A data Subject Access Request ("SAR") is an employer's / business owner's worst nightmare: the time, the effort, what information to share, what not to share and so on.
Unfortunately this is about to get worse due to the Court of Appeal and its recent verdict on how far a data controller (employer) needs to go to comply with a data subject access request, which in blunt terms says: far, pretty far...
Even worse, the motive of the data subject (employee) in making the request is irrelevant, and evidence must be put forward to rely on "disproportionate effort". For businesses receiving all sorts of requests from individuals seeking to obtain documents for litigation purposes, this judgement is for sure a disappointment.
There is only a tiny benefit, which is contrary to the Information Commissioner's ("ICO's") Subject Access Code of Practice: the disproportionate effort ground may apply to searches for personal data, not just to providing copies of data.
The above relates to Dawson-Damer v Taylor Wessing LLP.
In 2014, Mrs Dawson-Damer and her children, the data subjects and beneficiaries of a Bahamian trust, served a subject access request under the Data Protection Act (DPA) on Taylor Wessing, the data controller and solicitors for the trust. The request was made because of an on-going trust dispute in the Bahamas.
Taylor Wessing relied on the legal professional privilege (LPP) exemption under the DPA and consequently declined the request and withheld the relevant personal data.
Originally the High Court ruled that the law firm had not breached the Data Protection Act 1998 by refusing to carry out searches on grounds of proportionality, legal privilege and improper purpose.
The Court of Appeal, however, overturned the decision and ruled that the LPP exemption only applies to information which would attract LPP as a matter of English law. Taylor Wessing therefore could not refuse to provide information on the basis that any search for non-LPP material would require disproportionate effort, and the judge was wrong to hold otherwise. The fact that the purpose of Mrs Dawson-Damer’s SAR was to obtain information for use in her Bahamian litigation against the Trustee was not a ground to refuse.
The use of subject access requests (in simple speak rather than legalese for employers/business owners: employees asking to see the data held on them) has become more common and is now often used as a litigation tactic; dealing with SARs is often complex, cumbersome and costly, and the process can be open to abuse.
Subject access requests can be disproportionate and with this decision (leaving aside the Trustee/LLP specifics of this case and consequent implications in this field), the proportionality principle holds but the burden will be on the data controller (employer) to demonstrate that it has carried out a proportionate response to the request.
Please do note, though, that data subjects are only entitled to obtain access to and copies of their own personal data, and information about how and why that data is being processed. They are not entitled to obtain documents which could potentially lead to/permit data controllers/employers extracting data from documents and disclosing it separately to avoid giving an advantage in future litigation.
So what now for employers?
If/when receiving a request:
- Take steps to carry out adequate searches for the personal data requested.
- If the searches would involve disproportionate effort, get ready to argue this point and produce strong evidence (please seek advice on this before rather than after to avoid costly consequences).
In anticipation of the General Data Protection Regulation updates (read my blog Employment Law Spring round up to know more about this), with extended and new data subject rights, now is the time for employers/business owners to make sure their house is in order and:
- train staff;
- ensure policies and procedures to deal with SARs are in place;
- make sure you have systems that can deal with requests (e.g. you are able to run searches, locate, review and redact data).
We shall wait and see if this can/will be revisited post-Brexit with the Big Repeal and a potential re-evaluation of how much of the General Data Protection Regulation is retained in English law.
If in doubt now, seek advice.