The Court of Appeal’s decision on 16 February 2017 is good news for employees making a Data Subject Access Request (DSAR) to access their personal data but it is a disappointing blow for employers who will find that they must continue to respond to DSARs made by individuals whose main purpose is to obtain pre-action disclosure of documents for potential litigation.
The Court of Appeal’s decision in Dawson-Damer v Taylor Wessing LLP reversed a High Court ruling that the law firm Taylor Wessing had not breached the Data Protection Act 1998 (DPA) by refusing to comply with a Data Subject Access Request (DSAR) search citing legal privilege, abuse of process and proportionality.
Section 7 of the DPA gives individuals the right to find out what personal data their employers hold about them, why they hold it and who they disclose it to. Individuals can exercise this right at any time by making a DSAR for a modest cost of £10.00 which must be paid to the employer to trigger the search and disclosure process.
Within employment law, it has become increasingly apparent that DSARs are being used by disgruntled employees to cause maximum aggravation to their employers, either before or during a dispute. Commonly, an employee who is in a dispute with their employer will use a DSAR request as a means of applying pressure on an employer to agree to settlement terms during negotiations. The employer can be forced to recover, process and analyse large numbers of emails within the 40 day time limit. Depending on the size and resources of the employer this can be an onerous, costly and vastly disproportionate exercise in exchange for the £10.00 fee paid by the employee. There is also the risk to the employer that the employee will complain to the Information Commissioner’s Office (ICO) if the DSAR is inadequate and non-compliant. Thankfully, whilst the ICO has the power to impose fines of up to £500,000 in such circumstances, these are rare in practice.
The ICO does provide helpful guidance which indicates that DSARs must be answered even where onerous so that an employer may only refuse to comply with a DSAR if a relevant exemption under the DPA applies in the particular circumstances. The ICO stresses that even where it is believed to be disproportionate; the recipient of the DSAR must still try to comply with the request, for example, by offering access to the relevant documents at its offices.
The courts have shown a recent willingness to take an increasingly more pragmatic approach to DSARs and the balance in recent years was beginning to tip in favour of employers but that position has now been dramatically reversed. Frustratingly, there is no doubt that the DSAR process is open to abuse and this decision does little to give reassurance to employers. It is not clear whether Taylor Wessing will appeal to the Supreme Court. In the meantime, I would advise employers to continue to comply with the regime and to seek out specialist advice if they are considering refusing to comply with a DSAR request.
The Legal Bit
In 2014, Mrs Dawson-Damer and her adopted children, the data subjects and beneficiaries of a trust in the Bahamas, served a subject access request under the DPA on Taylor Wessing, the data controller and solicitors for the trust. The request was made in the context of an on-going trust dispute in the Bahamas. Taylor Wessing tried to rely on the legal professional privilege exemption under the DPA. They declined the request and withheld the relevant personal data by asserting:
- that some of the data was held in manual files and not a relevant filing system for the purposes of the DPA;
- that it was not reasonable or proportionate to carry out a search for the information and to assess what was covered by privilege and what was not; and
- that the Court should exercise its discretion and refuse to make an order for disclosure because the application was improper.
The judge at first instance ( EWHC 2366 (Ch) ruled in favour of Taylor Wessing, finding that the firms’ manual files were not chronologically arranged or filed by reference to individuals so that they fell outside the scope of the DPA requirement of a relevant filing system, secondly that the legal professional privilege exemption applied to the documents requested in the DSAR, and, thirdly that the proposed search of Taylor Wessing’s files was not reasonable or proportionate, because of the disproportionality of lawyers reviewing the documents for privilege whereas the applicant need only pay £10.00 and that the Dawson-Damers served the request in the context of the on-going trust dispute where they would not otherwise have been able to obtain disclosure in those proceedings.
The Court of Appeal determined that a data controller has to demonstrate that complying with the request and supplying the information would involve disproportionate effort and it was not satisfactory to simply assert that it is too difficult to search through a large volume of documents. Secondly, that data protection law doesn’t limit the purpose for which a data subject can request their personal data and that it does not provide data controllers with an option to refuse to respond to a DSAR for this reason. In addition, the Court of Appeal found that the High Court was wrong to decide that it was improper for a data subject to make a request if they intended to use the information in legal proceedings. This was not an abuse of process on the part of the applicant for the DSAR.