ICO updates subject access code to reflect recent Court of Appeal decisions
The Information Commissioner's Office (ICO) has updated its subject access code of practice to reflect developments in Court of Appeal judgments given in early 2017, in the cases of Dawson-Damer and others v Taylor Wessing LLP EWCA Civ 74 and Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd and Others EWCA Civ 121.
The updates relate to organisations' obligations in responding to subject access requests (SARs), a mechanism introduced under the Data Protection Act 1998 (DPA) which gives individuals the right to access any of their personal data held by third parties on payment of a fee. Chapter 6 of the code on "Finding and retrieving the relevant information" has been amended to note that "the Data Protection Act 1998 (DPA) places a high expectation on you to provide information in response to a SAR". The section on "information contained in emails" now states that the disproportionate effort exception (in section 8(2) of the DPA) "cannot be used to justify a blanket refusal" of a SAR, as "it requires you to do whatever is proportionate in the circumstances".
Dawson-Damer and others v Taylor Wessing LLP
The Court of Appeal overturned a High Court decision to dismiss an application to compel disclosure and ordered a law firm to comply with a SAR.
Three beneficiaries (the data subjects) of a Bahamian trust made a SAR to Taylor Wessing, acting for the trust administrator. The SAR related to a trust dispute which the data subjects had commenced in the Supreme Court of The Bahamas. Taylor Wessing argued that the personal data was covered by legal professional privilege, and therefore exempted from disclosure, but the Court of Appeal held that the efforts made by the firm to comply with the SAR were inadequate. The decision clarifies the position regarding compliance with SARs: a SAR is valid even if its sole or main purpose is to obtain information in connection with litigation, and withholding personal data is only justified where supplying it would involve disproportionate effort.
The 'disproportionate effort' element is most significant to organisations that process personal data (data controllers). Complying with SARs can be burdensome as businesses often hold a lot of data, both personal and non-personal. Identifying relevant personal data and then redacting irrelevant information may involve a time-consuming and expensive manual review. The Court of Appeal decided that when assessing whether a response to a SAR would require disproportionate effort, it is necessary to consider both the work needed to find the relevant personal data and the work needed to produce copies of that personal data.
Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd (RTM)
The Court of Appeal refused to exercise its discretion to order SAR compliance as, given the circumstances, it would have been disproportionate.
Mr Ittihadieh owned a flat in 5-11 Cheyne Gardens and had an interest in other flats in the building. The other owner-occupiers of flats in the building established and became members of RTM, a 'right to manage' company. Mr Ittihadieh and his partner subsequently became members, but their attempts to secure board representation were blocked. Mr Ittihadieh believed that other residents were "swapping, retaining and otherwise using personal information about him". In November 2014, Mr Ittihadieh made a SAR to RTM and its directors and company secretary, stating that he intended to bring proceedings for discrimination, harassment and victimisation. RTM disclosed 400 redacted documents, which the court considered a proportionate effort given RTM's size. Furthermore, the SAR was only directed to RTM, and none of the other respondents was a data controller.
Impact of the decisions on organisations
The Court of Appeal stated in its Dawson-Damer judgment that there are substantial public policy reasons for giving people control over their personal data and that data controllers should design their systems in a manner which helps them respond to requests. In order to demonstrate that the supply of information involves disproportionate effort, a data controller would have to produce a plan and provide evidence of its work to review and identify relevant personal data.
Assessing proportionality must also be done on a case-by-case basis and the burden is on the data controller to show that supplying the personal data would involve disproportionate effort. As the data controller in the Ittihadieh case had responded sufficiently to the SAR, the court did not intervene further.
Whilst the judgments confirm that the obligation to search on receipt of a SAR is limited to what is reasonable and proportionate, the code imposes a high threshold for satisfying the 'disproportionate effort' exception.