Is what’s mine really yours?

Section 7 of the Data Protection Act 1998 (DPA)provides individuals (or ‘data subjects’) with a right of access to their personal data by making data subject access requests (DSAR) of ‘data controllers’ – namely persons (including organisations) who either alone or with others determine how and for what purpose the personal data of others is processed.

We consider the scope of DSAR obligations on data controllers and the exemptions which may be applied. We also consider the impact of the decision in Ashley Judith Dawson- Damer and others v Taylor Wessing LLP and others [2015] which provides some insight into the treatment of DSARs in the context of ongoing litigation and consider responses to DSARs during settlement negotiations. We also provide some practical tips when preparing a DSAR response.

Personal data is defined under the DPA as data which relate to a living individual who can be identified –

(a) from the data, or 

(b) from those data and other information which is in the possession of, or likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

In the leading authority of Durant v Financial Services Authority [2003] EWCA Civ 1746 the Court of Appeal noted that section 7 of the DPA did not automatically cover all information or matters in which the data subject may be named or involved. To be deemed ‘personal data’ the information must either be ‘biographical in a significant sense’ (going beyond the data subject’s involvement in a matter or an event which has no personal connotations), or the information should have the data subject as its ‘focus’, rather than some other person with whom the data subject may have been involved or some transaction or event in which he may have figured or have had an interest. Above all, personal data is information which affects that individual’s privacy, ‘whether in his personal or family life, business or professional capacity’.

In practice, it is not always straight- forward to identify which information will constitute personal data.

In exchange for the data subject paying a £10 fee, the data controller must undertake a proportionate search for the data subject’s personal data, responding to the DSAR within 40 calendar days. Receipt of a DSAR should be acknowledged promptly, and the scope of the DSAR should be examined and additional information sought from the data subject if necessary (the 40 day response period commences once the data controller has received any additional information needed to produce its response).

The data subject should be contacted in anticipation of any delays in dealing with the request. A delay in responding to a DSAR may result in the data subject bringing the matter to the attention of the Information Commissioner (ICO) who may then require the data controller to ‘comply or explain.’ To date, the ICO has investigated and fined data controllers for breaches of data protection (for example in disclosing the personal data of third parties within DSAR responses). However, although the ICO has brought enforcement actions, it is yet to fine a data controller for failure to fully comply with a DSAR request.

Data controllers should also consider whether the data subject’s personal data is being held by any data processors engaged to act on the data controllers’ behalf, including external entities to which a business function has been outsourced, such as a payroll or HR. Data controllers will also have an obligation to provide personal data held by such data processors.

There are a number of exemptions to disclosure under the DPA. Some of the most common include:

• material covered by legal privilege, such as legal advice or material prepared for the dominant purpose of actual or contemplated litigation
• material which evidences the intentions of the data controller in relation to negotiations to the extent that disclosing the information would be likely to prejudice the negotiations, such as records of internal strategy discussions
• material which is processed for management forecasting or planning if disclosure would be likely to prejudice such activity
• material constituting third-party personal data, unless consent is obtained from the third party or it is reasonable in all the circumstances to comply with the request without that individual’s consent. Even if third parties are not specifically named, they may be identifiable to the data subject by reference to their job title or in relation to a certain event or location.

Personal data in hard-copy documents will not be disclosable where these are not part of a ‘relevant filing system’ – i.e. a manual filing system which must:

1. relate to individuals;
2. be a ‘set’ or part of a ‘set’ of information;
3. be structured by reference to individuals or criteria relating to individuals; and
4. be structured in such a way that specific information relating to a particular individual is readily accessible.

The obligation on the data controller is to provide to the data subject the information constituting their personal data, as opposed to a complete copy of every document that includes their personal data. In practice, provided that it is carefully set out in an intelligible form, personal data can be extracted and placed into a table noting the corresponding document source and date.

While the original purpose of a DSAR is for data subjects to check the accuracy of their personal data held by a data controller, in practice DSARs are increasingly being used by litigants as a quick, inexpensive means of seeking interparty or third-party disclosure alongside or in advance of contentious proceedings.

The recent judgment in Ashley Judith Dawson-Damer and others v Taylor Wessing LLP and others provides some insight into the judicial treatment of DSARs in the context of ongoing litigation.

In that case the beneficiary of a trust sought to challenge the appointment of settlement funds and submitted DSAR requests to Taylor Wessing for copies of all her personal data held by the firm, including any personal data of her children. Taylor Wessing, the lawyers of the trust company, asserted legal professional privilege, declining to respond on the basis that it was not reasonable nor proportionate for them to carry out a search of their client’s files (dating back over 30 years), to determine whether or not particular documents were privileged.

In agreeing that Taylor Wessing could rely on the privilege exemption, the High Court judge referred to the purpose of the DPA which, pursuant to the EU Directive 25/46/EC, is to enable data subjects to obtain copies of their personal data so as to check whether the data controller’s processing unlawfully infringes their privacy and, if so, to protect their data by correcting any inaccuracies. The judge also noted that under the DPA the data controller is not required to provide copies of data which ‘would involve disproportionate effort;’ noting that the claimants had only paid £10 each to request the information.

The Taylor Wessing decision evidences the reluctance of English courts to enforce DSARs made for the purpose of obtaining information or documents to assist in litigation or complaints against third parties, especially where this will involve disproportionate and unreasonable effort and cost. This is in contrast to the ICO’s Code of Practice which states that ‘the purpose for which the SAR is made does not affect its validity, or your duty to respond to it…there is nothing in the Act that limits the purposes for which a SAR may be made, or which requires the requester to tell you what they want the information for.’

In practice, this case may be confined to its facts. As a law firm, Taylor Wessing sought to protect its clients’ privilege by undertaking a blanket application of the privilege exemption over all of its clients’ files, but it will be difficult – if not impossible – for a corporate entity to take the same approach. It is also worth remembering that, depending on the issues in dispute, much of the material provided in a DSAR response may be disclosable in any event as part of the litigation process.

It remains to be seen whether the scope to use DSARs as a litigation tool will be limited to the facts of this first instance judgment or widened by the Court of Appeal in a hearing scheduled for July 2016.

Settlement of, or attempts to settle, ongoing litigation does not terminate the data controller’s regulatory obligation to produce a DSAR response. Even when a dispute appears to be resolved a DSAR could be used to obtain information in an attempt to reopen old wounds. Areas of particular sensitivity to a data controller are likely to include any information that could potentially be detrimental to the litigation process, along with negative comments of a personal nature. Robust internal communication protocols are therefore essential to ensure that, where applicable, material is subject to privilege and to prevent the creation of unnecessary prejudicial material.

Advance preparation:

• Ensure that you have a firm understanding of your organisation’s IT structures, including the location of exchanges, particularly if overseas, as such data may be exempt from disclosure.
• Investigate whether your company has software to search audio (e.g. recorded telephone calls) and video (e.g. video conferences) as such formats are covered by the DPA’s obligations on data controllers.
• Investigate what personal data is held by data processors, and the ability and capacity of data processors to retrieve material relating to an individual at short notice.
• Train employees on how to manage their communications, and warn them that throw-away personal remarks and comments concerning individuals may become accessible to future litigants via the DSAR process.

Following receipt of a DSAR:

• Consider carefully the scope of the data subject’s request and, where agreeable to the data subject, seek to narrow unclear or unjustifiably broad requests directly with the data subject in writing.
• Consider the sources of electronic material (whose email accounts, which servers?) and assess whether hard-copy material falls within a relevant filing system.
• Consider using a reputable electronic document review platform which provides an efficient, cost effective means of conducting a DSAR review, allowing for the material to be de-duplicated (where the same emails have been recovered from multiple accounts), searched by way of key-word search, coded as non-disclosable where exemptions apply and redacted electronically, as appropriate. This can also generate a DSAR review report instantaneously, producing a comprehensive record by way of audit trail.
• Ensure that any commercially sensitive information is identified. To the extent that this does not constitute personal data of the data subject, it can be redacted.
• Monitor the timeframe and keep the data subject informed of any delays.