Responding to a Subject Access Request (also known as a Data Subject Access Request, SAR or DSAR) can be a burdensome task, particularly where an organisation is processing large volumes of personal data. The matter can be especially thorny where the organisation believes that the disclosure sought is effectively a means of obtaining pre-action disclosure, allowing the data subject to access the missing piece of the jigsaw required for a legal claim against the organisation itself, its employees and/or third parties with whom the organisation has corresponded. A subject access request is generally still valid, and must be responded to, even if it is made for the collateral purpose of seeking pre-action disclosure. Accordingly, subject access requests have become an extremely useful weapon in a claimant’s armoury and a bête noire for data controllers, particularly those filled with trepidation at the prospect of information disclosed pursuant to the request being used against the organisation in subsequent - and often costly - legal proceedings (regardless of whether the claim has any genuine merit).
What information is a data subject entitled to?
Pursuant to Article 15 of the UK General Data Protection Regulation (‘UK GDPR’), a data subject has a right to seek confirmation from a data controller as to whether or not their personal data is being processed and, where it is, a copy of that data. In addition, a data subject is also entitled, amongst other things, to the following information:-
(1) details regarding the source(s) of the data (assuming the data has not been collected solely from the data subject);
(2) an explanation of the purpose(s) for the processing;
(3) the recipients or categories of recipient to whom the personal data have been or will be disclosed; and
(4) the envisaged period for which the personal data will be stored.
In respect of (3), the Court of Justice of the European Union (whose decisions on data protection matters continue to be persuasive following the UK’s withdrawal from the EU) recently held in RW v Österreichische Post AG (C-154/21), 12 January 2023, that this requirement, enshrined in Article 15(1)(c) of the UK GDPR, confers:-
“an obligation on the part of the controller to provide the data subject with the actual identity of those recipients, unless it is impossible to identify those recipients or the controller demonstrates that the data subject’s requests for access are manifestly unfounded or excessive within the meaning of Article 12(5) of the GDPR, in which cases the controller may indicate to the data subject only the categories of recipient in question.”
This is potentially useful for a claimant considering whether to bring an action because it means that, subject to any relevant exemptions (see further below), they are generally entitled to know precisely to whom their personal data has been disclosed. The success or failure of claims for defamation, privacy and breach of an individual’s data protection rights can often turn on whether disclosure to a particular individual is justified in all the circumstances. As the full extent of publication is not always known until formal disclosure has taken place (usually several months after a claim has been issued, and only if the claimant incurs the costs and costs risk of issuing), the requirement for a data controller to provide the names of the recipients in response to a subject access request can potentially assist a claimant in formulating their claim.
What can be done to avoid disclosing unnecessary material?
RW v Österreichische Post AG is, broadly speaking, a helpful decision for data subjects. However, it is not all doom and gloom for data controllers as there are a number of legitimate grounds on which to limit the extent of material provided in response to a subject access request.
A subject access request does not compel an organisation to disclose the same documentation that an individual could expect to receive had they made a successful application for pre-action disclosure under Civil Procedure Rule 31.16. Indeed, a subject access request does not bestow any right on an individual to obtain copies of documents. Instead, as mentioned above, the right is confined to a copy of the individual’s personal data. In practical terms, this means that the personal data can be extracted from a document, or that information in the document which does not fall within the scope of the request can be redacted. This is an important consideration which is sometimes overlooked, particularly by smaller organisations which do not have to deal with subject access requests on a routine basis. Carefully adopting this approach can often avoid disclosing sensitive material to which the data subject has no right of access. If, for example, the alleged conduct of a data subject was one item for discussion at a board meeting otherwise devoted to matters concerning a company’s financial affairs, then there is no obligation on the company to disclose full copies of documents pertaining to the meeting (e.g. minutes), which would likely contain highly sensitive information with no connection to the individual’s data.
Even where an organisation is processing an individual’s personal data, such data does not always need to be disclosed. This is because Schedule 2 to the Data Protection Act 2018 contains various exemptions which, if the relevant conditions are met, will mean that the data controller does not need to comply with the request. Some of the most commonly invoked exemptions relate to where the data in question is being processed for the purpose of preventing or detecting a crime (and compliance with the request would be likely to prejudice this), where the data is protected by legal professional privilege, where the data is included in a confidential reference and where it is necessary to protect the rights of others. Whether a particular exemption is available will require careful analysis in each case.
Failing to respond
It is never sensible for a data controller to bury its head in the sand and ignore a subject access request, not least because this is likely to result in a complaint being made to the Information Commissioner’s Office (ICO), the UK’s data protection regulator, which now appears to be taking a harder line in respect of non-compliance. In September 2022, for example, the ICO announced that it had taken regulatory action against seven organisations, including the Home Office, which had failed in their duty to respond to subject access requests.
In addition, failing to deal with a subject access request appropriately can lead to a claim for compensation. In AB v Ministry of Justice [2014] EWHC 1847, Mr Justice Jeremy Baker concluded that the Ministry of Justice had wrongly withheld some of the claimant’s personal data, and had failed to provide other data within the statutory time limits, and awarded the claimant £2,250 in compensation for distress caused by the Ministry of Justice’s breach of the Data Protection Act 1998 (the predecessor of the UK GDPR and the Data Protection Act 2018). Whilst several subsequent authorities indicate that the High Court may no longer be the appropriate forum for claims founded on an organisation’s failure to comply with a subject access request, compensation for non-compliance remains available under the UK GDPR and such claims will no doubt continue to be pursued in the County Court.