21 May 2019
The High Court looks at exemptions to responding to SARs.
A dramatic increase in Subject Access Requests (SARs) is one of the most notable impacts of the GDPR. Data controllers need to understand the extent of their obligations when responding to a SAR and, if they seek to rely on an exemption, to ensure they can defend that reliance.
The High Court upheld a claim that information provided to the claimant in response to a SAR under s7 Data Protection Act 1998 was inadequate, and ordered the defendant to respond to the SAR with more detail. In doing so, the Court provided guidance on exemptions and what needs to be disclosed.
While the judgment related to the Data Protection Act 1998 and contains some highly specific circumstances, particularly in terms of the reliability of the defendant, it remains relevant to SARs under the GDPR. It offers guidance on reliance on the privilege, journalism and regulatory activity exemptions, as well as on the identification of sources and other recipients of the data.
The claimant acts as an expert witness in cases involving claims relating to exposure to asbestos. The defendants (an individual and his company) are involved in the manufacture of asbestos and allege that the claimant is involved in a conspiracy to provide false evidence about the risks associated with exposure to white asbestos.
The claimant made a SAR following a complaint made by the first defendant to the General Medical Council (which the Council declined to investigate). The claimant initially claimed that the response to the SAR was inadequate and also claimed a lack of response to notices to stop processing his personal data and for damages caused by that breach.
There was a complex analysis of what the Court should consider but ultimately it focused mainly on whether the SAR had been responded to properly, in particular, whether the defendant was able to rely on claimed exemptions, and on whether the sources and recipients of the data had to be disclosed.
The Court ordered a further SAR response after discussing a number of interesting points (referring to previous guidance and case law):
The journalism exemption
While the journalism exemption is broad, it is not so broad as to cover every expression of opinion and a campaigning purpose is not the same as a journalistic one.
The applicability of the exemption depends on the purposes and state of mind of the data controller, which are matters of fact and require proof, as well as on an assessment of the reasonableness of the data controller's beliefs, assuming they are established as a matter of fact.
The regulatory exemption
The regulatory exemption most likely applies only to a regulatory body and cannot be claimed by a data controller to whom it has supplied information. It is also a qualified exemption and only applies to the extent to which provision of subject access would be likely to prejudice the proper discharge of regulatory functions.
The privilege exemption
This exemption is absolute and unqualified and does not depend on proof that the defendants held a reasonable belief in anything. That means that evidence from a solicitor that documents have been reviewed and benefit from the exemption should carry considerable weight.
In this instance, however, the solicitor conducting the review (while not criticised) was found to have relied too heavily on the defendant, who was an unreliable source in the Judge's view. The Court also referred to the decision in Starbev GP Ltd v Interbrew Central European Holdings and the fact that the party claiming litigation privilege must establish that litigation was reasonably contemplated or anticipated, and not merely a possibility.
Recipients and sources of personal data
The claimant sought disclosure of all the recipients and sources of his personal data held by the defendant. It was held that the defendant had made insufficient disclosure, although the claimant was not necessarily entitled to all the requested data.
The information supplied by the data controller in response to the SAR did not comply with s7 DPA 98 (now Article 15 GDPR) as it did not include information about the nature, status or identities of the persons or companies to whom emails were sent. Where these related to individuals alleged to be the claimant's 'co-conspirators' or 'victims', they were part of the claimant's personal data and had to be disclosed.
The claimant did not need to know the personal details of persons who had merely received his data. The controller was, however, required to disclose the actual source of data (rather than a description or class of source) in order to comply with s7(1)(c)(ii) DPA 98.