Skip to main content
MENU CLOSE

Subject Access Requests

Subject access requests are used as instruments of torture by opportunistic lawyers who often have ulterior motives for such requests, even if just to irritate their opponents. However tempting as it is to be dismissive of requests where an improper motive is suspected, recent cases have indicated this may not be the correct approach. In Holyoake v Candy [2017] EWHC 52 (QB), Warby J held that a claimant was entitled to an order for costs incurred as a result of a defendant’s failure to respond to a subject access request made under the Data Protection Act 1998, even though the claimant’s attempt to enforce his subject access rights had been dismissed. The defendant had believed the claimant had a collateral purpose for making the request, but even if he had, that could not have deprived him of his subject access rights.

The case followed soon after Dawson–Damer v Taylor Wessing LLP [2015] EWHL 2366 (ch) where a request was made by parties involved in litigation in the Bahamas of solicitors in London. The solicitors were dismissive of the application principally because they relied on the legal professional privilege exception.

The request was for “all data of which they are the data subject (including data in which they are identified expressly or by inference) and which is in your firm’s possession custody or power.”

The response was “personal data records held by us are processed only in connection with our capacity as legal advisors. This data is exempt from the subject access provisions of the Act by virtue of Schedule 7 section 10 of the Act by reason that it consists of data in respect of which a claim to legal professional privilege applies.”

This was later supplemented by the following, “certain information held by our client is held in manual files with the majority loose leaf in boxes and so not in a relevant filing system for the purposes of [the 1998 Act] for the reason that the files contain multiple categories of information that are not structured by reference to individuals or criteria relating to individuals. Not all documents have been filed in chronological order and those that have are without any further structure that would enable specific information about a particular individual to be located without having to review the contents of the entire file.”

The core of a data subject’s entitlement to access his personal data is to be found in ss 7(1) and 8(2), which, so far as material provide:

“7(1) …an individual is entitled –

a.  to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller,

b.  if that is the case, to be given by the data controller a description of –

i.  the personal data of which that individual is the data subject,

ii.  the purposes for which they are being or are to be processed, and

iii.  the recipients or classes of recipients to whom they are or may be disclosed,

c.  to have communicated to him in an intelligible form –

i.  the information constituting any personal data of which that individual is the data subject, and

ii.  any information available to the data controller as to the source of those data, and

d.  where the processing by automatic means of personal data of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting him, to be informed by the data controller of the logic involved in that decision-taking.”.

“8 (2) The obligation imposed by section 7(1)(c)(i) must be complied with by supplying the data subject with a copy of the information in permanent form unless-

a.  the supply of such a copy is not possible or would involve disproportionate effort, or

b.  the data subject agrees otherwise.”

The data controller is only required under s 8(2) to supply the individual with such personal data as is found after a reasonable and proportionate search.

The purpose of section 7, in entitling an individual to have access to information in the form of his “personal data”, is to enable him to check whether the data controller’s processing of it unlawfully infringes his privacy and, if so, to take such steps as the Act provides to protect it. It is not an automatic key to any information, readily accessible or not, of matters in which he may be named or involved.

It is not the purpose of s 7 to enable the individual to obtain discovery of documents that may assist him in litigation or complaints against third parties. If there are mixed motives for the application, it will not be abuse of process unless it can be shown that, but for the collateral purpose the application would not have been brought at all.

If the application is an abuse this will be an important factor in the exercise of any discretion under s 7(9). It does not, however, follow that if the application is not an abuse the discretion will necessarily be exercised in favour of the individual.

S 7(9) of the 1998 Act provides:

“a.  If a court is satisfied on the application of any person who has made a request under the foregoing provisions of this section that the data controller in question has failed to comply with the request in contravention of those provisions, the court may order him to comply with the request.”

This section creates a discretion which can only be exercised if the data controller in question has failed to comply with a subject access request in contravention of the 1998 Act.

Paragraph 10 of Schedule 7 provides:

“a.  Personal data are exempt from the subject information provisions if the data consist of information in respect of which a claim to legal professional privilege or, in Scotland, to confidentiality as between client and professional legal adviser, could be maintained in legal proceedings.”

In this case there was virtually no evidence of the search carried out by the solicitors. The lessons to be learned from these cases is that a flat refusal to carry out a reasonable and proportionate search and a blanket reliance on legal professional privilege may not be sufficient to comply with the requirements of the legislation.

Bivonas Law LLP John Bechelet
John Bechelet

John specialises in commercial and civil fraud litigation. Admitted as a solicitor in 1983, John worked in private practice and in-house for a leading life assurance company before establishing Bivonas with Antony Brown in 1997. John has extensive experience in a wide range of courts and tribunals including the UK Supreme Court, the Court of Appeal and the Divisional Court. He has been involved in a number of important reported cases.

Subject access requests are used as instruments of torture by opportunistic lawyers who often have ulterior motives for such requests, even if just to irritate their opponents. However tempting as it is to be dismissive of requests where an improper motive is suspected, recent cases have indicated this may not be the correct approach. In Holyoake v Candy [2017] EWHC 52 (QB), Warby J held that a claimant was entitled to an order for costs incurred as a result of a defendant’s failure to respond to a subject access request made under the Data Protection Act 1998, even though the claimant’s attempt to enforce his subject access rights had been dismissed. The defendant had believed the claimant had a collateral purpose for making the request, but even if he had, that could not have deprived him of his subject access rights.

The case followed soon after Dawson–Damer v Taylor Wessing LLP [2015] EWHL 2366 (ch) where a request was made by parties involved in litigation in the Bahamas of solicitors in London. The solicitors were dismissive of the application principally because they relied on the legal professional privilege exception.

The request was for “all data of which they are the data subject (including data in which they are identified expressly or by inference) and which is in your firm’s possession custody or power.”

The response was “personal data records held by us are processed only in connection with our capacity as legal advisors. This data is exempt from the subject access provisions of the Act by virtue of Schedule 7 section 10 of the Act by reason that it consists of data in respect of which a claim to legal professional privilege applies.”

This was later supplemented by the following, “certain information held by our client is held in manual files with the majority loose leaf in boxes and so not in a relevant filing system for the purposes of [the 1998 Act] for the reason that the files contain multiple categories of information that are not structured by reference to individuals or criteria relating to individuals. Not all documents have been filed in chronological order and those that have are without any further structure that would enable specific information about a particular individual to be located without having to review the contents of the entire file.”

The core of a data subject’s entitlement to access his personal data is to be found in ss 7(1) and 8(2), which, so far as material provide:

“7(1) …an individual is entitled –

a.  to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller,

b.  if that is the case, to be given by the data controller a description of –

i.  the personal data of which that individual is the data subject,

ii.  the purposes for which they are being or are to be processed, and

iii.  the recipients or classes of recipients to whom they are or may be disclosed,

c.  to have communicated to him in an intelligible form –

i.  the information constituting any personal data of which that individual is the data subject, and

ii.  any information available to the data controller as to the source of those data, and

d.  where the processing by automatic means of personal data of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting him, to be informed by the data controller of the logic involved in that decision-taking.”.

“8 (2) The obligation imposed by section 7(1)(c)(i) must be complied with by supplying the data subject with a copy of the information in permanent form unless-

a.  the supply of such a copy is not possible or would involve disproportionate effort, or

b.  the data subject agrees otherwise.”

The data controller is only required under s 8(2) to supply the individual with such personal data as is found after a reasonable and proportionate search.

The purpose of section 7, in entitling an individual to have access to information in the form of his “personal data”, is to enable him to check whether the data controller’s processing of it unlawfully infringes his privacy and, if so, to take such steps as the Act provides to protect it. It is not an automatic key to any information, readily accessible or not, of matters in which he may be named or involved.

It is not the purpose of s 7 to enable the individual to obtain discovery of documents that may assist him in litigation or complaints against third parties. If there are mixed motives for the application, it will not be abuse of process unless it can be shown that, but for the collateral purpose the application would not have been brought at all.

If the application is an abuse this will be an important factor in the exercise of any discretion under s 7(9). It does not, however, follow that if the application is not an abuse the discretion will necessarily be exercised in favour of the individual.

S 7(9) of the 1998 Act provides:

“a.  If a court is satisfied on the application of any person who has made a request under the foregoing provisions of this section that the data controller in question has failed to comply with the request in contravention of those provisions, the court may order him to comply with the request.”

This section creates a discretion which can only be exercised if the data controller in question has failed to comply with a subject access request in contravention of the 1998 Act.

Paragraph 10 of Schedule 7 provides:

“a.  Personal data are exempt from the subject information provisions if the data consist of information in respect of which a claim to legal professional privilege or, in Scotland, to confidentiality as between client and professional legal adviser, could be maintained in legal proceedings.”

In this case there was virtually no evidence of the search carried out by the solicitors. The lessons to be learned from these cases is that a flat refusal to carry out a reasonable and proportionate search and a blanket reliance on legal professional privilege may not be sufficient to comply with the requirements of the legislation.

Bivonas Law LLP John Bechelet
John Bechelet

John specialises in commercial and civil fraud litigation. Admitted as a solicitor in 1983, John worked in private practice and in-house for a leading life assurance company before establishing Bivonas with Antony Brown in 1997. John has extensive experience in a wide range of courts and tribunals including the UK Supreme Court, the Court of Appeal and the Divisional Court. He has been involved in a number of important reported cases.

John Bechelet

About the author

John Bechelet

John specialises in commercial and civil fraud litigation. Admitted as a solicitor in 1983, John worked in private practice and in-house for a leading life assurance company before establishing Bivonas with Antony Brown in 1997. John has extensive experience in a wide range of courts and tribunals including the UK Supreme Court, the Court of Appeal and the Divisional Court. He has been involved in a number of important reported cases.