The Data Protection Act 1998 came into force on 1st March 2000. 15 years on is there still a legitimate interest in an employee having access to their personal data or has the system opened itself up to abuse?
Section 7 of the Data Protection Act 1998 (DPA) gives individuals the right to find out what personal data their employers hold about them, why they hold it and who they disclose it to. Individuals may exercise this right at any time by making a written ‘Data Subject Access Request’ (DSAR).
Even though there are obvious benefits to employees having access to their data, it is argued by many commentators that since its introduction, the DPA has in fact produced an “artificial, disruptive, expensive and unnecessary discovery process of its own”, which as a result is causing major disruption to employers who find themselves at the receiving end of a request.
In recent years it has become increasingly apparent that DSARs are being used disingenuously by aggrieved ex-employees to cause maximum disruption to their employers. As a result, employers are forced to recover, process and analyse potentially thousands of emails within the 40 day time limit which can be extremely onerous, costly and vastly disproportionate considering it all has to be done for the small fee of £10. On top of this, if employers get it wrong, fines from the Information Commissioner’s Office (ICO) can be up to £500,000.
The ICO’s Guidance indicates that DSARs must be answered even where onerous and an employer may only refuse to comply with a DSAR if a relevant exemption under the DPA applies in the particular circumstances. The ICO stresses that even where it is believed to be disproportionate, the recipient of the DSAR must still try to comply with the request, for example, by offering access to the relevant documents at its offices.
The courts on the other hand are taking an increasingly more pragmatic approach. In the recent case of Dawson-Damer v Taylor Wessing and others [2015] EWHC 2366, the court addressed the concept of disproportionate effort under the DPA and the court’s discretion to order compliance with a DSAR in the circumstances where it was claimed that the majority of the personal data held was subject to legal professional privilege and therefore exempt.
The court applied the disproportionate effort test which is set out in Section 8(2) of the DPA and held that it would be a very time-consuming and costly exercise for necessarily skilled lawyers to undertake the task for a fee of £10. The court concluded that it would be neither reasonable nor proportionate to expect Taylor Wessing to carry out the work required and therefor dismissed the Dawson-Damers’ application.
The court held that it would not exercise its discretion because the Dawson-Damers had only issued proceedings in the High Court in order to obtain information to be used in connection with other proceedings. The court referred to Durant v Financial Services Authority [2003] EWCA Civ 1746, where the Court of Appeal set out that DSARs are not an “automatic key to information” and should not be used to “obtain discovery of documents that may assist in litigation”.
As a result of this decision, there is now a real potential to reduce the burden on employers when responding to a DSAR. Namely, where there are ongoing or threatened legal proceedings employers may be able to argue an abuse of process and/or if the search for the information will be onerous, recipients may be able to argue that responding will involve disproportionate effort and as a result not respond. Employers must however remember that individuals can also refer a failure to comply with a DSAR to the ICO, which is likely to be much more receptive than the courts to these claims. It should also be noted that the Court has given the Dawson-Damers’ permission to appeal the decision, so it will be interesting to see the outcome bearing in mind the stark contrast of views between the Court and the ICO.
As it stands, although there is likely to be a number of cases where there is a legitimate interest in an employee having access to their personal data, it is clear that the system has opened itself up to abuse by individuals seeking to take advantage of an alternative discovery process or simply to cause trouble. It is now up to the courts to decide whether to approach the subject in a similar manner to Dawson-Damer v Taylor Wessing, whilst also determining the weight that should be given to the guidance by the ICO.
The Data Protection Act 1998 came into force on 1st March 2000. 15 years on is there still a legitimate interest in an employee having access to their personal data or has the system opened itself up to abuse?
Section 7 of the Data Protection Act 1998 (DPA) gives individuals the right to find out what personal data their employers hold about them, why they hold it and who they disclose it to. Individuals may exercise this right at any time by making a written ‘Data Subject Access Request’ (DSAR).
Even though there are obvious benefits to employees having access to their data, it is argued by many commentators that since its introduction, the DPA has in fact produced an “artificial, disruptive, expensive and unnecessary discovery process of its own”, which as a result is causing major disruption to employers who find themselves at the receiving end of a request.
In recent years it has become increasingly apparent that DSARs are being used disingenuously by aggrieved ex-employees to cause maximum disruption to their employers. As a result, employers are forced to recover, process and analyse potentially thousands of emails within the 40 day time limit which can be extremely onerous, costly and vastly disproportionate considering it all has to be done for the small fee of £10. On top of this, if employers get it wrong, fines from the Information Commissioner’s Office (ICO) can be up to £500,000.
The ICO’s Guidance indicates that DSARs must be answered even where onerous and an employer may only refuse to comply with a DSAR if a relevant exemption under the DPA applies in the particular circumstances. The ICO stresses that even where it is believed to be disproportionate, the recipient of the DSAR must still try to comply with the request, for example, by offering access to the relevant documents at its offices.
The courts on the other hand are taking an increasingly more pragmatic approach. In the recent case of Dawson-Damer v Taylor Wessing and others [2015] EWHC 2366, the court addressed the concept of disproportionate effort under the DPA and the court’s discretion to order compliance with a DSAR in the circumstances where it was claimed that the majority of the personal data held was subject to legal professional privilege and therefore exempt.
The court applied the disproportionate effort test which is set out in Section 8(2) of the DPA and held that it would be a very time-consuming and costly exercise for necessarily skilled lawyers to undertake the task for a fee of £10. The court concluded that it would be neither reasonable nor proportionate to expect Taylor Wessing to carry out the work required and therefor dismissed the Dawson-Damers’ application.
The court held that it would not exercise its discretion because the Dawson-Damers had only issued proceedings in the High Court in order to obtain information to be used in connection with other proceedings. The court referred to Durant v Financial Services Authority [2003] EWCA Civ 1746, where the Court of Appeal set out that DSARs are not an “automatic key to information” and should not be used to “obtain discovery of documents that may assist in litigation”.
As a result of this decision, there is now a real potential to reduce the burden on employers when responding to a DSAR. Namely, where there are ongoing or threatened legal proceedings employers may be able to argue an abuse of process and/or if the search for the information will be onerous, recipients may be able to argue that responding will involve disproportionate effort and as a result not respond. Employers must however remember that individuals can also refer a failure to comply with a DSAR to the ICO, which is likely to be much more receptive than the courts to these claims. It should also be noted that the Court has given the Dawson-Damers’ permission to appeal the decision, so it will be interesting to see the outcome bearing in mind the stark contrast of views between the Court and the ICO.
As it stands, although there is likely to be a number of cases where there is a legitimate interest in an employee having access to their personal data, it is clear that the system has opened itself up to abuse by individuals seeking to take advantage of an alternative discovery process or simply to cause trouble. It is now up to the courts to decide whether to approach the subject in a similar manner to Dawson-Damer v Taylor Wessing, whilst also determining the weight that should be given to the guidance by the ICO.
