DPA, SARs and the GDPR: Why you should be paying attention to these acronyms

The proverbial spotlight is further intensified by a number of recent high-profile subject access judgments from the Court of Appeal (England and Wales). Given that the DPA is based upon the UK’s Data Protection Act 1998 (“DPA 1998”) and gives effect in the Island to Directive 95/46/EC of the European Parliament and of the Council of 24th October 1995 (the “Directive”) on the protection of individuals with regard to the processing of personal data and on the free movement of such data, the Isle of Man should be slow to ignore these judgments.

Subject Access Requests (“SAR”)

In the briefest of terms, section 5 of the DPA supplies persons or “data subjects” with the right of access to “personal data”.  In layman’s terms, section 5 provides – subject to key exemptions – an individual with the right to ask for, and be provided with, any information that an organisation (“data controller”) processes about him or her where he/she can be identified from the information on its own or when combined with other information.

Presently, provided the request satisfies certain requirements, the DPA dictates that a SAR must be complied with within 40 days.  This timescale will shorten to one month under the GDPR (and the volume of information will increase, but that’s an article for another day!).

Looking to ‘Across’ for Guidance

Section 5 of the DPA mirrors section 7 of the DPA 1998, which has been the subject of much judicial scrutiny in recent months.  Each of the cases below arose in consequence of applications made under section 7(9) of the DPA 1998, which provides that, if a court is satisfied, on the application of any person who has made a SAR, that the data controller has failed to comply with the request in breach of the legislation, the court may order compliance.

1. Dawson-Damer and others v Taylor Wessing LLP [2017] EWCA Civ 74

This judgment provided welcome clarification on the scope and application of various aspects of an individual’s right to make a SAR, including:

i. Legal Professional Privilege Exemption
The DPA provides for an exemption from the requirement to provide personal data in response to a SAR where a claim of legal professional privilege (“LPP”) could be maintained in respect of that data.

In Dawson-Damer the Court considered that a narrow interpretation of the LPP exemption must be taken, insofar as the DPA only relates to LPP as it applies within the jurisdiction of the DPA.  Further, the LPP exemption does not extend to or include a trustee's right of non-disclosure, i.e. notwithstanding that the Privy Council in Schmidt v Rosewood Trust Ltd [2003] described the jurisdiction to withhold disclosure as an "aspect of the court's inherent jurisdiction to supervise (and where appropriate intervene in) the administration of trusts", the Court in Dawson-Damer could find no relevant purpose or aim of the Directive that would bring a trustee’s right of non-disclosure within the LPP exemption of the DPA 1998.

ii. The Concept of Disproportionate Effort
The DPA limits the data controller’s obligation to supply copies of information constituting personal data in permanent form if “the supply of such a copy is not possible or would involve disproportionate effort.”  In Dawson-Damer the Court considered that the concept of disproportionate effort should not be limited to the mere supply of the information, noting that it could properly “include difficulties in the process of complying with the request which might result in the supply of the document involving disproportionate effort”.

The practical effect of this interpretation will be determined on the facts of each case, weighing the effort involved in finding and supplying the information against the benefit it could bring to the data subject.

iii. Relevance of Motive in a SAR
The mere fact that a person has a collateral purpose does not invalidate a SAR or relieve the data controller from his obligations.

While some commentators may have been quick to predict an opening of the floodgates as regards SARs consequent to this judgment, the landscape remains far from clear in light of the joined appeals of:

2. Ittihadieh v 5-11 Cheyne Gardens & Ors and Deer v Oxford University [2017] EWCA Civ 121

These cases concerned the interpretation of section 7(9) of the DPA 1998 [s5(9) DPA] which provides that if a court is satisfied, on the application of any person who has made a SAR, that the data controller has failed to comply with the request in breach of the provisions of the legislation, the court may order compliance.

These two appeals were heard together by the Court of Appeal (England and Wales) as both raised issues relating to subject access under the DPA 1998. The specific facts of each case are irrelevant save that each case involved a wide-ranging SAR and arguments of proportionality as regards compliance.  The Court of Appeal refused to exercise the discretion under section 7(9) DPA 1998 to order either data controller to take further steps in subject access compliance.  In brief, it was held:

(1) Personal data – The definition of "personal data" consisted of two limbs: (a) whether the data in question "related to" a living individual and (b) whether the individual was identifiable from that data.  Information was not disqualified from being "personal data" merely because it had been supplied to the data controller by the data subject [and thus they knew about it].
(2) Data controller – A data controller made decisions about how and why personal data was processed. The data controller was responsible for persons who processed data on his behalf. A person who processed data as agent for a data controller was not himself a data controller. Even where decisions about data were taken by natural persons, they would not themselves be data controllers if those decisions were made as agents of a company of which they were directors.
(3) SAR – There was no prescribed form for making a SAR. The only pre-condition was that the data controller must have "received … a request in writing."
(4) Proportionality – The EU legislature did not intend to impose excessive burdens on data controllers and the principle of proportionality must be considered. While the principle of proportionality could not justify a blanket refusal to comply with a SAR, it did limit the scope of the efforts that a data controller had to take. The implied obligation to search was limited to a reasonable and proportionate search, but the fact that a further and more extensive search revealed further personal data did not mean that the first search was inadequate.
(5) Discretion – In exercising its discretion, the court had to have regard to the general principle of proportionality. In striking the balance between the prima facie right of the data subject to have access to his personal data on the one hand, and the interests of the data controller on the other, the court could take into account, amongst other things, (a) whether there was a more appropriate route to obtaining the requested information; (b) the reason for making the SAR; (c) whether the application was an abuse of rights or procedurally abusive; (d) whether the request was really for documents rather than personal data; and (e) the potential benefit to the data subject.

DQ’s Prediction

These judgments indicate to us a trend that leads DQ to predict that phrases and acronyms such as GDPR and ‘data protection’ will be among the buzzwords for 2018**.  As the enhanced rights of the data subject under the GDPR become more widely known and understood, issues surrounding data protection, to include SARs, will become more commonplace as the DPA takes its place amongst the mainstream torts.

** not forgetting of course, Equality.

If your business requires assistance preparing for the implementation of GDPR, or as regards SARs by clients or employees, please contact Leanne McKeown or any member of DQ’s specialist GDPR team.