Planning guidelines and targets for renewable energy in Australian markets
Victoria and South Australia are tightening their guidelines and planning policies for renewable energy facilities.
Section 7 of the Data Protection Act 1998 (DPA)provides individuals (or ‘data subjects’) with a right of access to their personal data by making data subject access requests (DSAR) of ‘data controllers’ – namely persons (including organisations) who either alone or with others determine how and for what purpose the personal data of others is processed.
We consider the scope of DSAR obligations on data controllers and the exemptions which may be applied. We also consider the impact of the decision in Ashley Judith Dawson- Damer and others v Taylor Wessing LLP and others  which provides some insight into the treatment of DSARs in the context of ongoing litigation and consider responses to DSARs during settlement negotiations. We also provide some practical tips when preparing a DSAR response.
Personal data is defined under the DPA as data which relate to a living individual who can be identified –
(a) from the data, or
(b) from those data and other information which is in the possession of, or likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
In the leading authority of Durant v Financial Services Authority  EWCA Civ 1746 the Court of Appeal noted that section 7 of the DPA did not automatically cover all information or matters in which the data subject may be named or involved. To be deemed ‘personal data’ the information must either be ‘biographical in a significant sense’ (going beyond the data subject’s involvement in a matter or an event which has no personal connotations), or the information should have the data subject as its ‘focus’, rather than some other person with whom the data subject may have been involved or some transaction or event in which he may have figured or have had an interest. Above all, personal data is information which affects that individual’s privacy, ‘whether in his personal or family life, business or professional capacity’.
In practice, it is not always straight- forward to identify which information will constitute personal data.
In exchange for the data subject paying a £10 fee, the data controller must undertake a proportionate search for the data subject’s personal data, responding to the DSAR within 40 calendar days. Receipt of a DSAR should be acknowledged promptly, and the scope of the DSAR should be examined and additional information sought from the data subject if necessary (the 40 day response period commences once the data controller has received any additional information needed to produce its response).
The data subject should be contacted in anticipation of any delays in dealing with the request. A delay in responding to a DSAR may result in the data subject bringing the matter to the attention of the Information Commissioner (ICO) who may then require the data controller to ‘comply or explain.’ To date, the ICO has investigated and fined data controllers for breaches of data protection (for example in disclosing the personal data of third parties within DSAR responses). However, although the ICO has brought enforcement actions, it is yet to fine a data controller for failure to fully comply with a DSAR request.
Data controllers should also consider whether the data subject’s personal data is being held by any data processors engaged to act on the data controllers’ behalf, including external entities to which a business function has been outsourced, such as a payroll or HR. Data controllers will also have an obligation to provide personal data held by such data processors.
There are a number of exemptions to disclosure under the DPA. Some of the most common include:
Personal data in hard-copy documents will not be disclosable where these are not part of a ‘relevant filing system’ – i.e. a manual filing system which must:
The obligation on the data controller is to provide to the data subject the information constituting their personal data, as opposed to a complete copy of every document that includes their personal data. In practice, provided that it is carefully set out in an intelligible form, personal data can be extracted and placed into a table noting the corresponding document source and date.
While the original purpose of a DSAR is for data subjects to check the accuracy of their personal data held by a data controller, in practice DSARs are increasingly being used by litigants as a quick, inexpensive means of seeking interparty or third-party disclosure alongside or in advance of contentious proceedings.
The recent judgment in Ashley Judith Dawson-Damer and others v Taylor Wessing LLP and others provides some insight into the judicial treatment of DSARs in the context of ongoing litigation.
In that case the beneficiary of a trust sought to challenge the appointment of settlement funds and submitted DSAR requests to Taylor Wessing for copies of all her personal data held by the firm, including any personal data of her children. Taylor Wessing, the lawyers of the trust company, asserted legal professional privilege, declining to respond on the basis that it was not reasonable nor proportionate for them to carry out a search of their client’s files (dating back over 30 years), to determine whether or not particular documents were privileged.
In agreeing that Taylor Wessing could rely on the privilege exemption, the High Court judge referred to the purpose of the DPA which, pursuant to the EU Directive 25/46/EC, is to enable data subjects to obtain copies of their personal data so as to check whether the data controller’s processing unlawfully infringes their privacy and, if so, to protect their data by correcting any inaccuracies. The judge also noted that under the DPA the data controller is not required to provide copies of data which ‘would involve disproportionate effort;’ noting that the claimants had only paid £10 each to request the information.
The Taylor Wessing decision evidences the reluctance of English courts to enforce DSARs made for the purpose of obtaining information or documents to assist in litigation or complaints against third parties, especially where this will involve disproportionate and unreasonable effort and cost. This is in contrast to the ICO’s Code of Practice which states that ‘the purpose for which the SAR is made does not affect its validity, or your duty to respond to it…there is nothing in the Act that limits the purposes for which a SAR may be made, or which requires the requester to tell you what they want the information for.’
In practice, this case may be confined to its facts. As a law firm, Taylor Wessing sought to protect its clients’ privilege by undertaking a blanket application of the privilege exemption over all of its clients’ files, but it will be difficult – if not impossible – for a corporate entity to take the same approach. It is also worth remembering that, depending on the issues in dispute, much of the material provided in a DSAR response may be disclosable in any event as part of the litigation process.
It remains to be seen whether the scope to use DSARs as a litigation tool will be limited to the facts of this first instance judgment or widened by the Court of Appeal in a hearing scheduled for July 2016.
Settlement of, or attempts to settle, ongoing litigation does not terminate the data controller’s regulatory obligation to produce a DSAR response. Even when a dispute appears to be resolved a DSAR could be used to obtain information in an attempt to reopen old wounds. Areas of particular sensitivity to a data controller are likely to include any information that could potentially be detrimental to the litigation process, along with negative comments of a personal nature. Robust internal communication protocols are therefore essential to ensure that, where applicable, material is subject to privilege and to prevent the creation of unnecessary prejudicial material.
Hacking, corporate espionage and data breaches are on the rise around the globe.