Member Article

Subject Access Requests

With Watson Burton LLP Law Firm

The Data Protection Act 1998 (“the Act”) governs the right of individuals to access information about them and imposes obligations on anyone who may hold personal information to process such information in a proper manner. Compliance the Act is vital if it is data from which (or, when taken together with other information) an individual may be identified.

Under the Act individuals have the ability to make a Subject Access Request (“SAR”). This entitles them to be told by the data controller (who determines the purposes for and the manner in which any personal data are, or are to be, processed) whether their personal data is being processed. If this is the case, they have a right to a description of what that data covers, including the purpose of the processing, the recipient or classes of recipient to which the data may be disclosed, the information which comprises the personal data and information regarding the source of the data. There is a 40 day time limit within which such information must be provided in a permanent form, unless this is not possible or it would be disproportionate to do so.

In the case of Ezsias v The Welsh Ministers an employee claimed he had been unfairly dismissed. He had written extensively to the Welsh National Assembly (“WNA”) detailing concerns he had with his employer and the way these had been dealt with. To support his claim against his employer he made numerous SARs to the WNA, including a broadly worded, seemingly “catch all” request. The claimant was not satisfied with the WNA’s response to his requests and applied to the High Court, seeking (i) a declaration that the WNA had failed to make appropriate and timely disclosures, (ii) an order that it should comply with the SARs and (iii) damages.

The High Court held that:

• the WNA’s search for personal data disclosable to the claimant was reasonable and proportionate. To assist it in coming to this decision the court ordered the WNA to identify the documents which it had disclosed, list the documents it intended to withhold and file copies of those documents so that the court could decide whether or not they should be disclosed. It further required an affidavit to be filed confirming the WNA’s compliance with the orders and the steps it had taken to identify and disclose the data which were subject to the SARs;
• although the 40 day disclosure time limit had not been complied with, this had not caused the claimant any damage or prejudice;
• the Act does not entitle an individual whose personal data is being processed (“data subject”) to have copies of, or access to, the documents containing that data. It is not the purpose of the SAR procedure to assist a data subject in obtaining disclosure of documents to assist in litigation or with complaints against third parties;
• courts have discretion in deciding whether to order a data controller to comply with a SAR. The Civil Procedure Rules are the more appropriate method of seeking required information where separate legal proceedings are likely or are in progress. The SAR procedure under the Act is not the equivalent of a right to disclosure of documents;
• the steps taken by the WNA in response to the claimant’s SARs were reasonable and proportionate given that much of the data sought by the claimant were held in an unstructured form and that it was unlikely that departments or agencies other than those approached by the WNA held any personal data about the claimant;
• the documents which had not been disclosed and the redacted parts of documents which had been disclosed did not include “personal data” as defined by the Court of Appeal in Durant v Financial Services Authority; and
• no damages were payable to the claimant. Any loss he suffered did not flow from any failure of the WNA to provide data under the Act.

Although this decision does shed some light on the extent of a data controller’s obligations under the Act in relation to SARs, the narrow test in Durant was relied on to define “personal data”. The Information Commissioner’s Office guidance, however, seems to suggest that a wider definition is preferable.

Given the lack of consensus as to the meaning of “personal data” it may be wise for data controllers to err on the side of caution when considering whether or the extent to which to comply with a SAR. Until this issue is resolved with certainty, adhering to a wider interpretation of “personal data” will help ensure that all relevant data is captured.

If you have any comments or questions about this article or any other Intellectual Property related matters please contact Sarah Barratt by email at sarah.barratt@watsonburton.com.

This was posted in Bdaily's Members' News section by Ruth Mitchell .