Subject access requests - when enough is enough
Solicitor, Veale Wasbrough Vizards
The Court of Appeal has refused to order data controllers to take further steps in subject access compliance.
The Court of Appeal (CA) heard the cases of Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd and Others and Deer v Oxford University together to consider issues relating to subject access requests (SARs) made under the Data Protection Act (DPA).
Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd and Others
- Mr Ittihadieh owns flat 5/6 in 5-11 Cheyne Gardens (a block of 10 Victorian houses converted into 15 interlinked flats) and has interests in three other flats in 5-11 Cheyne Gardens.
- The non-corporate owners of the flats (excluding Mr Ittihadieh and his partner) established and became members of a right to manage company, 5-11 Cheyne Gardens RTM Company Ltd (RTM).
- Mr Ittihadieh and his partner subsequently became members of RTM but, when his request to have his solicitor appointed as a director was blocked, became suspicious that other residents were "swapping, retaining and otherwise using personal information about him".
- Mr Ittihadieh submitted a SAR to RTM as well as its directors and company secretary.
- RTM complied with the SAR by disclosing 400 redacted documents. Within this disclosure there was reference to a file which was not disclosed (which Mr Ittihadieh believed was about him).
- Mr Ittihadieh applied to the courts for an order confirming that the file should be disclosed as part of the response to his SAR. This order was refused on the basis that it would be disproportionate to require disclosure of the file. It was also held that none of the individuals concerned (the directors and company secretary) were a data controller and so they were not required to disclose data under the domestic purposes exemption.
- Mr Ittihadieh applied to the Court of Appeal (CA).
Deer v Oxford University
- Dr Deer, a former employee of Oxford University, had been engaged in litigation with the university for some eight years.
- Dr Deer submitted the first of two SARs.
- The university withheld certain information on the basis that it related to the ongoing litigation.
- As a result of the university's approach, Dr Deer made a second SAR on identical terms and the university disclosed some of the previously withheld information.
- Dr Deer, still unsatisfied, applied to the courts for an order that the SAR be complied with in full. The judge ordered the university to carry out further searches (1) of emails sent to or received from 22 named individuals between specific dates and (2) of servers used by five departments and faculties.
- The university disclosed a further 33 new documents after reviewing 500,000 documents at a cost of £116,116.
- Dr Deer made a further application to the courts for an order, but that order was refused on the basis that it would serve no useful purpose.
- Dr Deer further applied to the CA.
Article continues below...
Law and Practice
The status of employment rights on the transfer of an undertaking is an extremely complex area of...
The Court of Appeal's DecisionIn both cases, the CA refused to order further disclosure as follows:
- Mr Ittihadieh
- Mr Deer
Best PracticeWhen responding to a SAR, employers should carry out searches that are reasonable and proportionate in the circumstances and should not withhold information on the grounds that it is requested in connection with actual or contemplated litigation.
That said, what is reasonable and proportionate in the eyes of the employer may be different to that of the data subject or the courts and may well depend on the detailed facts in each case. We have a team of specialist data protection lawyers on hand to assist with any SARs received.