The issue of subject access requests (SARs) has come under the Court of Appeal's spotlight again, only a few weeks after its decision in Dawson-Damer v Taylor Wessing (discussed in our recent article).
The latest decision comprises two appeals heard together (Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd & ors and Deer v The University of Oxford) and it contains a number of favourable findings for data subjects. In particular, the decision treats 'personal data' as a wide concept, and confirms that collateral motives for making a SAR will not entitle the data controller to refuse disclosure. Further, when judges are exercising their discretion as to whether to grant an order requiring the data controller to comply, they should effectively start from a presumption in favour of the data subject. However, where a data subject does have an illegitimate purpose for making the SAR, the Court can take this into account in exercising its discretion, alongside other factors such as the data subject's conduct in making the SAR. The decision also confirms that excessive burdens should not be imposed on data controllers in terms of the levels of searches that must be conducted, provided that the search is reasonable and proportionate.
In both cases, a subject access request (SAR) had been made and an order sought under section 7(9) of the Data Protection Act on the grounds that the relevant data controllers had failed to comply with the requests. The orders had been refused, and these decisions were upheld by the Court of Appeal.
Mr Ittihadieh was concerned his fellow residents in a residential building were using information about him. He made a SAR to the management company of the building, as well as a number of the residents personally. The letter indicated that he intended to bring proceedings against the company and its officers for discrimination, harassment and victimisation. Around 400 documents were disclosed, but Mr Ittihadieh was not satisfied and sought an order under section 7(9). In rejecting the application, the Court was satisfied that the 'overwhelming majority' of the documents would fall within the personal and household affairs exemption and it would be wholly disproportionate to require a search for data outside that exemption, or to search for more documents. The Court of Appeal decided that this was an entirely legitimate exercise of the Court's discretion.
Ms Deer made a SAR to Oxford University, having been in litigation with the University for eight years. Following an order in 2014, the University conducted searches which involved reviewing over 500,000 emails and documents, at a cost of £116,116. As a result, 63 disclosable documents contained Ms Deer's personal data (30 of which had been previously disclosed). The claim returned to Court to determine whether the University had complied with its obligations. Whilst the Court of Appeal considered that the lower court judge had taken too narrow a view of Ms Deer's personal data, he was entitled to take the view, in his discretion, that further disclosure would serve no useful purpose. He was also entitled to take into account Ms Deer's 'relentless pursuit of disclosure' of documents as well as data and the lack of proportionality in her SARs.
Summary of the Court of Appeal's findings
- Scope of the definition of personal data: the Court of Appeal reiterated that, to be disclosable, data must 'relate' to a living individual, and that the individual must be identifiable from the data. However, whilst the mere mention of the data subject in a document does not necessarily mean it amounts to his personal data, the Court also suggested that a person's whereabouts on a particular day or at a particular time may amount to personal data. 'Personal data' must serve the purpose of the Directive: namely, to respect individuals' privacy rights with regard to data processed relating to them. Whether, as some have commented, this takes us back full circle to the test in Durant, or provides a different test, is not totally clear. The advent of the General Data Protection Regulation certainly, in headline terms, broadens the definition.
- The exemption for personal and household processing: the Court in Ittihadieh stressed the need to strike a balance between the two competing privacy interests: that of the data subject and the private interests of the data controller. Activities relating to management of a private block of flats where a 'data controller' lives, including the processing of his neighbour's personal data relating to matters concerning the management of that block of flats, would fall within the exemption. This is because they directly concern the 'data controller's' private life and household. This is a broader interpretation than what may have been expected. Decisions on CCTV use, for example, have been narrower – although perhaps future arguments in court will focus more on this exemption.
- Collateral purpose of a SAR: as confirmed in Dawson-Damer, a collateral purpose, such as for litigation, does not entitle a data controller to refuse a subject access request. However, the lack of a legitimate reason will be relevant to the court's discretion and may also impact on an award of costs.
- Proportionality of search: again, the Court followed the approach in Dawson-Damer: whilst proportionality could not justify a blanket refusal to comply with a SAR, it should limit the scope of the efforts that a data controller must take. Given that the Court found that the implied obligation to search is limited to a reasonable and proportionate search, it is possible that the search will not necessarily retrieve every item of personal data relating to an individual. As the Court put it, "…there may be things lurking under another stone which has not been turned over". Accordingly, even if a further and more extensive search reveals further personal data, this does not necessarily mean that the first search was inadequate.
- Court's discretion: in Dawson-Damer, the Court of Appeal had seemingly accepted the notion that the Court's discretion was 'general and untrammelled'. Here, the Court of Appeal questioned that approach, noting that "a discretion conferred upon the court by legislation is conferred upon the court for a purpose". As such, the discretion in section 7(9) only arises if the court is satisfied that the data controller has failed to comply with its obligations under section 7. In other words, the court must first ascertain that there has been a breach; only once it has found one is the discretion exercisable, and it may then be exercised for the purpose of satisfying s.7.