Any business that has had to deal with a data subject access request (DSAR) knows just how painful, complicated and time-consuming they can be. However, for fans of data protection everywhere, Christmas has come early with not one, not two but three recent cases involving DSARs giving some much-needed clarity on the limits to requests.
For those who haven’t had the pleasure, the Data Protection Act 1998 provides a mechanism for individuals to get hold of information held about them by a company by making a DSAR. The company is then required to search its systems and hand over data; however, there are some exceptions which can limit the scope of the exercise. Unfortunately, there have been so few data protection cases in the courts that there is little guidance on the statutory exceptions.
Most information concerning employees will fall within the scope of a DSAR, but the two exceptions dealt with by these cases involve legal professional privilege and “disproportionate effort”. In Dawson-Damer and others v Taylor Wessing LLP, the business, a solicitors’ firm, withheld data claiming that it was professionally privileged. Generally speaking, communications with a solicitor seeking advice about a situation will be privileged. However, the rules of what is privileged and what is not are notoriously detailed, so proper consideration needs to be given before this exception is invoked. In this case, the firm invoked privilege as a blanket exception on all data. The court found that this was too wide and ordered disclosure of the data.
The other main get-out on which many businesses attempt to rely is that carrying out the search will involve disproportionate effort. This can be tricky to prove. In two appeals heard together, the Court of Appeal found in the companies’ favour and refused to order that they take further steps to comply with the DSARs. Both Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd and Others and Deer v Oxford University involved DSARs where the organisations argued that the cost and effort of searching and providing the data was disproportionate.
The court found that in making this assessment, companies had to undertake a balancing act, and could consider the individual’s motive for making the request. In general terms, if the request is made in contemplation of litigation, the onus on the employer to provide the information is greater. However, if the request is more general in nature, there is more scope for a business to refuse to comply or limit their compliance. As the court put it, a search may be adequate even if "there may be things lurking beneath another stone which has not been turned over".
These cases provide helpful guidance and give companies some comfort that they can rely on exceptions if necessary. Employers should bear in mind that the DSAR process will change in May 2018 when the General Data Protection Regulation comes into force. This will add some elements to the information to be provided and remove the data controller’s right to make a £10 admin charge. Further information, including style policies, will be made available in the client area of our website later this year.