Data subject access requests: Lessons from recent cases
In the current climate, and emboldened by the EU General Data Protection Regulation (GDPR), individuals have become increasingly aware of, and are exercising, their rights as data subjects. This includes the right to access their personal data, to find out what data is held and how it is used, by making a data subject access request (DSAR) to the data controller or processor. In this briefing, Walker Morris data protection and privacy experts Jeanette Burgess and Andrew Northage consider two recent cases providing useful guidance on the handling of DSARs and the courts’ approach. While both cases concern the right of access under the old data protection regime, they are nevertheless likely to be relevant post-GDPR.
The decision in Rudd v Bridle
In Rudd v Bridle & Anor, the claimant was a medical expert on the science of exposure to asbestos and acted as claimant expert witness in damages actions for disease attributed to such exposure. He pleaded that the defendant, who was a campaigner for the asbestos industry, had been engaged with other unknown parties in a calculated attempt to discredit and intimidate him. This included a complaint made to the General Medical Council (GMC). The claimant was said to have been party to a massive fraud on the courts and innocent businesses by falsely claiming expertise and falsifying evidence. DSARs and “cease and desist” notices were sent to the defendant and later to a company controlled by the defendant and his son.
The defendant asserted that all relevant activities were undertaken by him on behalf of the company, in his capacity as director, and that the company was the data controller. He also sought to rely on journalism, regulatory activity and legal professional privilege exemptions. The claimant submitted, among other things, that the defendant’s disclosure failed to identify the source or the recipients of the personal data. The court upheld the claimant’s claim that the defendant’s responses were inadequate, and ordered the defendant to provide further information.
The following key points arise from the judgment:
- A reminder that the data subject’s right is to the provision of information, not documents.
- The claimant was entitled to be provided with a description of the recipients of his personal data, but not their identities. If disclosure has been or will be made to a class, a description of the class will suffice (e.g. “the readership of the Daily Globe”), but if there is a single recipient, the data controller must describe that recipient (e.g. “a medical practitioner”). Here, there was no indication of the nature or status of the person, firm or company to whom emails in question were sent.
- On a separate but related point, the identities of third parties presented in the personal data as collaborators or partners in, or victims of the claimant’s alleged fraud, formed an integral part of the claimant’s personal data. In contrast, the identities of those who received the personal data did not qualify as part of the claimant’s personal data because this was not information relating to him.
- Decisions on whether to disclose individuals’ third-party data must be made on a case-by-case, not blanket, basis. Here, there was no evidence or indication that the relevant analysis had been conducted.
- Information as to the identity of the source of the claimant’s personal data held or otherwise processed by the defendant did not form part of that personal data. The information did not relate to the claimant.
- Separate from the issue as to whether source information counts as personal data, controllers are required to provide to the data subject any information available to them as to the source of the personal data being processed. It was clear on the face of the evidence and the disclosure provided, that the defendant had information as to the sources of the claimant’s personal data, which had not been disclosed. The judge gave the example of the defendant having been provided by lawyers with copies of the claimant’s expert witness reports. He said that the defendant “must know who those lawyers are”. It is not clear from the judgment whether disclosure would have extended to the names of individual lawyers (subject to the usual considerations as to disclosure of individuals’ third-party data), or whether the name of the law firm would suffice to meet the requirements.
- Information can be presented in “intelligible form” without the need to provide its full context, or even the whole of the sentence in which it appears.
- The requirement to provide a description of the purposes of the processing does not mean that it has to be done on a document-by-document or item-by-item basis. The essence of the right is to know what the data controller is doing or intends to do with personal data relating to the data subject.
- There was no evidence capable of supporting the claim to the journalism exemption. Journalism is a broad concept but it does not extend to every activity to do with conveying information or opinions. A short passage in the defendant’s witness statement did not address the essential requirements and it was not sufficient to say that the defendant’s solicitors had concluded that the material was covered by the exemption. In addition, the solicitor who concluded that the exemption was applicable must have relied on the defendant, who was found by the court to be an unreliable witness.
- The defendant failed to make out the case for applying the regulatory activity exemption. While it was not necessary for him to resolve the issue, the judge was inclined to think that the wording indicated that only processing by a regulatory body itself was covered. No explanation was offered as to why compliance with the DSAR would be prejudicial to the proper discharge of the GMC’s functions. It was difficult to see how the argument could be sustained over three years after the GMC rejected the complaint against the claimant. In other circumstances, if appropriately verified by the court, the fact that the defendant’s solicitors had reviewed and assessed the underlying material, before concluding that reliance could be placed on the exemption, might lead to the conclusion that it was made out. However, the solicitor concerned was dependent on instructions from the defendant (who was unreliable) and there was very limited evidence about the assessment process carried out.
- The evidence, although sparse, was sufficient to justify a claim to legal advice privilege, but did not satisfy the judge that the relevant principles had been applied in relation to a claim to litigation privilege. The defendant’s evidence failed to address any of the relevant criteria, and the defendant’s solicitors’ evidence did not explain how the solicitor concerned reached the conclusion that the relevant tests were satisfied. Again, the judge inferred that the solicitor relied on the defendant, who was an unreliable source.
- As to whether the data controller was the defendant or the company, at the material times the defendant controlled what was being done with the data and why. The claimant’s personal data was not in reality being held by or dealt with by the company, or for the company’s purposes, at the direction or under the control of the defendant as director. It was held, used and disclosed under the control of the defendant acting in a different capacity, for purposes that were not aspects of the company’s commercial activity.
- Finally, when determining what issues could fairly and properly be tried, the judge said it was “a matter for dismay” that the parties had “generated such a procedural muddle”. Among other things, the pleaded case did not raise the question of whether and if so why the processing of the claimant’s personal data was unwarranted. In addition, although the claimant asserted a claim for compensation, the particulars of claim contained no factual assertions capable of supporting such a claim.
Dawson-Damer v Taylor Wessing revisited
We reported in an earlier briefing on the Court of Appeal decision in Dawson-Damer & Ors v Taylor Wessing LLP concerning the claimants’ application to compel the defendant law firm to comply with a DSAR. The defendant’s client was trustee of a number of Bahamian trusts and the DSAR was made in the context of an ongoing dispute between that client and the beneficiaries. The Court of Appeal decided a number of issues, but the case went back to the High Court for resolution of certain other issues. The following key points arise from the judgment.
‘Relevant filing system’
The defendant agreed to review nine paper files for personal data relating to the claimants, but refused to search, among others, a further 35 paper files which were in chronological order on the grounds that they fell outside the definition of a “relevant filing system” under data protection legislation. Following a decision of the Court of Justice of the European Union (CJEU), the court agreed that three separate and cumulative elements are required: the data must be structured by reference to specific criteria; the criteria must be “related to individuals”; and the specific criteria must enable the data to be easily retrieved.
Here, the client description used on the 35 files clearly related to trusts in which one or all of the claimants were potential beneficiaries, and was a criterion allowing access to personal data. This was also sufficient to satisfy the second element. As to whether the criteria enabled the data to be easily retrieved, it was not unduly onerous for someone to turn the pages of the files in order to locate the personal data. The defendant had already performed exactly the same exercise in relation to files it had already examined. In addition, as the defendant had been able to sufficiently identify the personal data relating to the claimants within the paper files to advance a claim for legal professional privilege in relation to the majority of documents containing it, the retrievability of the data must have been a feature of the filing system.
It is important to note that the CJEU decision concerned the application of the Data Protection Directive, the predecessor to GDPR. It is possible that, applying the GDPR wording, it will not be necessary to apply the same elements. In any case, the judge in Dawson-Damer was conscious of the purpose of the Directive as a whole, which was to provide a high level of protection to the right of privacy in respect of the management of personal data by data controllers. He also noted that, since the right to the protection of personal data became enshrined as a fundamental right in EU law by the Charter of Fundamental Rights of the European Union (given legal effect in 2009), the focus is on the need for protection of the data subject, as opposed to the burden on the data controller. That focus is only likely to increase further under GDPR.
When the defendant’s client instructed the defendant to provide legal advice and received it, those communications were subject to legal professional privilege as a matter of English law. The first claimant argued that such privilege was a joint privilege between a beneficiary and a trustee under English law. The court agreed. However, it was common ground that Bahamian law governed the trust and the court found that this was the relevant law on which to consider whether the first claimant had a joint privilege. The court accepted the defendant’s submissions that, under the provisions of the relevant trust legislation, where Bahamian law applies to a trust, a beneficiary has no automatic right to see the legal advice to a trustee prior to any threatened litigation and no proprietary right to documents containing that advice, and so no joint privilege can exist under that law. The first claimant did not have any trust law rights which cut across, limited or qualified the trustee’s claim to legal professional privilege and the defendant could rely on the exemption. This is a discrete point which will be welcomed by offshore trustees.
The claimants sought a number of further searches. The defendant maintained that no further searches should be ordered to be conducted because this would involve disproportionate effort. In relation to a search for the claimants’ personal data in documents referred to in documents which had already been disclosed, the court agreed that the defendant had not served any evidence setting out the time and cost involved in conducting such a search. The claimants had requested a targeted search of identified documents and the defendant had not discharged its burden of showing it would be disproportionate. The defendant was ordered to carry out the search.
In relation to a search of electronic documents using seven additional search terms, the court agreed with the claimants that there was no evidence before it to show the number of hits or the proportions of new and potentially relevant documents. The defendant submitted that the additional search terms were too wide. By the time of the hearing, it had run the new search terms yielding just over 900 new documents. This did not establish that the requested search terms were too wide. No indication of the cost or time involved in reviewing the new documents was given and the defendant was ordered to carry out the search.
However, in relation to a search of the Mimecast platform (through which emails not saved to the defendant’s document management system could be retrieved), the court agreed that it would be disproportionate to require the defendant to do this work, given that Mimecast was only a backup system and the risks that the proposed searches would disclose confidential information or personal data about the defendant’s employees or other unrelated clients. It would also be disproportionate to require searches of ex-employees’ personal spaces for saving documents and emails, but a similar search was ordered in relation to currently employed relevant fee earners.
Note that the wording is different under GDPR and is arguably a higher bar for the controller to overcome. Where a request from a data subject is “manifestly unfounded or excessive”, in particular because of its repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request.
These are lengthy and detailed judgments demonstrating some of the complexities involved in responding to (and making) DSARs and providing helpful guidance on the courts’ approach. They serve as a timely reminder of the importance of having appropriate internal policies and procedures in place to deal with DSARs effectively and efficiently, and to ensure that staff are trained to recognise and escalate DSARs accordingly within the organisation. This is essential given that the time limit for complying with a DSAR is at the latest within one month of receipt. Consideration should be given to data systems, file management and document classification practices, and data controllers seeking to rely on exemptions or grounds for refusing to comply with a request will need to ensure that they can justify those decisions, with supporting evidence. The fact that DSARs are being used tactically, both prior to and alongside the litigation process, adds a further layer of complexity. In many cases it will be advisable to take urgent specialist advice to navigate the various risks involved.
Should you have any queries arising from the points covered in this briefing, or require any assistance, please do not hesitate to contact Jeanette or Andrew, who will be very happy to help.
EWHC 893 (QB)
The judgment refers to the approach to be taken to claims for litigation privilege as summarised by Hamblen J in Starbev GP Ltd v Interbrew Central European Holdings EWHC 4048 (Comm) and . For further information on the different types of legal professional privilege and practical tips, see the Privilege chapter from our little green book of dispute resolution.
EWCA Civ 74
EWHC 1258 (Ch)
re Tietosuojavaltuutettu (Case C-25/17)