Employment E-Bulletin Article
When can employers legitimately push back on potentially burdensome and time-consuming subject access requests (SARs)? Data protection specialist and solicitor Jo Vale considers the latest Court of Appeal decisions which test some of the limits often relied on when responding to a SAR.
In particular, the Court considers privilege, proportionality and whether litigation has a legitimate purpose in subject access requests.
Subject access requests (SARs) are an important privacy right for individuals. And for employers, they are a fact of life. However, there is little doubt that they can be a burdensome, time-consuming and disruptive process.
SARs can also pose a business risk. For example, if an employee considering an employment claim wishes to see what discussion of his or her performance took place prior to a redundancy, an SAR is a useful way of obtaining early disclosure outside of the court process.
Last month in the Dawson-Damer case, the Court of Appeal decided, at least for now, the position on three issues:
- The extent of the Legal Professional Privilege exemption to the Data Protection Act 1998 (DPA)
- The proportionality of the searches a data controller is obliged to carry out; and
- Whether litigation is a proper reason for making an SAR
Mrs Dawson-Damer is the beneficiary of a Bahaman Trust which was administered by UK solicitors Taylor Wessing ("TW"). Mrs Dawson-Damer made an SAR to TW, two years before her solicitors commenced proceedings in the Bahamas challenging various aspects of the Trust.
Unsatisfied with TW's response, Mrs Dawson-Damer applied to the court both for a declaration that TW had not adequately complied with the SAR, and was thus in breach of its duties under the DPA, and for an order compelling it to comply with the SAR.
"Legal professional privilege" is one of the exemptions to the right of subject access. If the information sought is covered by legal advice or litigation privilege, the data controller is not required to disclose it.
TW considered that much of the requested information was exempt because it was covered by particular Panamanian trust disclosure rules. But when the case went to the appeal court, the judge interpreted privilege strictly – it only extends to normal legal professional privilege as it is known in proceedings in the UK, not to other rules or jurisdictions.
The DPA dictates that an SAR must be complied with unless such supply of copies of the information would be impossible or involve disproportionate effort.
What is disproportionate? The DPA does not specify, though the Information Commissioner (ICO) advises: "You should be prepared to make extensive efforts to find and retrieve the requested information…. It will never be reasonable to deny access to the requested information merely because responding to the request may be labour-intensive or inconvenient."
The reasoning behind this expectation is that an organisation that processes data should have processes for dealing with SARs built into its planning and systems. In its submission, the ICO said that in the cases where the data controller has carried out some searches, it may be disproportionate to require them to conduct further searches 'for some remote strand of data which may not even be held'. But in its view, it is not open to the data controller to avoid substantive compliance by arguing that work would be expensive or time consuming. The burden of proof is on the data controller to show that it has taken all reasonable steps to comply with the SAR.
TW's argument was that it was not reasonable or proportionate to carry out a search of all the documentation to establish whether a particular document was covered by privilege. The requested documents included a mixture of information that was privileged and information that was not, so it would be an expensive and time-consuming task to separate those documents out.
Lady Justice Arden's response was that "Disproportionate effort must involve more than an assertion that it is too difficult to search through voluminous papers. It falls to the data controller to show that the supply of the information in permanent form would involve disproportionate effort." However, in this case, there was virtually no evidence that TW had carried out a search at all.
In effect, TW had not demonstrated that complying with the SAR would involve disproportionate effort because it had relied on its erroneous view that the legal professional privilege exemption was available and that searching the 'mixed' documentation would be disproportionate. Without that exemption, there was no reason not to carry out a full search, which it clearly had not done.
Rather like buses, SAR judgments are few and far between, but in the last month there have been three at once. The second, Ittihadieh v 5-11 Cheyne Gardens, also dealt with 'proportionality', but in the context of the exemption for domestic personal data. It was considered by the Court of Appeal alongside a claim by a Dr Deer against Oxford University. The University ended up reviewing thousands of documents at a cost of £116,000 after the court ordered it to carry out further searches. The background to this case is that Dr Deer, a former employee, submitted two SARs against the background of ongoing employment tribunal litigation, but was not satisfied with the University's response. In fact, after searching 500,000 documents, only 33 documents were found to contain her personal data.
Clearly neither the DPA nor the EU directive behind it intends to impose excessive burdens on data controllers. But unfortunately neither the Act nor these cases answers directly the question of "How much is enough?" or "How much is too much?" when it comes to searching for and providing personal data. Put simply, it seems that an answer to the above questions could well be: "A lot".
There is much debate about whether a SAR made for the purpose of obtaining disclosure outside of the normal court rules for litigation is a legitimate use of a law which was designed to protect the personal data rights of individuals, by giving them the right to find out if their personal data is fairly and lawfully processed and to verify and correct the data.
A 2003 case called Durant has been interpreted by practitioners to mean that obtaining documents that may assist a claimant in litigation or complaints against third parties is not a legitimate purpose for an SAR.
However, contrary to interpretations of Durant, the judge in Dawson-Damer made it crystal clear in her ruling that it is perfectly legitimate to make an SAR for the purpose of litigation. There is nothing in the DPA which stipulates what the purpose of an SAR must be. What is more, Lady Justice Arden said that Durant had been misinterpreted and taken out of context.
Dawson-Damer is the third case in recent years to find that individual data subjects are entitled to use the DPA as a means of obtaining disclosure for purposes of litigation. But in an interesting coda from the Dr Deer case, the Court of Appeal agreed to a 25% reduction in part of the costs the University had to pay, because of the "essentially antagonistic" motives in pursuing the SAR claim.
Key take away points
The extent to which employers can push back on SARs will often depend on the particular circumstances of a request and the data it produces. Employers should take advice when responding to SARs. HR professionals should also flag any SARs early so that an appropriate response can be carefully considered and provided within the strict time limits for responding: currently 40 days from receipt of payment (although this will be reduced to one month and free of charge when the GDPR comes into force on 25 May 2018 – please see our article Data Protection - All Change by senior associate Alexandra Leonidou).
These cases highlight the following general take away points to remember when responding to SARs:
- The exemption for privileged documents is interpreted strictly and it only extends to normal legal professional privilege as it is known in the UK
- The burden of proof is on the data controller to demonstrate that it has carried out reasonable searches – it cannot avoid substantive compliance by arguing that it is expensive or time-consuming
- An SAR can be brought in the context of litigation.