Data protection and subject access requests
July 2017 | SPOTLIGHT | DATA PRIVACY
Financier Worldwide Magazine
July 2017 Issue
An individual whose data is being processed (a data subject) has the right to request copies of that data from the organisation that controls the processing of it (the data controller) under section 7 of the Data Protection Act 1998 (DPA).
The data controller must respond within 40 calendar days and is entitled to charge the data subject a fee of £10. This mechanism essentially allows individuals to request information that an organisation holds about them, the reason it is being processed and whether it could be passed on to others.
On 3 March 2017, the Court of Appeal in Deer v. University of Oxford delivered a significant judgement on the rights of a data subject to make subject access requests (SAR).
In light of this judgment, we now have a better understanding of the definition of ‘personal data’ in relation to SARs and the impact of the doctrine of proportionality which must now be applied to data controllers when complying with SARs.
In practice, most data controllers struggle to comply with SARs due to the fact that much of their data is stored in large disorganised systems. Delving through extensive volumes of data to find the specific information on data subjects can be time consuming and an unproductive use of resources, especially if the data controller is required to look through archived data stores, computerised and non-computerised records. The proportionality test may now relieve some of the burden which data controllers face when complying with SARs.
The court in Deer has now confirmed a two pronged definition of ‘personal data’ for the purposes of complying with SARs: (i) whether the data in question ‘related to’ a living individual; and (ii) whether the individual was identifiable from those data.
What amounts to ‘personal data’ for the purpose of complying with SARs has been the subject of many discussions in recent cases. In Durant v. Financial Services Authority, Auld LJ claimed that the purpose of section 7 should enable a data subject to check whether the data being processed unlawfully infringes their privacy and whether the data they hold is correct. It should not be used as an alternative route to access any information in which they may be named or involved.
The main concern is whether the data is ‘related’ to the data subject, rather than whether a data subject could be identified from the data. Auld LJ suggested that where the data subject is mentioned, the data subject is subsequently ‘identified’ and is therefore personal data. Many individuals have exploited this section 7 mechanism of the DPA by using it to obtain documents for the purpose of assisting in litigation. If documents contain ‘personal data’ and might be subject to privilege in a trial, data controllers could be entitled to refuse to comply with the SAR.
The DPA does not contain an express obligation on the data controller to search for personal data in response to a SAR; however, an obligation is strongly implied. The judgment in Deer provides that a data controller must take reasonable and proportionate steps to identify and disclose the data which they are bound to disclose. Section 8(2) of the DPA entitles a data controller not to supply a copy of the information in permanent form if to do so would involve disproportionate effort.
In Deer, the court claimed that there is no limit on the efforts that a data controller must take in response to a SAR, however, the principle of proportionality must be applied. As such, the degree of effort made by the data controller to find the personal data requested will need to correspond directly to the particular SAR.
There needs to be a balance between the rights of the data subject being able to access his personal data and also the interests of the data controller. The doctrine of proportionality should be taken into account when determining the time, expenditure and resources it will cost the data controller to carry out the SAR. Proportionality in each case will depend on a number of factors, including but not limited to whether the SAR is being used as a fishing expedition for documents, the absence of a legitimate reason for the SAR or if the SAR is purely abusive.
The proportionality test will result in not every single item of personal data being retrieved by the data controller; however, this does not necessarily mean that the search will be deemed inadequate.
The courts will judge this on a case-by-case basis and, as a result, data controllers will need to remain vigilant when dealing with a SAR. If any uncertainties arise in relation to the effort and extent of compliance with a SAR, it would be best for data controllers to speak to a professional.
Richard Penfold is a partner and Tayler Billington is a trainee solicitor at JAG Shaw Baker. Mr Penfold can be contacted on +44 (0)203 598 3070 or by email: firstname.lastname@example.org. Ms Billington can be contacted on +44 (0)203 598 3070 or by email: email@example.com.
© Financier Worldwide
Richard Penfold and Tayler Billington
JAG Shaw Baker