Court of Appeal sets some limits on requirement to comply with Subject Access Requests

12 July, 2017
by: Cripps

The amount of time and resources a business has to spend complying with a subject access request (SAR) has long been one of the most contentious areas of data protection law, particularly given that most SARs are made during the course of employment litigation, where the relationship between data controller and data subject is already somewhat strained. Two recent cases[1] seem to have swung the balance a little way back towards the data controller by suggesting there are some limits on the data search that needs to be undertaken following a SAR, but businesses need to step up data protection compliance in advance of the tougher new rules to come.

The Data Protection Act 1998 (the DPA) gives people the right to request a copy of their personal data from an organisation by making a SAR.

The DPA puts a legal obligation on organisations to supply “a copy of the information in permanent form” unless to do so is “not possible or would involve disproportionate effort.” So, the right to have a SAR met is balanced by the fact that an organisation does not have to go to unlimited lengths to do so.

The “disproportionate effort” exemption has been considered by the Court of Appeal on two occasions this year. Prior to these cases it had been assumed that the exemption only applied to the effort involved in providing a copy of the information. However, the Court of Appeal said that it also applies to finding the information in the first place. Therefore, in some circumstances there may be a limit on the extent of the searches that an organisation has to make – but only if the effort outweighs the benefit to the requestor.

Organisations cannot rely upon the “disproportionate effort” exemption to refuse to make any search whatsoever and must remember that the threshold for their efforts remains high. Reasonable and proportionate steps must be taken to find and supply the information requested, even though every item of personal data might not necessarily be retrieved. In the words of the Court: “there may be things lurking beneath another stone which has not been turned over”. Nevertheless, each case will turn on its own facts, and at the end of the day an organisation may have to evidence that reasonable and proportionate steps have been taken to comply with the request.  The Courts have made it clear that, as far as possible, SARs should be actioned.

In June the Information Commissioner’s Office (ICO) updated its Subject Access Code of Practice to reflect the Court of Appeal’s decisions. The ICO has said: “Even if you can show that supplying a copy of information in permanent form would involve disproportionate effort, you must still try to comply with the request in some other way, if the applicant agrees” (see page 45 of the Code of Practice – https://ico.org.uk/media/for-organisations/documents/2014223/subject-access-code-of-practice.pdf).  

Will things change when the General Data Protection Regulation (GDPR) comes into force on 25 May 2018?

The GDPR grants new rights to data subjects which may require organisations to locate, and take action in respect of, personal data. SARs will have to be actioned in a shorter time frame. Data subjects will have new rights to have their inaccurate data rectified, their data erased completely (the “right to be forgotten”), and their data provided to them or other organisations in “a structured, commonly used and machine-readable format” (known as “data portability”).

One might reasonably ask how these new rights can be accommodated if an organisation cannot find all of the personal data in the first place. Will they also be subject to limitations and exemptions similar to those under the current SAR regime? We do not currently know. While proportionality will remain a general principle of EU law, the GDPR may place a greater burden on organisations to know where all of an individual’s personal data is held.

In terms of practical steps businesses can take, setting up systems to enable them to deal more efficiently with SARs will be key, so that locating and accessing personal data can be done more quickly and easily.


[1] Dawson-Damer and others v Taylor Wessing LLP [2017] EWCA Civ 74 and Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd and Others [2017] EWCA Civ 121.