In the Big Data Society of the 21st Century, the difficulties in responding to subject access requests (SARs) have increased exponentially.
However, in the past 12 months the Courts have handed down a number of important judgements around SARs. These decisions provide welcome clarification as to the limits of SARs and the extent of data controllers’ obligations, in particular that a proportionate search is sufficient to locate a person’s information, but also that ulterior motives are irrelevant and application of the Legal Professional Privilege (LPP) exemption is limited.
The cases provide useful guidance for businesses facing SARs. The key practical points are summarised below.
Under the Data Protection Act 1998 (DPA), data controllers are obliged to provide individuals (data subjects), on request, with specified information about themselves, unless a relevant exemption applies. The right of access is considered a cornerstone of data protection law, enabling individuals to exercise a certain amount of control over the use of their personal data by organisations.
On receipt of a valid SAR, the data controller must locate that person’s information and respond with the requisite information within 40 days. The data controller may charge a maximum fee of £10.
Four key cases have recently clarified the law around SARs.
Holyoake v Candy EWHC 52 (QB) considered the extent of the obligation to search for the data, and the application of the legal professional privilege (LPP) exemption.
Dawson-Damer v Taylor Wessing LLP EWCA Civ 74 also considered the extent of the LPP exemption; whether the data controller could refuse to comply with a SAR where the information was required for a collateral purpose, namely proceedings in a separate jurisdiction; and whether searches requiring disproportionate effort would justify not ordering further enforcement.
In the conjoined cases of Ittihadieh v Cheyne and Deer v Oxford University EWCA Civ 121, the Court of Appeal considered collateral purposes and whether the individual was entitled to access information held in private email accounts.
Overall, these decisions provide important clarification for data controllers. The clarification that data controllers are obliged to carry out proportionate searches, and that these are (usually) limited to corporate accounts, is very welcome, and reduces the possibility of overly onerous SARs.
However, by confirming that ulterior motives are irrelevant, the Courts have potentially allowed for more SARs, regardless of their broader context and relevance. Employers that routinely resist SARs on the basis that they are a ‘fishing expedition’ for tribunal claims will need to rethink their approach.
It will be interesting to see how these clarifications are implemented in future cases, and whether the interpretation of the UK Courts will remain good law once the General Data Protection Regulation (GDPR) is introduced in May 2018. Under the GDPR the SAR regime will be subject to further changes, including the abolition of the £10 fee for compliance and the reduction in the period for responding from 40 days to one month.