
Subject access requests: what is a reasonable and proportionate search?

Often data controllers will receive requests for personal data where the data subject is in litigation or impending litigation with either the data controller or a third party. This often causes friction between the lawyers handling the litigation and the individuals responsible for responding to the request. 

In the case of Dawson-Damer & others v Taylor Wessing & others, the High Court re-affirmed previous judgments when it refused an application under s7(9) of the Data Protection Act (DPA) for an order to compel the defendant to comply with a subject access request. This was because the court felt that the request was made for the primary purpose of assisting a litigation case.

Background

The applicants were beneficiaries of a trust, who had issued proceedings in the Bahamas against the trustees. The defendant was the legal advisor of the trustees. The applicants submitted subject access requests to the defendant, requesting access to their personal data. 

The defendant refused the original request, on the grounds that it was entitled to rely on legal professional privilege in respect of the majority of the documents. It claimed that it would be disproportionate and/or unreasonable to expect it to carry out a search to determine which of the documents were privileged and which were not.

S7(9) Application

The applicants then applied to the court for an order, under s7(9) of the DPA, to compel the defendant to comply with the request.

The court considered two issues in detail:

  • Legal privilege; and
  • Reasonable and proportionate search.

Legal privilege

Under the DPA, legally privileged information is exempt from disclosure in response to a subject access request. However, the scope of legal privilege was in issue in this case, as the claimants sought to argue that the court should interpret the definition of legally privileged information narrowly.

However, the court determined that legal privilege, for the purposes of subject access requests, should have the same meaning as in litigation. The defendants would therefore be able to refuse to provide personal data where it was privileged using the same criteria that would be used in determining whether that information could be withheld (under privilege) in the Bahamian proceedings.

Reasonable and proportionate search

The defendant sought to refuse to undertake a detailed and extensive search for the applicants' personal data on the grounds that, as the majority of the personal data held was legally privileged, it would not be reasonable and proportionate to undertake a search to locate any non-privileged personal data.

The Information Commissioner considers that data controllers are only entitled to refuse to provide information where the costs of providing the information in a permanent form would involve a disproportionate effort, and not where the costs of locating and collating the personal data alone are considerable. 

However, the courts have taken a slightly different view, and are prepared to support data controllers who seek to limit the work involved in complying with a request (ie locating, identifying and extracting personal data), where it can be shown that the purpose behind the request was to assist in actual or impending litigation.

The court followed the approach taken in the County Court case of Elliott v Lloyds TSB Bank and the High Court decision in Ezsias v Welsh Ministers, where the respective courts supported data controllers who had limited the scope of subject access requests which were made in furtherance of civil proceedings.

However, unlike the data controllers in Elliott and Ezsias, the defendant failed to provide any evidence to support the extent of the searches undertaken to comply with the request. Surprisingly, the court agreed with the defendant that it was not reasonable or proportionate to expect the defendant to either:

  • carry out any search; or 
  • determine which documents were protected by privilege and which were not. 

This was on the basis that determining whether a document was protected by privilege required consideration by skilled lawyers and would be a lengthy and costly exercise, and that the defendant was only entitled to charge a £10 fee.

Whilst the court supported the defendant's approach not to undertake a search due to the potentially small volume of (non privileged) personal data that would be located, this judgment should not be seen as a blanket exemption from undertaking any searches. 

This case, in conjunction with the earlier cases of Durant, Elliott and Ezsias, should be seen in the context of individuals seeking to use their rights under the DPA to assist them in actual or impending civil litigation, as opposed to individuals merely seeking access to their personal data for the purposes of checking the accuracy of the information, and securing corrections to that data if required.

This case is currently being appealed to the Court of Appeal, and this gives the Court of Appeal the option to revisit the conclusions reached in the Durant v FSA judgment.

Conclusion

Ever since the comments of the Court of Appeal in Durant, where the judges expressed dissatisfaction with the use of subject access requests for the purposes of supporting litigation, the courts have been unhappy with applicants seeking to use subject access rights as an alternative to the discovery process. 

By asking a court under s7(9) to compel a data controller to comply with a subject access request to "fish" for information to assist in litigation, individuals are attempting to bypass the CPRs' disclosure regime. This potentially places the court in conflict with the CPRs' overriding objective, that is, to enable the court to deal with cases justly and at proportionate cost. This is not just in respect of the court's resources, but also in respect of the parties' resources.

By using subject access rights in a civil litigation context, the data subject is seeking to compel the data controller to undertake a wider, more resource intensive and costly burden to identify and disclose personal data. In most cases, this data will either be irrelevant to the issues in dispute or would have been provided to the data subject through the discovery process.

Wherever possible, data controllers should seek to enter into a dialogue with the data subject to narrow down the scope of the request and/or the areas of the organisation that the data subject requires to be searched, to reasonable levels. The Information Commissioner's guidance makes it clear that the data subject can refuse to narrow down the scope of the request, and indicates that data controllers must comply with the request. However, if the data subject fails to narrow down the scope of the request, and provided it can be shown that the request was made in furtherance of litigation, the courts may be prepared to back the data controller.

Failure to comply with the subject access request, for whatever reason, will result in the Information Commissioner finding that the data controller has failed to comply with the DPA. 

However, if the data subject then applies to the court to obtain an order to compel the disclosure of the personal data, where it is clear that he/she has made the request for the purposes of assisting in a litigation claim, he/she will need to produce a strong case to justify the additional burden on the data controller. This is particularly important if the result of such searches will either produce information that the data subject has or will receive, in its entirety, as part of the disclosure process, or if the burden of locating and collating the personal data will place a disproportionate burden on the data controller.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at September 2015. Specific advice should be sought for specific cases. For more information see our terms & conditions.

by Varun Shingari

