Subject access is an important right for people who want to protect their privacy and are concerned about the accuracy of the information that an organisation holds on them.
But, as many businesses have come to realise, subject access requests are often used by employees, customers and service users who want to obtain pre-action disclosure in order to bring a claim.
The Data Protection Act 1998 (DPA) does not spell out what the reason behind the request must be.
What is more, judges have been inconsistent about whether a request whose purpose is not genuinely to find out about the processing of the requester's personal data is legitimate or is, in fact, an abuse of process. Nor has the Information Commissioner's Office indicated that a 'fishing expedition' is not a valid subject access request.
However, the High Court has recently ruled that in some cases a business can refuse to disclose the requested information if the dominant purpose of the request is litigation.
The facts of this case (Dr DB v GMC) are that a patient who was bringing a claim against a doctor (Dr DB) asked the GMC for a copy of a report into the doctor's competence. The report was critical but not damning. The GMC took the request to be a subject access request and, because the report contained the patient's personal data, provided it to him.
The report contained both the personal data of the patient and that of the doctor, so that neither party's personal data could be disclosed without identifying the other. This is known as 'mixed data'.
This situation often arises when an individual makes a subject access request of an organisation where the personal details of people in both their personal and professional capacities are intermingled with those of the data subject within emails, letters and notes of meetings.
The DPA (section 7(4)) states that where a data controller cannot comply with a request without disclosing information relating to another individual who can be identified from that information, the data controller is not obliged to comply unless the other individual has consented to the disclosure, or it is reasonable in all the circumstances to comply without that consent.
The GMC disclosed the report even though Dr DB did not consent to the disclosure. The doctor brought a claim against the GMC on the basis that compliance with the request was unlawful and had breached his right to privacy.
The court held that the GMC was wrong to disclose the report. The balance of interests – the right of the data subject to access the personal data held in the report versus the privacy rights of the doctor, who would be professionally harmed by its disclosure – should have started with a presumption against disclosure, in view of Dr DB's privacy rights and his express refusal of consent.
Importantly, the court found that the GMC's decision to disclose the report did not take into account the fact that the purpose of the subject access request was not to protect the patient's privacy rights as a data subject, but to obtain disclosure that would normally be sought under the Civil Procedure Rules.
The judge provided this handy guide to the balancing exercise in 'mixed data' cases:
- It is essential to keep in mind that the exercise involves a balance between the respective privacy rights of data subjects;
- In the absence of consent, the rebuttable presumption or starting point is against disclosure. Furthermore the express refusal of consent is a specific factor to be taken into account;
- If it appears that the sole or dominant purpose is to obtain a document for the purpose of a claim against the other data subject, that is a weighty factor in favour of refusal, on the basis that the more appropriate forum is the Court procedure under CPR 31.
This judgment should not be read as carte blanche for organisations to refuse a subject access request because they know that the requester is preparing for litigation.
It turns on the competing privacy/data rights of Dr DB and the patient. But the fact that litigation was underway and the request was very clearly for the purpose of obtaining early disclosure, which was cheaper and quicker than using the court procedure, weighed significantly in the balance.
The case is a strong signal that the courts are moving towards the principle that the legitimate purpose of a subject access request is for the individual to find out about his or her own personal data, not to assist in a claim.
This signal is amplified by the GDPR, which will come into effect in May 2018. Ministers have told us that the UK will sign up to the GDPR regardless of the Brexit negotiations, so the changes to the subject access regime will become law and are worth a quick mention.
Whereas the DPA is silent about the motivation behind a subject access request, the GDPR (in Recital 63) states that a data subject should have the right of access to personal data in order to be aware of, and verify, the lawfulness of the processing.
Our advice is to think carefully before disclosing third party data; once you have let it go, you cannot get it back. It may seem unhelpful, and even counter to the spirit of the DPA, to refuse to comply, but think carefully and seek advice before providing disclosure. Ironically, in complying with one person's data protection rights, you could end up breaching those of another.