Subject access requests ("SARs") are viewed either as an essential right or a huge administrative burden, depending on whether you are the requestor or responder. Recent Court of Appeal ("Court") case law has made the Information Commissioner's Office ("ICO") update its Subject access code of practice ("Code"). The balance in the "disproportionate effort" exception debate has tilted in favour of controllers, but ICO does not give them carte blanche to refuse SARs.
What ICO always said
At a recent SAR seminar in London attended by Fieldfisher, the large organisations on the panel all estimated 0% of their SARs were genuinely related to data protection. In fact they are all from disgruntled employees, sniffing journalists or potential litigants. Yet ICO is unsympathetic to complaints of significant unrecoverable resources being spent on what is essentially a pre-disclosure exercise. The DPA provides the right of access with little qualification and no obligation to look into the requestors' purpose.
The only narrow exception is if the supply of information would involve disproportionate effort. ICO always interpreted the exception as applying strictly to supply, rather than the far more time-consuming process of searching, collating, redacting and reviewing. The expense involved can be vast, sometimes stretching to six figures, and can tie up central management for months. Despite this, ICO maintained that there virtually no circumstances in which the exception could be relied upon.
What the Court said
Two recent Court cases (Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74, Ittihadieh v 5-11 Cheyne Gardens & Ors and Deer v Oxford University [2017] EWCA Civ 121) challenged this position. Both involved acrimonious SARs as part of wider litigation. The requestors made this clear. The Court found the disproportionate effort exception was not limited to the supply of information but also the difficulties in producing a copy of it. It is a question of fact in each case to balance the effort involved against the benefits to the data subject. Defendants, the law firm Taylor Wessing, had not done enough by merely asserting disproportionate effort without actually making any.
The Court also partially confirmed that SARs are purpose-blind. In Dawson the existence of a parallel purpose – to assist legal proceedings – was not a reason for the controller to refuse the SAR. Ittihadieh/Deer slightly watered this down: the lack of a legitimate reason for making a request can be a factor in finding in the controller's favour, though having an alternative purpose is not an absolute bar.
What ICO now says
Good news: disproportionate effort exception expanded
In the updated version of the Code, ICO recognises that the disproportionate effort exception applies to the search part of the request:
"[You] may take into account difficulties which occur throughout the process of complying with the request, including any difficulties you encounter in finding the requested information."
Conversely, note the strong statements now removed from the Code:
"We rarely hear of instances where an organisation could legitimately use disproportionate effort as a reason for denying [an SAR]"
"The DPA does not permit you to exclude information from your response to a SAR merely because it is difficult to access...it does not place any express limits on your duty…."
"...it will never be reasonable to deny access to the requested information merely because responding to the request may be labour-intensive."
However, ICO predictably notes that this does not allow controllers to merely assert a search would involve disproportionate effort:
"[t]he burden of proof is on you as data controller to show that you have taken all reasonable steps to comply with the SAR, and that it would be disproportionate in all the circumstances of the case for you to take further steps." [emphasis added]
There is still a high-bar to meet in assessing and conducting the internal data searches. Interestingly the Code specifically encourages controllers to engage with data subjects to have "an open conversation" about their request. It surprises us how rarely clients ask the requestor to qualify his search. Early honest engagement signifying you are dealing with the request, and an explanation that with a bit more background you could supply the actual information desired faster, can go a long way.
Bad news: the actual motive remains irrelevant
However following the Court's confirmation, ICO restated its traditional assertion about SAR purposes:
"Whether or not the applicant has a "collateral" purpose (ie other than seeking to check or correct their personal data) for making the SAR is not relevant",
even though this was not strictly what the Court concluded in Ittihadieh/Deer. Given the somewhat inconsistent message, the Code goes on to list a range of factors that court may take into account when deciding whether to order a controller to comply with a SAR: the gravity of the controller's breach, the principle of proportionality, whether there is a more appropriate route to disclosure and whether there is an abuse of process. Controllers are still obliged to comply with the SAR, but these may be relevant if an SAR complaint ever makes it to the courts.
Conclusion
It is worth remembering that all this will change after 25 May 2018 once GDPR applies. There is no disproportionate effort exception in GDPR, only for unfounded or excessive requests. It is amazing how many requestors are put off by the nominal £10 fee. Presumably the GDPR's removal of even this nominal fee will increase the number of SARs, particularly as consumers and activists get more 'data savvy' and there are more and more online pieces encouraging SARs and giving step by step guides on how to conduct them.
Requestors should no longer expect to win all challenges to a controller's refusal to hand over all their data. In particular they can expect less sympathy for excessive or antagonistic requests.
Does the amended Code allow you to be a bit more robust in refusing SARs? Yes, but as always it involves assessing risk within the context of the request. Bold controllers could refuse a SAR on the basis that it is really a fishing exercise and hope the court later sided with its argument that disclosure is more appropriate. However ICO makes clear it will still expect controllers to comply regardless of requestor's motive and will enforce on that basis. ICO still views SARs as a fundamental part of data protection law and you need to be careful before denying an individual their fundamental privacy rights.