Subject access requests: recent cases raise questions on how employers must comply
Charles Wynn-Evans of Dechert LLP reports on some recent decisions on subject access requests, which will give employers food for thought.
We've already looked at how subject access requests - when employees ask to see personal data held on them - can present significant challenges for employers, particularly during the course of any legal negotiations.
There is considerable effort involved not only in locating potentially disclosable information, but also in assessing whether or not it is actually disclosable and deciding if one of the potential exemptions, such as legal privilege, applies.
Employers may also have concerns that a subject access request is a "fishing expedition", aimed at obtaining material which could be useful to establish or bolster a claim.
Two recent Court of Appeal cases have addressed the issue of whether or not an employer can resist compliance with a subject access request on the basis that it has been made for a "collateral purpose", such as furthering litigation.
Collateral purpose
The Information Commissioner's Office (ICO) takes the view, in its code of practice, that there is nothing in the legislation that limits the purpose for which a subject access request can be made.
Nonetheless, it has been argued that compliance should not be ordered by the court where the request has been made for a collateral purpose.
In February, the Dawson-Damer v Taylor Wessing LLP case demonstrated how employers may not need to comply with a subject access request if the person making it proposes to use the information for some purpose other than verifying or collecting data held about the individual.
Only where there are specific circumstances justifying the refusal of an order to comply with a subject access request will the court not exercise its discretion to make such an order.
Nonetheless, if a request is an abuse of process - perhaps because disclosure is ongoing in specific proceedings - the court may decline to make an order.
In March, the same conclusion was reached in Deer v University of Oxford, in which it was noted that a subject access request entitles an individual not to documents but to the personal data which the data controller holds.
Striking a balance
It is clear from these decisions that an employer cannot argue that a subject access request is not valid or legitimate because it is made with a collateral purpose in mind. But that's not the end of the story.
Deer indicated that a court deciding whether or not to order compliance with a subject access request should strike a balance between the individual's right to have access to his or her personal data and the interests of the data controller.
Employers may still be able to resist applications to court for enforcement of compliance with a subject access request disclosure, however.
Where there is a more appropriate route for obtaining the information in the course of ongoing legal proceedings, where the employer's breach is trivial and where there is no legitimate reason for the subject access request (perhaps it has only been made to impose a burden on the employer) were all examples cited in the Deer case.
Disproportionate effort
Employers often try to argue that complying with a subject access request will entail disproportionate effort.
One way this can be addressed is by seeking to narrow the scope of the request, whether by reference to a specific time-frame, agreed search terms or specific individuals within the employer's organisation.
The ICO code of practice makes clear that employers are expected to make extensive efforts to find and retrieve information, although they are not required to do things that are unreasonable or disproportionate to the importance of providing the information.
In Dawson-Damer, the Court of Appeal clarified that the correct approach in assessing whether or not the employer is compliant is to examine what steps the data controller has taken, and to ask if it would be disproportionate to require further steps to comply with the individual's right of access to his or her personal data.
It is not enough simply for the employer to assert that it is too difficult to search through voluminous papers - it can't refuse to comply with a request just because of the effort involved.
In Deer, the Court of Appeal made the point that the fact that a further search locates data not previously disclosed does not necessarily mean that the employer breached its obligations in its initial search.
That said, if the employer has done what is reasonable and proportionate, it will have complied with its obligations.
In the January High Court decision of Holyoake v Candy and another, the court held that the data controller's implied obligation to carry out a search on receipt of a subject access request is limited to what is reasonable and proportionate.
In this case, the argument failed that a data controller had not properly complied with its obligations in relation to a request in circumstances where the searches actually conducted extended to a review of over 17,000 individual documents and time charges in excess of £37,000.
Directors' private emails
In Holyoake, the question also arose of whether or not the private email accounts of directors should have been reviewed.
There was no evidence in this case that the individuals in question had used private email accounts. It was held that, if a company director uses a personal email account in relation to the company's business, then the individual may owe the company a duty to allow access if necessary to enable the company to comply with a subject access request.
However, the company is not required to enquire about the position without sufficient reason to do so.
How should employers respond?
Recent case law has clearly made it more difficult to object to a subject access request on the grounds of the requestee's ulterior motives.
However, now more than ever, employers who receive requests need to determine whether or not the request can legitimately be clarified and narrowed in order to reduce the burden of compliance.
They must also consider and document the steps they take to locate disclosable data in order to be able to defend an accusation that the search has been inadequate.
