Dealing with data request dramas
The High Court decision in Dawson-Damer v Taylor Wessing has recently been in the news, giving an interesting insight into the means and methods by which individuals obtain information in the course of litigation.
Although Dawson-Damer was a trusts litigation matter rather than an employment case, the link between the right to disclosure of personal data under the statutory Subject Access Request ('SAR') regime and the use of that 'right' to obtain information for litigation is frequently evident in contentious proceedings of any kind. In this case, the claimants sought personal data which was said to be inextricable from confidential information protected from disclosure by legal professional privilege.
The purpose of the SAR regime is to allow individuals to find out what organisations are doing with their personal information; not to enable 'fishing expeditions', or the obtaining of documents for litigation. However, requests are frequently used as a tool in an individual's preparation for employment tribunal litigation, and it is important to be able to both spot and deal with a SAR if you receive one. Here's an overview of the SAR regime and some tips on dealing with requests if and when they arise…
Where does the 'Subject Access right' come from?
An individual's right to make a SAR to discover what information a 'data controller' holds about them is a central principle of the EU Data Protection Directive. The Directive was implemented in the UK by the Data Protection Act 1998 ('DPA'), and the protection of personal data under this statute is enforced by the Information Commissioner's Office ('ICO') and the Courts.
What is a 'Subject Access Request'?
Under the DPA, individuals have the right to know what personal data about them is being held and used by organisations, and for what purpose (as well as certain information about the source of that personal data and any disclosures of it), by making a SAR (subject to certain limitations and exemptions). Usually, individuals are also entitled to a 'permanent copy' of the personal data held, unless this would entail 'disproportionate effort' on the part of the organisation.
Employers often find it most expedient to provide photocopies or printouts of any applicable document.
How should a SAR be made?
A SAR must be made in writing (organisations can ask requesters to use a specific 'form', but they cannot insist). Organisations can request:
a. payment of a fee of up to £10; and
b. any information reasonably required in order to locate the data sought (e.g. parties or departments who might hold any data or applicable date ranges), and/or to confirm the identity of the individual.
In order to speed up the location of the data and the assessment of whether that data should be disclosed under the SAR regime, additional questions should always be asked of requesters if reasonable parameters have not been identified in the original written SAR letter or form. Such questions should be genuinely needed to find the data; they should not be used as a device to delay the response.
Note that a SAR can validly be made by an individual's solicitor or trade union ('TU') representative, as long as the third party is genuinely acting on the individual's behalf (and it would be reasonable for the organisation to check that this is the case).
What is the time limit for responding?
The organisation has 40 calendar days, starting with the date on which the SAR is received or, if later, the date on which the £10 fee or the further information referred to above is received. To reassure concerned or (potentially) disgruntled individuals, organisations should respond immediately to a request with a letter acknowledging receipt of the SAR, requesting or acknowledging receipt of the £10 fee, and requesting any further information needed to locate the data or confirm identity.
The ICO takes exception to organisations which deliberately delay responding to a request in order to artificially extend the 40-day deadline, and such delay may result in enforcement action (see below).
What information has to be disclosed?
A SAR only provides access to the individual's own 'personal data'. 'Personal data' is defined by the DPA as 'data' which 'relates to' an identifiable, living individual, including expressions of opinion about that individual and the intentions of any person towards them. This includes
a. electronically held information (including HR records, emails, instant messenger conversation records, documents, telephone and internet logs); and
b. hard copy records if they are held in a 'relevant filing system' (i.e. are sufficiently well-organised to give easy access to specific information about the individual).
What if the information identifies other people?
Where personal data about the person making a SAR also constitutes 'personal data' about another person (a 'third party'), an organisation is not obliged to disclose it in response to a SAR unless:
a. the third party has consented; or
b. it is 'reasonable in all the circumstances' to disclose without their consent (taking into account, for example, the efforts made to consult the third party, the third party's views, and any obligation of confidentiality to that third party).
Care needs to be taken in this area, as disclosure of information which also relates to a third party may be undesirable and may even give rise to a breach of confidence towards that other person. If information relevant to the SAR sits in a record alongside data about a third party, it will often be appropriate to redact the third party's data and disclose the remainder, rather than withholding the whole record.
Are there any exemptions to the Subject Access right?
Information may be exempt from disclosure if it:
a. is legally privileged;
b. consists of a confidential reference given by the organisation (though not confidential references received by it);
c. is held and used for the purposes of management forecasting or management planning (to the extent that disclosure would be likely to prejudice the conduct of the organisation's business);
d. records the intentions of the organisation responding to the SAR in negotiations or settlement discussions with the individual (and disclosure would prejudice those negotiations); or
e. would prejudice the prevention and detection of crime if disclosed (subject to other conditions).
What are the consequences of non-compliance?
Individuals who are dissatisfied with an organisation's response to a SAR may complain to the ICO, which will generally investigate and (typically, after giving the organisation a chance to state its case) give its view on whether the organisation has complied with its duties under the DPA. In some cases the ICO may simply ask the organisation informally to reconsider, with no further consequences (although it will keep a record of the matter, which could affect how future complaints about the organisation are dealt with).
Alternatively, and less frequently, the ICO may require the organisation to give an 'Undertaking' committing to do better in future, or even issue a formal Enforcement Notice. Failure to comply with an Enforcement Notice is a criminal offence, and both Enforcement Notices and Undertakings are published on the ICO website (where they might be picked up by the media). In principle, the ICO may also impose monetary penalties of up to £500,000 for serious breaches of the DPA causing (or likely to cause) substantial damage or distress.
As well as (or instead of) complaining to the ICO, individuals may apply to the Court (as the Dawson-Damer family did in the trusts litigation case above), which can order organisations to comply with a SAR, and/or to pay compensation if the individual has suffered damage or distress as a result of the organisation's breach of the DPA.
In this recent judgment the High Court declined to order Taylor Wessing to comply with the SAR, one reason being that it would not have been reasonable or proportionate to expect the firm to assess which information was covered by legal professional privilege and which was not. That outcome turned on the facts, however, and it remains important to deal with SARs in a timely and systematic manner. The ICO and the courts will usually enforce reasonable Subject Access Requests should it get to that stage, and providing a considered and fair response should nip potential dramas in the bud.