In an important decision on subject access requests (SARs), the Court has considered the approach to take where the information an individual seeks relates to third parties such as the identity of recipients or sources of personal data. Whilst the decision was made under the previous legislation, the Data Protection Act 1998 (DPA98), the same approach should apply under the General Data Protection Regulation / Data Protection Act 2018.
The case was brought by Dr Rudd, a consultant physician (and a regular expert witness in court proceedings) specialising in exposure to asbestos, against a John Bridle, an asbestos lobbyist. Mr Bridle had made a complaint to the General Medical Council alleging that Dr Rudd had falsified the risks to health associated with chrysotile asbestos in expert reports. He also made unfounded allegations to MPs and communicated with unnamed allies in the asbestos industry about ways to discredit Dr Rudd. Dr Rudd made a subject access request and sought information about the identities of the third parties who had been collaborating with Mr Bridle. Considering Mr Bridle's response to his SAR inadequate, he applied to Court for an order under s.7(9) DPA98.
Dr Rudd was successful in obtaining an order that the disclosure provided in response to his SAR was inadequate. The key points to note from the decision are:
- Mr Bridle, not his company, was the data controller.
- None of the claimed exemptions (Journalist, Regulatory Activity or Litigation Privilege) applied.
- Mr Bridle must provide further information, including descriptions of recipients of Dr Rudd's personal data, any information as to the sources of the personal data and the purposes for which the data was being processed.
- No damages were payable by Mr Bridle as Dr Rudd had not provided evidence of harm or distress.
What information was Dr Rudd entitled to under the SAR?
- Does a data controller, when responding to a SAR, have to 'leave no stone unturned'? A data controller is only required to conduct a reasonable and proportionate search for the applicant's personal data. However, the Court said it is less clear that a data controller has such latitude when determining whether the personal data retrieved as a result of a reasonable and proportionate search is subject to one or more of the exemptions from the subject access provisions. The case law suggested that they did not have such latitude, and the nature and extent of the operations conducted by the data controller would be a relevant factor in the exercise of the Court's discretion under s.7(9) DPA98. If a data controller acts with reasonable diligence, and there is no substantive reason to doubt the validity of the conclusions it had reached, an order is unlikely under s.7(9). However, that was not the case here.
- Can the data subject seek disclosure of documents? The statutory rights relate to personal data, and the obligation is not to supply documents (though it may be more convenient or cheaper for the data controller to do so). Indeed, the Judge said, a "claim for documentary disclosure pursuant to the DPA is likely, almost always, to be misconceived".
- Can the data subject seek disclosure of the identity of recipients of personal data? The statute and ICO guidance confirm that the data subject is entitled to seek a description, but not the identity, of recipients of their personal data. This should include an indication of the nature or status of the person, firm or company to whom e.g., emails were sent. However, the identities of those to whom personal data are disclosed may count as part of the individual's personal data, and this will be a question of fact. The important case of Durant confirmed that information is not an individual's personal data merely because it names them: the information must be biographical in a significant sense and it should have the data subject as its focus (not some other person or a transaction or event). In this case, the identities of individuals with whom it was said Dr Rudd had conspired or who were said to be his 'victims' were information that focused on him and was biographically significant. However, the position was different regarding the identity of the recipients of the personal data; this was not information relating to him.
- Can the data subject seek disclosure of the identity of sources of personal data? Again, the Court concluded that the identity of the source of the personal data was not information relating to Dr Rudd, applying the Durant test. However, the data controller must provide under DPA98 "any information available" as to the source. There could not be a blanket refusal to provide information about sources of personal data and in this case it meant that source information such as the names of solicitors' firms should be provided.
- How much detail must be given of the purposes for which data have been processed? The essence of the right is to know what the data controller is doing or intends to do with personal data relating to the data subject. However, it does not impose an obligation to provide that information on a document by document or item by item basis.