UK: DSAR ruling confirms that descriptions of the purposes of processing and recipients of personal data can be general, but actual identity of sources must be provided

The recent High Court judgment in Rudd v Bridle & J&S Bridle Ltd provides some useful guidance on subject access requests under the Data Protection Act 1998 (equally relevant to the new GDPR regime).

Dr Rudd, a medical expert on exposure to asbestos, was the subject of a campaign by a lobbyist for the asbestos industry, Mr Bridle, who attempted (unsuccessfully) to get Dr Rudd struck off by the GMC and alleged that Dr Rudd conspired with others to commit a fraud to deceive the courts in supporting spurious legal claims.  Dr Rudd made a subject access request in order to learn more about Mr Bridle's activities and claimed that Mr Bridle's responses were inadequate.  (Dr Rudd has also sought an order preventing further processing and compensation, but without properly pleading his case as to how processing was unwarranted and had caused distress, meaning that those aspects of the claim were stayed.)

Warby J's judgment highlights a number of points:

• The judge emphasised that subject access rights are to data ie information, not to the disclosure of documents.  "A claim for documentary disclosure … is likely, almost always, to be misconceived".

Exemptions

• A data controller is only required to act reasonably and proportionately in terms of the scope of its search for personal data, but this does not mean that the same latitude is appropriate when determining whether one of the exemptions from the subject access provisions applies.  The fact that the data controller's solicitor has reviewed material and identified that it is covered by an exemption will not be conclusive.  It is likely that a court may exercise its discretion not to make a disclosure order where the data controller has acted with reasonable diligence in determining whether an exemption applies and there is no reason of substance to doubt the validity of the conclusions arrived at.  However, this was not the case here.  The solicitor who concluded that the exemptions applied was relying on Mr Bridle, who had been held to be an unreliable witness, and there was no evidence pleaded to establish the necessary constituents of the journalism or regulatory exemptions claimed.
• In relation to the regulatory exemption, the judge gave his view that this may only apply to processing by the regulatory body itself and not to processing by an individual reporting to a regulator, although it was not necessary for him to decide this.  Further, given that the regulatory exemption only applies to the extent to which the provision of subject access would be likely to prejudice the proper discharge of the regulatory functions, the judge considered that it would have been hard to argue this at a time several years after the regulator had rejected the complaint and its involvement had ceased.
• In relation to the claim to legal professional privilege, the judge noted that evidence from a solicitor that they have reviewed the material and concluded the exemption applies should carry more weight than in relation to the journalism and regulatory activity exemptions. There was sufficient evidence to justify the legal advice privilege claims, but the judge was not prepared to accept the claim to litigation privilege given that no litigation or prospective litigation had been identified.  A claim that Mr Bridle expected to act as an expert witness in relevant legal cases was insufficient given the lack of supporting evidence and the unreliable nature of the witness.

Identity of individuals

• Dr Rudd argued that there was an obligation to disclose the identity of the recipients of emails from Mr Bridle containing the personal data.  The judge noted that both the statutory wording and the ICO's Subject Access Code make clear that the right in relation to an individual recipient is to a description of the recipient (eg "a medical practitioner"), not to their name;  where the disclosure is made to a class of recipient, the right is to a description of the class (eg "the readership of the Daily Globe").
• The identities of third parties alleged to have conspired with or assisted or collaborated with Dr Rudd in the alleged fraud, or whom he is alleged to have helped to attack others, was information amounting to Dr Rudd's own personal data, as the information focussed on him and was biographically significant.  The same was true in relation to the identities of the 'victims' of his alleged fraud and those to whom allegations that Dr Rudd was guilty of fraud have been made.  (In contrast, information as to who had been sent Dr Rudd's personal data was not itself his personal data.)  The data controller's decision as to whether it is reasonable to disclose the identities of those individuals without consent is a decision that must be made on a case-by-case basis and not by applying a blanket policy, as stated in the ICO's Code of Practice.
• The requirement to provide "any information available to the data controller as to the source of the data" means providing the actual identity of the source, not just a description or class of source. The judge noted that Mr Bridle must know who the lawyers are that provided him with copies of Dr Rudd's expert witness reports and that there was clearly much source information available to Mr Bridle "including but not necessarily limited to the names of the solicitors' firms involved" that should have been disclosed.  The judgment is unclear whether disclosing the name of the company or firm which is the source of data would suffice or whether there is also a requirement to disclose the name of the individual at that legal entity who has provided the data on its behalf (subject to consent and/or reasonableness of disclosure without consent).

Contextual data

• Dr Rudd argued that the disclosure only of extracts from paragraphs, largely just incomplete sentences, rendered the disclosures unintelligible and that the whole of the relevant paragraphs should have been included "given the gravity of the allegations made about him".  The judge rejected this argument, noting that information can be presented in "in an intelligible form" as required without the need to provide its full context or even the whole of the sentence in which it appears.

Purpose

• In light of the principle of proportionality, the requirement to describe the purpose of the processing need not be done on a document-by-document basis, but can be met by setting out the essence of what the controller is doing with the data.

The judge also ruled that Mr Bridle was the data controller, and not the company controlled by Mr Bridle and his son, given that the processing was part of Mr Bridle's lobbying activities conducted by him individually and not as part of his company's commercial operation.

The rulings that the description of the purposes of processing and the recipients of personal data can both be general, and the fact that contextual data is not required, will be welcome to those facing subject access requests.  The endorsement of the ICO's Code of Practice is also helpful.  Less helpful is the ruling that a controller must disclose the actual sources of data and not just a description or class of source, if the controller has that information available.  Controllers will also need to bear in mind that an applicant's personal data could include the identities of some other individuals, for example the co-conspirators in this case, and that if they intend to rely on an exemption, sufficient evidence will need to be pleaded (for example that disclosure would likely prejudice an ongoing regulatory investigation).