UK: Data protection - Court of Appeal ruling on subject access requests, prosecution for taking client data to a competitor, and new guidance

The Court of Appeal has clarified that non-compliance with a subject access request (SAR) cannot be justified on the ground that the requester has a purpose other than verifying or correcting the data (usually to assist in litigation). Statements in prior case law used to argue that there is a 'no other purpose rule' have been misunderstood. When exercising its discretion to enforce a SAR, the court should not consider the motive for the SAR, save perhaps where the application would be an abuse of the court's process (which the mere holding of a collateral purpose would not normally be) or where the requester represents a party and his and their purposes might conflict. 

The Court also considered s8(2) Data Protection Act 1998 which provides that data controllers need not supply copies of data held if this would involve disproportionate effort. The Information Commissioner's Office has taken the view that this exception only applies where the supply of copies would involve disproportionate effort and not where locating the data would do so. Helpfully for data controllers, the Court disagreed and ruled that the disproportionate effort test can include difficulties which occur in the process of complying with the request, ie locating the data, as well as difficulties arising in the process of producing a copy. However, disproportionate effort must involve more than an assertion that it is too difficult to search through voluminous papers. Where and so far as possible, SARs should be enforced. 

Finally, the Court ruled that the exemption for legal professional privilege is limited to documents privileged under English law and does not extend to privilege in the context of non-UK proceedings. (Dawson-Damer v Taylor Wessing)

The Court of Appeal ruling comes hot on the heels of another helpful ruling for data controllers. In Holyoake v Candy the High Court ruled that a data controller's implied obligation to carry out a search on receipt of a SAR was limited to what was reasonable and proportionate, and a review of 17,000 documents with time charges over £37,000 satisfied this test. It was not necessary for the controller to search its directors' private email accounts in the absence of evidence that they had been used for company business, and there was no requirement to ask if they had used their private email for company business in the absence of a sufficient reason to do so.

The Information Commissioner's Office has highlighted a successful prosecution of a recruitment agent for emailing the personal data of approximately 100 clients and potential clients to her personal email address and using the data to contact them when she started a new role at a rival recruitment company. She was found guilty of a criminal offence under s55 of the Data Protection Act 1998 (of unlawfully obtaining or accessing personal data) and fined £200 plus costs and a victim surcharge. Although employment contracts will usually prohibit the removal of such confidential information, the prospect of a criminal record may be a more effective deterrent to departing employees tempted to take client, supplier or employee data with them. Employers may wish to emphasise this possibility in data protection policies and termination letters.

The EU Article 29 Data Protection Working Party has published guidance on three important aspects of the General Data Protection Regulation (GDPR): guidance and FAQs on the right to data portability; guidance and FAQs on the obligation to appoint a named data protection officer; and guidance and FAQs on the new 'one-stop shop' mechanism, pursuant to which companies can identify which 'lead' data protection authority will be their main point of contact for multi-jurisdiction regulatory matters.   The Information Commissioner's Office has also given an update setting out what guidance organisations can expect on the GDPR.