Help me, Am I in Trouble? DPA & SRA, a nightmare in progress

  • By The Alchemist About Town
  • 18 May, 2017

Watch out: Court of Appeal decision is out

A data Subject Access Request ("SAR") is an Employer / Business Owner worst nightmare: the time , the effort, what information to share , what not to share and so on. 

Unfortunately this is about to get worst due to the Court of Appeal and its recent verdict on how far a data controller (employer ) needs to go to comply with a data subject access request which in blatant terms says - far, pretty far ...
Even worse, the motive of the data subject (employee) in making the request is irrelevant and evidence must be put forward to rely on "disproportionate effort". For businesses receiving all sorts of requests from individuals seeking to obtain documents for litigation purposes this judgement is for sure a disappointment.

There is only a tiny benefit, which is contrary to the Information Commission's ("ICO's") Subject Access Code of Practice , e.g. the disproportionate effort ground may apply to searches for personal data, not just in providing copies of data.

The above relates to the  Dawson-Damer v Taylor Wessing LLP case:
In 2014, Mrs Dawson-Damer and children, the data subjects and beneficiaries of a Bahamian trust, served a subject access request under the Data Protection Act ( DPA) on Taylor Wessing, the data controller and solicitors for the trust. The request was made because of an on-going trust dispute in the Bahamas.
Taylor Wessing relayed on the legal professional privilege (LLP) exemption under the DPA and consequently declined the request and withheld the relevant personal data.

Originally the High Court ruled that the law firm had not breached the Data Protection Act 1998 by refusing to carry out searches on grounds of proportionality, legal privilege and improper purpose.
The Court of Appeal however overturned the decision and ruled that LPP Exemption only applies to information which would attract LPP as a matter of English law and therefore Taylor Wessing could not refuse to provide information on the basis that any search for non-LPP material would require disproportionate effort, and the judge was wrong to hold otherwise. The fact that the purpose of Mrs Dawson-Damer’s SAR was to obtain information for use in her Bahamian litigation against the Trustee was not a ground to refuse.

The use of subject access requests ( relating this in simple speak not in legalese for employers/business owners - employees asking to see the data held on them) has become more common and is now often used as a litigation tactic ; dealing with SARs is often complex, cumbersome, and costly and the process can be open to abuse.
Subject access requests can be disproportionate and with this decision (leaving aside the Trustee/LLP specifics of this case and consequent implications in this field), the proportionality principle holds but the burden will be on the data controller (employer) to demonstrate that it has carried out a proportionate response to the request.

Please do note though that data subjects are only entitled to obtain access to and copies of their own personal data, and information about how and why that data is being processed. They are not entitled  to obtain documents which could potentially lead to/permit data controllers/employers extracting data from documents and disclosing it separately to avoid giving an advantage in future litigation/s.

So what now for employers?

If/when receiving a request:
  1. Take steps to carry out adequate searches for the personal data requested. 
  2. If the search/es would involve disproportionate effort, get ready to argue this point and produce strong evidence( please seek advise on this before rather than after to avoid costly consequences).

In anticipation of the General Data Protection Regulations updates ( read my blog Employment Law Spring round up to know more about this ) with extended and new data subject rights now is the time for employers/business owners to make sure they have their house is in order and:
  1. train staff;
  2. ensure policies and procedures to deal with SARs are in place; 
  3. make sure you have systems that can deal with requests (e.g. you are able to run searches , locate, review and redact data ).

We shall wait and see if this can/will be revisited post-Brexit with the Big Repeal and a potential re-evaluation of  how much of the General Data Protection Regulation is retained in English law.
If in doubt now, seek advice .

The People Alchemist Blog

By The Alchemist About Town 22 Sep, 2017
I am so utterly delighted that my book is now out, available to order both on paperback and on Kindle edition just in time for Business Women's Day - YES!!!!!! :-) 

STOP IT! It's all in your head   is my labour of love and my way to encourage, inspire and empower women to achieve what they want professionally and not be confined by societal, religious, family paradigms of what " women should do/are like" and, most importantly, the restrictions in their head.
If that is being CEO of a Global Company or a stay-at-mum or Director of Paperclip ( whatever grabs your fancy) so be it.

Writing this book was also a personal challenge ( the 30 days thingy) which confirmed to me once and for all that you can really do whatever you set your mind to, if you really want to that is.

Couple of tips for writing a book from me:
  • write about what you are passionate about, you know more than you think.
  • free-write about the parts/chapters in the book you like the most and you are most interested in first - that will give you a great boost at the beginning - you can edit and add the boring bits later - by then most of the book will be almost there
  • keep your own voice - write as you speak so to speak ( people do need to understand you though..)
  • keep an open mind, ideas will flow into you mid-way through the project
  • a deadline and going public is good to beat procrastination ( but if that stresses you out too much don't do it) - the deadline certainly helped me.
You can do it too!!!

If anyone would like to be part of the book launch, the event is live on Eventbrite and you can buy an Early Bird ticket now:
SMASH YOUR CEILING - #STOPITBookLaunch 
Thursday 12 October at 18.30
Business Design Centre
Islington
London

To pre- e-meet other super fab women in business attending the event, please use the following hashtags:
#SMASHYOURCEILING
#STOPITBookLaunch
#BDCWorks

I'm so excited about this book and I genuinely hope you will like it- I hope to meet you soon, in person or through the pages of my book.

Laura x


#Hustle #GirlBoss #SmashThatCeiling
  #SmashYourCeiling
STOP IT! It's all in your head 
#dreambig #believe #youcan



By The Alchemist About Town 19 Sep, 2017
The time is getting closer and closer to the release of   STOP IT, It's all in your head   my new book ( 22 September for Business Women's Day - US) .

I have now  received the proof copy of the paperback which looks absolutely fabulous: a couple of things to correct but overall I am super happy with the result.
A lot of marketing to do now between Facebook, Twitter, Instagram and Google+ ( which is PS: looking like more work than the actual writing of the book).

The book event/launch/talk is live on Eventbrite and you can buy an Early Bird ticket now:
SMASH YOUR CEILING - #STOPITBookLaunch 
Thursday 12 October at 18.30
Business Design Centre
Islington
London

To pre- e-meet other super fab women in business attending the event, please use the following hashtags:
#SMASHYOURCEILING
#STOPITBookLaunch
#BDCWorks

I'm so excited about this book and I genuinely hope you will like it.

Laura x


#Hustle #GirlBoss #SmashThatCeiling
  #SmashYourCeiling
STOP IT! It's all in your head 
#dreambig #believe #youcan



More Posts
Share by: