UK: Court of Appeal rules on subject access requests

HR practitioners know only too well what an effective weapon a subject access request (SAR) can be in the hands of an aggrieved employee or ex-employee.  Even if no 'smoking gun' is unearthed for the purposes of litigation, at the very least it will consume substantial amounts of the employer's time and money.  The burden for employers has been exacerbated by uncertainty over the precise scope of their obligations. 

The greater clarity provided by the Court of Appeal in the recent judgments of Deer v University of Oxford, heard together with Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd, and Dawson-Damer v Taylor Wessing LLP will therefore be welcome.  There is also some (limited) good news for employers as to the lengths to which they must go in searching for data although, on the downside, the rulings also lay to rest the possibility of refusing to comply with a SAR simply because its purpose is to aid litigation.

The cases provide useful guidance for employers facing SARs, and the facts and decisions are discussed in more detail in our briefing here.  The key practical points for employers responding to a SAR are summarised below:

Whether to comply

• An employer should respond to receipt of a written SAR, provided it is clearly calling on the employer to comply with its statutory duty as data controller.  This includes where the request is communicated by e-mail or even via social media sites such as Facebook or Twitter.  The Court made clear that a SAR is valid even if the data subject does not proffer a fee or ask if a fee is required.  A fee is only payable if the employer chooses to ask for it.
• Employers who routinely resist SARs on the basis that they are a fishing expedition to gather evidence for litigation will need to revisit their approach.  The cases make it clear that a SAR remains valid notwithstanding that the data subject's motive is to obtain documents or information to assist with ongoing or contemplated litigation. 
• However, a court can still exercise its discretion not to order compliance on the grounds that the request is an abuse of process.  The Court of Appeal in Dawson-Damer ruled that the mere holding of a collateral purpose (such as to obtain evidence for litigation) would not amount to an abuse, but an intent purely to antagonise might be.  The motive can also be taken into account when making a costs order.
• Particularly where litigation is threatened or already afoot, some employers wishing to withhold potentially damaging documents may consider gambling on the court being willing to exercise its discretion to refuse to order disclosure, should a claim for breach of the Data Protection Act 1998 (DPA) be brought.  The recent judgments set out a number of factors that could justify such a refusal, including where there is a more appropriate route to obtain the information such as disclosure in legal proceedings.
• However, employers should bear in mind that there will be a tougher penalty regime for non-compliance under the General Data Protection Regulation, in force from May 2018. It will become even more important to get the response to SARs right.

How to comply

• The judgments confirm that, contrary to the view taken by the Information Commissioner's Office (ICO) Guidance, a SAR requires employers to carry out only a reasonable and proportionate search for personal data.  However, a proportionate search may still be pretty extensive, particularly for a large employer, so this will not provide an easy get out.  Where an employer receives a broad and generalised request for all personal data which would include a very large number of material, the employer should not simply refuse to comply without first seeking to clarify the specific data sought by the data subject, for example by asking them to confirm a date range and names or subject headings to search.
• Employers should use the wide interpretation of 'personal data' set out in the Information Commissioner's Office Guidance.  Those seeking to restrict the cost of compliance may choose to include more information/documentation than before (provided it does not include third-party information), both to avoid spending time agonising over relatively trivial documents and to minimise the risks of later being held to be in breach of the obligation.
• The only obligation is to provide information about the personal data in documents and not to provide copies of the documents themselves (albeit that this is often how requests are phrased).  However, it is unlikely to be worthwhile for employers to spend time extracting information, save where the information in a document is sensitive or contentious only a small part is personal data.
• The fact that the data subject already has copies of the documents containing his/her personal data, or has authored them or supplied them to the employer, does not put them outside the scope of the SAR.  Employers should still disclose the personal data/ documents, although if they fail to do so, the court may take this into account in deciding not to exercise its discretion to order compliance.
• Most data subjects alleging a failure to comply with a SAR will complain to the ICO rather than take legal action.  Given that the ICO intervened in Deer, hopefully the ICO's approach will (and its Guidance will be updated to) reflect the latest Court rulings, in particular the ruling that a search need only be proportionate.  Employers will continue to face some uncertainty until the ICO's response becomes clear.