Subject access requests under the Data Protection Act 1998

In early 2017 three judgments have been handed down which provide useful clarification and guidance on the law relating to SARs. Read our analysis here.

Subject Access Requests (SARs) are requests made under Section 7 of the Data Protection Act 1998 (DPA) by individuals (data subjects) wishing to access their personal data. A data subject who makes a written request and pays a fee (currently £10) to a data controller is entitled to be told (among other things) whether any personal data is being processed; to be given a description of the personal data, and to receive a copy of the information comprising the data. SARs can be onerous for data controllers to comply with, and it is not uncommon for data subjects to seek to use them to obtain disclosure in aid of proceedings or contemplated proceedings against the data processor.

The right of the data subject is not absolute, however. There are a number of exemptions on which the data controller can rely, including (under section 36 of the DPA) if the data being processed is processed only for the purposes of personal, family or household affairs.

If however the data processor cannot rely on an exemption and fails to comply with a SAR, the data subject has a right to apply to court for an order that the data controller complies with the SAR. The court's discretionary power to make such an order arises under section 7(9) of the DPA.

In early 2017 three judgments have been handed down which provide useful clarification and guidance on the law relating to SARs. They confirm that data controllers are only required to do what is "reasonable and proportionate" in complying with a SAR, but are also good news for data subjects, indicating a general presumption in favour of disclosure.

The most significant of the three cases is the combined appeals of Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd and Deer v University of Oxford (3 March 2017), in which the Court of Appeal clarified a number of points in relation to SARs:

• The "reasonable and proportionate" limitation means that a data controller is not under an obligation "to leave no stone unturned".
• The court's discretion to grant relief under section 7(9) DPA is qualified in various ways: the court must have regard to the principle of proportionality, and also a number of other factors, including the "reason for the request". However, discretion will usually be exercised in the data subject's favour if there are no material factors other than a SAR in valid form and a breach of the data controller's obligation to conduct a proportionate search.
• Neither payment of a fee nor an inquiry of the data controller about what fee (if any) he might require is a pre-condition of the making of a valid SAR. It is up to the data controller to require a fee if he chooses to do so.
• The exemption under section 36 DPA (whereby data processed by an individual only for the purposes of his or her personal, family or household affairs are exempt from the data protection principles) should be approached widely and will not necessarily be limited to matters relating to the data controller's own household.
• Company directors who make decisions about how and why personal data are processed as agents of the company are themselves not data controllers.

In Dawson-Damer v Taylor Wessing LLP (16 February 2017), the Court of Appeal held that it is for the data controller to show that complying with a request would involve disproportionate effort, and SARs should be enforced in so far as possible. The Court confirmed that the DPA does not permit a data controller to withhold personal data based on the reasons for the request, including where the data subject intends to use the data for the purpose of litigation proceedings. Having a collateral purpose will not usually amount to an abuse of process. The Court also confirmed that the legal professional privilege exception under the DPA applies only to documents covered by legal professional privilege under English law, and not to those covered by foreign law disclosure protections.

There is a recent example of what is "reasonable and proportionate" in Holyoake v Candy (24 January 2017), in which Warby J decided that the (very extensive) searches carried out satisfied this requirement. Over 17,000 individual documents had been reviewed and lawyer or litigation support time charges in excess of £37,000 had been incurred. The judge confirmed that a company is not required to ask its directors whether they use a personal email account for corporate business unless there is "some sufficient reason to do so", and that there would need to be strong prima facie evidence of wrongdoing to justify any inspection of privileged documents.