ThePeopleAlchemist Edit: HR, Business and SAR – HELP ME, AM I IN TROUBLE?
A data Subject Access Request (“SAR”) is an Employer / Business Owner’s worst nightmare. The time, the effort, what information to share, what not to share and so on.
Unfortunately, this is about to get worse following the Court of Appeal’s recent verdict on how far a data controller (employer) needs to go to comply with a data subject access request, which in blunt terms says: far, pretty far …
Even worse, the motive of the data subject (employee) in making the request is irrelevant. Evidence must be put forward to rely on “disproportionate effort”. For businesses receiving all sorts of requests from individuals seeking to obtain documents for litigation purposes, this judgment is a disappointment.
There is only a tiny benefit: contrary to the Information Commissioner’s Office’s (“ICO’s”) Subject Access Code of Practice, the disproportionate effort ground may apply to searches for personal data, not just to providing copies of data.
The above relates to the Dawson-Damer v Taylor Wessing LLP case. In 2014, Mrs Dawson-Damer and her children, the data subjects and beneficiaries of a Bahamian trust, served a subject access request under the Data Protection Act (DPA) on Taylor Wessing, the data controller and solicitors for the trust. The request was made because of an ongoing trust dispute in the Bahamas.
Taylor Wessing relied on the legal professional privilege (LPP) exemption under the DPA. They consequently declined the request and withheld the relevant personal data.
Initially, the High Court ruled that the law firm had not breached the Data Protection Act 1998 by refusing to carry out searches on grounds of proportionality, legal privilege and improper purpose.
However, the Court of Appeal overturned the decision and ruled that the LPP exemption only applies to information that would attract LPP as a matter of English law. Therefore Taylor Wessing could not refuse to provide information on the basis that any search for non-LPP material would require a disproportionate effort, and the judge was wrong to hold otherwise. The fact that the purpose of Mrs Dawson-Damer’s SAR was to obtain information for use in her Bahamian litigation against the Trustee was not a ground to refuse.
THE USE OF SAR
The use of subject access requests (in plain terms for employers/business owners, rather than legalese: employees asking to see the data held on them) has become more common. It is now often used as a litigation tactic. Dealing with SARs is often complex, cumbersome, and costly. In addition, the process can be open to abuse.
Subject access requests can be disproportionate. With this decision (leaving aside the Trustee/LPP specifics of this case and consequent implications in this field), the proportionality principle holds. But the burden will be on the data controller (employer) to demonstrate that it has carried out a proportionate response to the request.
Please do note that data subjects are only entitled to obtain access to and copies of their data, and information about how and why that data is being processed. They are not entitled to receive the documents themselves, which could potentially permit data controllers/employers to extract the data from documents and disclose it separately, to avoid giving an advantage in future litigation.
So what now for employers?
If/when receiving a request:
- Take steps to carry out adequate searches for the personal data requested.
- If the search(es) would involve disproportionate effort, get ready to argue this point and produce strong evidence. Please seek advice on this before rather than after to avoid costly consequences.
In anticipation of the General Data Protection Regulation updates, with extended and new data subject rights, now is the time for employers/business owners to make sure they have their house in order:
- Train staff.
- Ensure policies and procedures to deal with SARs are in place.
- Make sure you have systems that can deal with requests, e.g. you can run searches, locate, review and redact data.
We shall wait and see if this can/will be revisited post-Brexit with the Big Repeal and a potential re-evaluation of how much of the General Data Protection Regulation is retained in English law.
If in doubt now, seek advice.