subject access requests - data protection

Data Protection and Subject Access Requests

by

An increasing number of subject access requests have been made under the Data Protection Act 1998.

Subject access requests are used as tactical ploys as a way of putting pressure on the other side to disclose documents that would not otherwise be disclosable in litigation. Several cases have been reported on this topic and the following apply:-

1. Proportionality

-the controller does not have to supply documents if it involves disproportionate efforts. The Court of Appeal (CA) has adopted a wide approach here. Time and cost are issues that concern data controllers. However,  the CA believes most data controllers have systems in place to avoid subject access request searches being too onerous. Therefore, there is a public policy why subject access requests should be respected.

2. Ulterior motives

-ulterior motives or collateral purposes, for example, litigation, are irrelevant for subject access requests purposes.  A subject access request right should be treated as “purpose blind”

3. Legal professional privilege

– the CA has taken a very narrow approach stating that it is expressly limited to legal professional privilege (that is legal advice privilege and litigation privilege) within the UK. The court did not accept the argument that there was a broad assertion of legal privilege over all documents held on behalf of a client and therefore the assertion of privilege should be targeted and not general.

4. Personally processed information

-there is a distinction between,

  • data processed by an individual on behalf of the employer, and
  • information processed in a personal capacity.
  • Courts have made it clear, individual employees and directors are not data controllers.
  • Subject access requests can only properly extend to activities carried out on behalf of their employers.

It is not therefore normally appropriate to search personal email accounts of employees and directors unless there is clear evidence that these accounts have been used for work-related purposes.

All of the above encourages further use of subject access requests and they are likely to become more widely used. Businesses are therefore encouraged to have adequate systems and procedures in place to ensure that subject access requests are processed with the minimum amount of work.

subject access request -data protection

Important Changes

  •  fee of £10 was abolished in 2018 and
  • the period for compliance with the subject access request reduced from 40 days to one month.
Verified by ExactMetrics