The Court of Appeal has given its verdict on how far a data controller needs to go to comply with a data subject access request ("SAR"). The answer: pretty far. The impact: the motive of the data subject in making the request is irrelevant; the legal privilege exemption is not a catch-all exemption; and a controller that wants to rely on "disproportionate effort" must put forward evidence to support it. The slight benefit: contrary to the Information Commissioner's Office's ("ICO's") Subject Access Code of Practice, the disproportionate effort ground may apply to the searches for personal data, not just to providing copies of the data.
The Dawson-Damer case arose when Mrs Dawson-Damer submitted a SAR to the law firm Taylor Wessing ("TW"). TW advised the Bahamian trustee of a fund of which Mrs Dawson-Damer was a beneficiary, and held some thirty years' worth of case files relating to the matter. The motive behind the SAR appeared to be connected with litigation Mrs Dawson-Damer was bringing against the trustee.
Response to the SAR
TW refused to provide the data requested, stating that it was all exempt from disclosure as legally privileged. TW's basis for this was a right it argued was akin to privilege: under Bahamian law the trustees could not be compelled in Bahamian proceedings to provide the information to beneficiaries. The requester's solicitors argued that legal advice could not be withheld from the beneficiaries of the particular trust and that, at most, TW could attempt to rely upon litigation privilege. Limited data was disclosed to the requester, who then sought an order from the High Court.
High Court decision
For a brief period controllers were hopeful. The High Court accepted TW's reliance upon legal professional privilege (treating the trustees' rights under Bahamian law as akin to it); it accepted that a controller could refuse to provide personal data where the purpose of the SAR was to obtain information that would be helpful in litigation; and it accepted that it would not be reasonable or proportionate to expect a controller to carry out the necessary search in order to decide whether the information was privileged, where that decision really lay with another party (here, the trustees).
Court of Appeal decision
The Court of Appeal disagreed.
The legal professional privilege point: The court held that the legal privilege exemption should be construed narrowly. Essentially, if the information is not legally privileged under English law and no other exemption under the UK Data Protection Act ("DPA") applies, there are no grounds to withhold the requested data. This is so even though other principles (in this case, trust law principles in the Bahamas) might otherwise prevent the information from being disclosed.
The disproportionate effort point: TW applied legal professional privilege in a blanket fashion, when it was highly likely that some of the information would not have been legally privileged. TW failed to satisfy the burden of proof upon it by producing evidence to show that it took adequate steps to search for the data requested. It appeared that TW had merely reviewed the files, but had not taken steps to identify personal data, considering that it would be too difficult to search through voluminous papers. TW could therefore not rely upon the disproportionate effort exemption.
Note that the Court agreed with the argument that, when considering whether data cannot be supplied under s.7(1)(c)(i) DPA because "the supply of such a copy is not possible or would involve disproportionate effort", the proportionality of compliance with a SAR is to be assessed across the whole process. As such, the proportionality of carrying out the searches may be taken into account; however, this must be considered on a case by case basis, and (as the previous point shows) the controller bears the burden of evidencing it.
The intention behind the request point: The DPA does not specify that the purpose of a request must be limited to checking the accuracy of the data. A collateral purpose, such as obtaining the data for use in litigation, does not relieve a controller of the obligation to deal with the request (whereas a conflict of interest or an abuse of the court's process might). Were controllers required to assess the true purpose of a request before complying, the result would be complex satellite litigation over what that purpose actually was.
What now for controllers?
On receipt of a request: Take steps to carry out adequate searches for the personal data requested. If you think the searches would involve disproportionate effort, you will need to be prepared to argue this point and produce strong evidence.
More rights to come: The GDPR is fast approaching and with it extended and new data subject rights (which must be available free of charge). Now is the time to make sure your house is in order: train staff; put request handling policies in place; make sure your systems are set up to deal with requests (so that searches can be run and data can be located, reviewed and redacted); and have a process for notifying relevant third parties of requests. This also applies to companies acting as processors, who will need to assist their customers with their compliance.
Court vs ICO: If a data subject now decides to go down the court route (as opposed to the ICO route), this will not necessarily produce a better result for the controller, contrary to what has generally been seen in the UK to date. The Court of Appeal's decision (which involved input from the ICO) was clearly more data subject friendly. As the ICO was quoted in the decision: "the cost of compliance is the price data controllers pay for processing data". It will be interesting to see how the EU courts and regulators approach the new and enhanced rights under the GDPR.
Member State laws: The GDPR makes barely a reference to exemptions that might apply to subject access requests. No doubt we will see Member State law differences (the UK currently being one of the Member States with the highest number and most complex exemptions).