May 3, 2019

Useful court guidance on dealing with subject access requests

The High Court recently ruled that the information provided in response to a subject access request (SAR) was inadequate and ordered the data controller to provide significant further information. The court also provided guidance on issues that often arise for employers when responding to a SAR.

In this case Dr Rudd, a medical expert on exposure to asbestos, made a SAR to Mr Bridle, a lobbyist for the asbestos industry, after Mr Bridle alleged that Dr Rudd was part of a wider conspiracy to provide false evidence about the risks associated with white asbestos. On the basis that the response to his SAR was inadequate, Dr Rudd brought a claim against Mr Bridle and his company, seeking an order that they provide further information.

The court's decision

The court ruled that Mr Bridle should provide a further SAR response, disclosing the following additional information.

The identity of third parties

The court said that the identity of the third parties with whom Dr Rudd was alleged to have conspired to provide false evidence was part of his personal data, because the allegation focused on him and was biographically significant, and should therefore be disclosed. However, the court rejected Dr Rudd's argument that there was an obligation to disclose the identity of the recipients of emails from Mr Bridle containing Dr Rudd's personal data. It said that it is clear from the legislation and the ICO's Subject Access Code of Practice that the right is to a description of the recipient (e.g. 'a legal adviser'), not to their name.

Exemptions

There are various exemptions under which certain information need not be provided to the individual in a SAR response. The exemptions relied on by Mr Bridle included legal professional privilege and the regulatory proceedings exemption (in relation to his attempt to have Dr Rudd struck off by the General Medical Council). The regulatory exemption can apply in certain circumstances where personal data is processed for the purpose of regulatory functions carried out by bodies such as the Financial Conduct Authority and the Pensions Ombudsman.

Although a data controller is only required to act reasonably and proportionately in terms of the scope of its search for personal data, the court said that this principle is not relevant when assessing whether an exemption applies. That said, a court may nevertheless decline to make a disclosure order where the data controller has exercised reasonable diligence in assessing whether an exemption applies and there is no good reason to doubt that assessment.

The court did not need to decide whether the regulatory exemption applied here, and did not rule definitively on the point, because Mr Bridle had disclosed this category of documents before the hearing. It did say, however, that the exemption probably only applies to processing by the regulatory body itself, and not to processing by an individual reporting to a regulator. It is also worth noting that the regulatory exemption only applies to the extent that providing the personal data could prejudice the regulator's ability to carry out its regulatory functions properly. So, in any event, this exemption is unlikely to apply in most cases once the regulator's involvement has ceased.

The source of the data

Data controllers must provide any information available to them about the source of the individual's data. The court said that the individual must be given the actual identity of the source, not merely a description or class of source. It remains open for decision in a future case whether it is sufficient to disclose the name of the company that is the source of the data, or whether the name of the individual there who provided the data must also be disclosed. If the latter, disclosure would be subject to that individual's consent, or to its being reasonable to disclose the information without their consent.

The purpose of the data processing

The court said that the requirement to describe the purpose of the processing does not have to be met on a document-by-document basis. It is sufficient to set out the essence of what the controller was doing with the data.

Practical points to take from this decision

Although this SAR was lodged prior to 25 May 2018, and the case was therefore decided under the previous legislation (the Data Protection Act 1998), the court's guidance remains relevant under the GDPR.

The court's approach to disclosing the identity of recipients of an individual's personal data, and to describing the purposes of processing, is helpful for employers. It is also worth noting that the court endorsed the ICO's Code, which is a useful guide to responding to SARs.

That said, employers will be less pleased that the decision demonstrates the breadth of the obligations in relation to SARs, and confirms that an individual's personal data may, in some circumstances, include the identity of third parties.

Rudd v Bridle and J&S Bridle Limited