision in Dawson-Damer & Ors v Taylor Wessing LLP [3] concerning the claimants’ application to compel the defendant law firm to comply with a DSAR. The defendant’s client was trustee of a number of Bahamian trusts and the DSAR was made in the context of an ongoing dispute between that client and the beneficiaries. The Court of Appeal decided a number of issues, but the case went back to the High Court for resolution of certain other issues [4]. The following key points arise from the judgment.
‘Relevant filing system’
The defendant agreed to review nine paper files for personal data relating to the claimants, but refused to search, among others, a further 35 paper files which were in chronological order on the grounds that they fell outside the definition of a “relevant filing system” under data protection legislation. Following a decision of the Court of Justice of the European Union (CJEU) [5], the court agreed that three separate and cumulative elements are required: the data must be structured by reference to specific criteria; the criteria must be “related to individuals”; and the specific criteria must enable the data to be easily retrieved.
Here, the client description used on the 35 files clearly related to trusts in which one or all of the claimants were potential beneficiaries, and was a criterion allowing access to personal data. This was also sufficient to satisfy the second element. As to whether the criteria enabled the data to be easily retrieved, it was not unduly onerous for someone to turn the pages of the files in order to locate the personal data. The defendant had already performed exactly the same exercise in relation to files it had already examined. In addition, as the defendant had been able to sufficiently identify the personal data relating to the claimants within the paper files to advance a claim for legal professional privilege in relation to the majority of documents containing it, the retrievability of the data must have been a feature of the filing system.
It is important to note that the CJEU decision concerned the application of the Data Protection Directive, the predecessor to GDPR. It is possible that, applying the GDPR wording, it will not be necessary to apply the same elements. In any case, the judge in Dawson-Damer was conscious of the purpose of the Directive as a whole, which was to provide a high level of protection to the right of privacy in respect of the management of personal data by data controllers. He also noted that, since the right to the protection of personal data became enshrined as a fundamental right in EU law by the Charter of Fundamental Rights of the European Union (given legal effect in 2009), the focus is on the need for protection of the data subject, as opposed to the burden on the data controller. That focus is only likely to increase further under GDPR.
Privilege exemption
When the defendant’s client instructed the defendant to provide legal advice and received it, those communications were subject to legal professional privilege as a matter of English law. The first claimant argued that such privilege was a joint privilege between a beneficiary and a trustee under English law. The court agreed. However, it was common ground that Bahamian law governed the trust and the court found that this was the relevant law on which to consider whether the first claimant had a joint privilege. The court accepted the defendant’s submissions that, under the provisions of the relevant trust legislation, where Bahamian law applies to a trust, a beneficiary has no automatic right to see the legal advice to a trustee prior to any threatened litigation and no proprietary right to documents containing that advice, and so no joint privilege can exist under that law. The first claimant did not have any trust law rights which cut across, limited or qualified the trustee’s claim to legal professional privilege and the defendant could rely on the exemption. This is a discrete point which will be welcomed by offshore trustees.
‘Disproportionate effort’
The claimants sought a number of further searches. The defendant maintained that no further searches should be ordered to be conducted because this would involve disproportionate effort. In relation to a search for the claimants’ personal data in documents referred to in documents which had already been disclosed, the court agreed that the defendant had not served any evidence setting out the time and cost involved in conducting such a search. The claimants had requested a targeted search of identified documents and the defendant had not discharged its burden of showing it would be disproportionate. The defendant was ordered to carry out the search.
In relation to a search of electronic documents using seven additional search terms, the court agreed with the claimants that there was no evidence before it to show the number of hits or the proportions of new and potentially relevant documents. The defendant submitted that the additional search terms were too wide. By the time of the hearing, it had run the new search terms yielding just over 900 new documents. This did not establish that the requested search terms were too wide. No indication of the cost or time involved in reviewing the new documents was given and the defendant was ordered to carry out the search.
However, in relation to a search of the Mimecast platform (through which emails not saved to the defendant’s document management system could be retrieved), the court agreed that it would be disproportionate to require the defendant to do this work, given that Mimecast was only a backup system and the risks that the proposed searches would disclose confidential information or personal data about the defendant’s employees or other unrelated clients. It would also be disproportionate to require searches of ex-employees’ personal spaces for saving documents and emails, but a similar search was ordered in relation to currently employed relevant fee earners.
Note that the wording is different under GDPR and is arguably a higher bar for the controller to overcome. Where a request from a data subject is “manifestly unfounded or excessive”, in particular because of its repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request.
WM Comment
These are lengthy and detailed judgments demonstrating some of the complexities involved in responding to (and making) DSARs and providing helpful guidance on the courts’ approach. They serve as a timely reminder of the importance of having appropriate internal policies and procedures in place to deal with DSARs effectively and efficiently, and to ensure that staff are trained to recognise and escalate DSARs accordingly within the organisation. This is essential given that the time limit for complying with a DSAR is at the latest within one month of receipt. Consideration should be given to data systems, file management and document classification practices, and data controllers seeking to rely on exemptions or grounds for refusing to comply with a request will need to ensure that they can justify those decisions, with supporting evidence. The fact that DSARs are being used tactically, both prior to and alongside the litigation process, adds a further layer of complexity. In many cases it will be advisable to take urgent specialist advice to navigate the various risks involved.
Should you have any queries arising from the points covered in this briefing, or require any assistance, please do not hesitate to contact Jeanette or Andrew, who will be very happy to help.
_____________________
[1] [2019] EWHC 893 (QB)
[2] The judgment refers to the approach to be taken to claims for litigation privilege as summarised by Hamblen J in Starbev GP Ltd v Interbrew Central European Holdings [2013] EWHC 4048 (Comm) [11] and [12]. For further information on the different types of legal professional privilege and practical tips, see the Privilege chapter from our little green book of dispute resolution.
[3] [2017] EWCA Civ 74
[4] [2019] EWHC 1258 (Ch)
[5] re Tietosuojavaltuutettu (Case C-25/17)

Tribunal rejects administrative oversight excuse for failure to pay data protection fee
In the first decision of its kind, the information rights tribunal (the Tribunal) recently dismissed an appeal against the £4,000 penalty notice issued to paint and wallpaper manufacturer Farrow & Ball for failure to pay the required data protection fee [1]. The Tribunal dismissed the company’s plea that the penalty should be waived, and held that administrative oversight was not a reasonable excuse for non-compliance with its obligations. Walker Morris data protection experts Jeanette Burgess and Andrew Northage explain.
Background
Changes to the way the Information Commissioner’s Office (ICO) is funded came into force at the same time as the EU General Data Protection Regulation on 25 May 2018. There is no longer a requirement to notify or register with the ICO on an annual basis, but there is a legal requirement for data controllers to pay the ICO an annual ‘data protection fee’ unless they are exempt [2]. There is a three-tier structure based on number of staff, annual turnover, and whether the organisation is a public authority, charity or small occupational pension scheme. The new fees range from £40 at tier 1 to £2,900 at tier 3. The ICO will treat all controllers as eligible for tier 3 (‘large organisations’) unless and until told otherwise. Once the fee is paid, the organisation is added to the ICO’s register of data controllers. The ICO has the power to serve monetary penalties on those who fail to pay.
Facts and appeal
As a data controller, Farrow & Ball was required, within a set timescale, to provide the ICO with specified information including staff and turnover figures to determine the relevant fee, and to pay the tier 3 fee of £2,900. The company missed the compliance deadline of 9 August 2018, and failed to respond to a subsequent notice of intent served by the ICO, resulting in the ICO issuing it with a £4,000 fixed penalty notice on 28 November 2018.
Farrow & Ball appealed against the penalty on the grounds that failure to pay was an innocent mistake, and requested that the Tribunal waive the penalty notice. The company argued that: a reminder was sent while the company’s representative was on holiday and a further reminder should have been issued; the ICO wrote to the company secretary but the correspondence was not recognised as important internally; and the ICO was contacted promptly once the error was spotted and the fee paid immediately. It also argued that the Information Commissioner should have exercised her discretion differently in relation to the penalty amount.
The Information Commissioner resisted the appeal, submitting that the penalty regime was established by Parliament, there was no requirement to issue reminders and, while it was accepted that the company’s failure to comply was due to an oversight, imposing a penalty was appropriate in all the circumstances. The company was a data controller prior to the new legislation coming into force, had paid the relevant fees under the earlier legislation and so should have had relevant administrative systems in place.
The Tribunal’s decision
The Tribunal accepted that Farrow & Ball’s representative was on holiday at the relevant time, that correspondence was not identified by others in the office as important, and that payment of the fee was made promptly once the default was discovered. It noted that, in appeals against fixed penalty notices issued by another civil regulator, the pensions regulator, tribunal judges have frequently adopted the approach of asking whether the defaulting party has a “reasonable excuse” for their default. Applying that approach in this case, the Tribunal concluded that Farrow & Ball had not advanced a reasonable excuse for its failure to comply. A reasonable data controller would have systems in place to comply with the relevant legislation, and Farrow & Ball had pointed to no particular difficulty or misfortune which would explain its departure from the expected standards of a reasonable data controller.
The Tribunal also upheld the amount of the penalty, reasoning that reducing it would not incentivise greater compliance in the circumstances of this case, where human error appeared to have been the main factor. In addition, Farrow & Ball had not presented any evidence of financial hardship that could affect the penalty. The appeal was dismissed and the penalty notice confirmed.
WM Comment
This decision sets a robust tone for the enforcement of penalty notices. An argument that failure to pay was an innocent mistake due to administrative oversight is likely to be given short shrift on appeal. The decision underlines the importance of implementing appropriate internal procedures and staff training and awareness programmes to ensure straightforward deadlines and payments are not missed.
Aside from avoiding being served with a penalty notice and the reputational damage and adverse headlines that could follow, payment of the required data protection fee indicates to customers and those you do business with that you take your other data protection responsibilities seriously too, including how you treat their data. According to the ICO’s Deputy CEO, members of the public and other companies check the register of data controllers before they decide to do business. Note that earlier this year the ICO began listing those organisations issued with a penalty notice for non-payment.
Walker Morris has a highly experienced team which is able to advise on all aspects of data protection compliance. Should you have any queries arising from this briefing, or require any assistance with the creation of suitable internal policies and procedures, please contact Jeanette or Andrew, who will be very happy to help.
__________________
[1] Farrow & Ball Limited v The Information Commissioner (EA/2018/0269)
[2] The Data Protection (Charges and Information) Regulations 2018