By Ibrahim Hasan, IBA Solicitors,Dewsbury
Subject access and disclosure
The Data Protection Act 1998 (DPA) is designed to protect the privacy of individuals (data subjects) by giving them rights over their personal data.
The main right is known as 'subject access' and is enshrined in section 7 of the act. This allows an individual to see his/her personal data held by the data controller (those who hold and process the personal data). It fulfils the objects of the European Data Protection Directive 1995, which are to protect the fundamental rights of individuals, notably the right to privacy and accuracy of their personal data held and processed by others.
Over the years data protection officers in large public and private sector organisations have been frustrated by the number and wide-ranging requests received under the DPA. All the data subject has to do is make a request in writing and describe the information being sought.
Often the purpose of the requestor has nothing to do with the original aims of the directive. It is not uncommon for unions, as well as disgruntled employees or lawyers representing the data subject, to make subject access requests demanding a copy of all documents containing personal data about an individual. These are sometimes considered to be 'fishing expeditions', designed to try to tease out every last scrap of information that may be useful in any current or future litigation.
The problems for large organisations, which have many different databases containing thousands of records, are the cost and resource implications of searching for the requested data. Such costs are not recoverable under the DPA, which allows a maximum charge of £10 for most personal data.
A recent High Court decision confirms the previous Court of Appeal ruling on the nature of the subject access right, and goes further in giving guidance on the scope of the search required to be done by the data controller. In Ezsias v The Welsh Ministers [2007] ALL ER (D) 65, the claimant was employed by North Glamorgan NHS Trust as a consultant. He was suspended and subsequently dismissed. He commenced proceedings in the Employment Tribunal for unfair dismissal.
The claimant had made a number of subject access requests to the Welsh Assembly for disclosure of personal data that related to his complaints about and treatment by the trust. Some of these were quite wide in their scope and asked for 'all materials and documents whether in paper or electronic format... which are connected to me, any issue, decision, consideration etc. related to me...' The purpose of his requests was to try to obtain evidence for his tribunal claim that he was a whistleblower and should not have been dismissed.
When the defendants failed to produce the requested data, the claimant applied under section 7(9) of the act for: (i) a declaration that the defendants had failed to comply with the obligation to make 'appropriate disclosures' of documents that were in their possession; (ii) damages in respect of those alleged failures; and (iii) an order requiring compliance.
The defendants contested the claim stating, among other things, that all the disclosable data had in fact been disclosed, even if it had not been disclosed within the statutory period of 40 days from the date of the request.
The High Court's decision sets out very useful guiding principles for those dealing with subject access requests, especially where they are 'catch all' requests. For example: 'give me everything you have about me.'
Firstly, the data subject and the data controller must not lose sight of the purpose of the subject access right. The court followed the now-famous Court of Appeal judgment in Durant v The Financial Services Authority [2003] EWCA Civ 1746, [2004] FSR 573. It stated that the purpose of subject access is to check whether the data controller's processing of personal data about the data subject unlawfully infringes his privacy and to allow him to take such steps as the act provides to protect it. The court ruled that the claimant had muddled the rights under section 7(9) (to obtain a court order seeking compliance with a subject access request) with any rights a person may have within a substantive claim to disclosure of documents under part 31 of the Civil Procedure Rules.
The DPA does not contain a right to have access to or copies of documents. Section 7 gives a data subject a right to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller: and, if that be the case, to be given a description of those data, the purposes of the processing and the recipients of any disclosure, and (according to section 7(1)(c)): '... to have communicated to him in an intelligible form:
(i) the information constituting any personal data of which that individual is the data subject; and
(ii) any information available to the data controller as to the source of those data...'
|
The court went on to state that, while the obligation to disclose information in communicable form under section 7(1)(c)(i) (above) generally 'must be complied with by supplying the data subject with a copy of the information in permanent form...' (as per section 8(2)) - and this particular obligation may be met by providing the data subject with a copy of a pre-existing document containing the data and other relevant information required to be disclosed - that is not the equivalent of a right to disclosure of documents.
The court quoted Auld LJ in Durant (paragraph 26): 'The intention of the directive, faithfully reproduced in the [1998] act, is to enable an individual to obtain from a data controller's filing system, whether computerised or manual, his personal data, that is, information about himself. It is not an entitlement to be provided with original or copy documents as such, but, as section 7(1)(c)(i) and 8(2) provide, with information constituting personal data in intelligible and permanent form. This may be in documentary form prepared for the purpose and/or where it is convenient in the form of copies of original documents redacted if necessary to remove matters that do not constitute personal data (and/or to protect the interests of other individuals...'
The court ruled that the underlying premise of the claimant's claim (that, in his own words, under the 1998 act he has a right to full disclosure from the defendants of 'all materials and documents' which are 'connected to [him] or connected to overlapping investigations, considerations, actions, intended actions etc') is false.
Secondly, how far does a data controller have to go in searching for personal data requested by the data subject? The claimant submitted that efforts made by the defendants to identify and disclose his personal data were inadequate, and further efforts ought to have been made to ensure the search was reasonable and proportionate. In particular, he criticised the defendants for only requesting information from three departments (the Department of Health and Social Services, the Information Management Division and the Complaints Unit), and not from other departments or agencies (such as the Healthcare Inspectorate Wales).
The court ruled that, under the DPA, upon receipt of a subject access request, a data controller must take reasonable and proportionate steps to identify and disclose the data he is bound to disclose. To repeat the words of section 8(2): 'The obligation imposed by section 7(1)(c)(i) must be complied with by supplying the data subject with a copy of the information in permanent form unless: (a) the supply of such a copy is not possible or would otherwise involve disproportionate effort; or (b) the data subject agrees otherwise.'
Here, the court sought to widely interpret the provision, which on the face of it only applies to the provision of hard copies. The court seems to have interpreted it as reflecting the whole ethos of subject access. It ruled that, on the evidence, the defendants' search for personal data had been reasonable and proportionate. It would not be reasonable for the defendants to conduct any further searches, especially given the claimant accepted that the documents he sought in this action for the purposes of progressing his employment claim in the Employment Tribunal would be disclosable in the course of that claim in any event and the defendants would be required to respond to any orders made against it to provide appropriate disclosure of documents.
Finally, the court confirmed what we already know from Durant: the judge has discretion (under section 7(9)) whether to order disclosure of the information sought pursuant to subject access. The material that had been disclosed was all the material that could be disclosable. Even if that was not the case, it would not be appropriate for the court to exercise its discretion to make an order for further disclosure.
In relation to the failure to make timely disclosures, the defendants had been in breach of their obligation under the DPA. However, as no damage or prejudice had been caused to the claimant, the court ruled that the current claim had to fail.
This decision is food for thought for lawyers, who often fire off a subject access request as part of their preparation for litigation. Though they can still do this, care must be taken to focus on what information is requested and they must not lose sight of the fact that, in the end, it is the judge's discretion to order disclosure.
No comments yet