Data Subject Access Requests – Court of Appeal limits scope of exceptions
24 February 2017 #Data Protection
The Data Protection Act gives individuals the right to make a Data Subject Access Request (DSAR) to find out what information an organisation holds about them. Many employers will have received DSARs from employees or ex-employees, often as a precursor to claims being brought in the courts or tribunals.
There are a limited number of restrictions on what information needs to be provided as part of a DSAR, including an exemption for data that’s legally privileged (i.e. confidential communications with lawyers) or where providing the information would involve a disproportionate effort. However, a recent Court of Appeal decision has limited the scope of these exemptions.
The case (Dawson-Damer & Ors and Taylor Wessing LLP) was brought by the beneficiaries of a trust in the Bahamas. They had made a DSAR to Taylor Wessing LLP, who were the trust’s legal advisers, in the context of ongoing legal proceedings in the Bahamas. Taylor Wessing refused to disclose documents and relied on the legal privilege exemption as Bahamian trust law prohibited disclosure. The Court of Appeal disagreed with this approach and said that the only documents which would fall within this exemption would be those considered to be legally privileged under English law.
Taylor Wessing also argued that responding to the DSAR would require disproportionate effort. Whilst the Court of Appeal accepted that the disproportionate effort exemption could be applied to the search (which is contrary to the ICO’s view on the matter), it could only be relied upon if evidence was provided about what would have been required and why it was considered to be disproportionate. Finally the Court of Appeal said it didn’t matter that the purpose of this request had been to obtain documents for use in ongoing legal proceedings because a person’s right to make a DSAR is ‘purpose blind’.
This case will be unwelcome news for employers and businesses who may receive complex DSARs on a regular basis. Although the Court of Appeal gave a restrictive interpretation of the available exemptions in this case, there are still ways in which organisations can limit the amount of work required in order to lawfully comply with a DSAR. Contact our employment team if you would like to know more or if you’re unsure about how to deal with Data Protection Act issues.
Be the first to comment on this blog.