Dealing with subject access requests (“SAR”s) under the Data Protection Act 1998 is becoming a regular occurrence for many organisations, particularly banks and their advisors. Processing such requests can take up significant manpower and the costs can be substantial. Whilst designed to allow individuals to access personal data, determine its source, why it is held and who it is shared with, in reality SARs are frequently being used as a fishing exercise for prospective litigation and complaints against institutions such as banks. The recent case of Dawson-Damer v Taylor Wessing LLP [2015] EWHC 2366 considered the proper use of SARs and the scope of the investigation required by the Act.
SARs
The provisions of the Data Protection Act 1998 which enable individuals to access data held about them were introduced to enable individuals to check what information was held about them by others and whether it was being processed unlawfully or in a way that affected their right to privacy.
Back in 1998, the extent of information held would have been limited to some manual records and basic electronic information about individuals, largely by their employers and government organisations. The world has changed and there is now a plethora of electronic and manual information held about individuals by all manner of data controllers. A SAR can cost the applicant as little as £10 and involves a simple form, but for the recipient or target of that request the impact of receiving one can be significantly greater.
Upon receipt, a data controller must search through all of their electronic and paper archives (there is no limit on the period of time the search could relate to) to identify any data relating to the person. This includes relevant individual employee hard drives and email archives. Once identified, an assessment of the information must be made as to whether it falls within the scope of the relevant sections of the Data Protection Act 1998, whether it touches on any third parties who must consent to its disclosure or whether it should be redacted. Once complete, the information must then be produced in a format where it can be shared with the individual.
There is then of course the internal assessment of the level of risk and damage limitation for future litigation that the information to be disclosed might require. All of this needs to be completed within 40 days. So a SARs outbreak can cause more than a slight headache for its target.
Guidance for targets of SARs
Whilst banks will be relatively practised at dealing with ‘fishing’ SARs requests from aggrieved customers, advisors will still receive relatively few such requests. It is becoming increasingly popular for individuals who have been involved in the management of insolvent companies, or individuals who have been in bankruptcy or an IVA, to make such requests of those involved in advising on an insolvency. Such requests have been the subject of recent publicity and are likely to become a regular feature. Our data protection experts have produced a guide for targets dealing with requests, which can be provided on request.
There are some protections afforded by law and case law to prevent abuses of the legislation (such as using it to obtain cheaper and better disclosure than might be achieved by the disclosure provisions of the CPR). Some protection is afforded by proportionality guidelines set out in a Code of Practice issued by the Information Commissioner. Further guidance was offered by the leading Court of Appeal decisions in Durant v Financial Services Authority [2003] EWCA Civ 1746 and Edem v The Information Commissioner & Anor [2014] EWCA Civ 92. Those decisions made it clear that the purpose of a SAR should not be to assist a party in obtaining disclosure of documents to assist with litigation or to make complaints against a third party. There has been further court clarification that the extent of the search should be reasonable and proportionate; however, this clarification and the views of the Court of Appeal on the purpose of SARs have done little to alleviate the level of work required in responding to a SAR in practice.
In the most recent decision on SARs, handed down on 6 August 2015, Taylor Wessing successfully resisted a SAR from the beneficiaries of a trust it had previously advised who were searching for documents to assist with litigation in the Bahamas. Taylor Wessing do not appear to have carried out an extensive search upon receipt of the SAR on the basis that any documents it revealed would be subject to legal professional privilege. Taylor Wessing argued that it was not reasonable or proportionate for it to have to determine which of any documents located were subject to privilege. Such an exercise would be costly and time-consuming as it would require review by highly skilled lawyers. The Judge agreed and the request was denied.
The court also considered and showed sympathy to the argument used in Durant that manual filing systems that cannot be easily searched in the manner of a computerised filing system are not required to be searched as part of a SARs data search. The arguments in the case may be useful when considering the extent of a search required of manual filing systems.
The future
It is not clear whether the decision will be appealed, but the Judge left the possibility open and made it clear that he considered that he had decided on an issue that would generate debate. As it stands, the decision is a very helpful one for solicitors on the receiving end of SARs, but also for other recipients of requests as it at least demonstrates a more restrictive approach to the idea of a proportionate search than previous cases. For those dealing with large volumes of SARs, any narrowing of the legal boundaries in this area will be welcome news.