Subject Access Requests

read time: 4 mins
14.05.19

An important decision was issued in April 2019 by the High Court in relation to Subject Access Requests.  Whilst the decision related to a request made under the old (pre-GDPR) data protection regime, the principles will also apply to the current regime.

Basic principles

Under the General Data Protection Regulation (GDPR) and its predecessor, the Data Protection Act 1998 (DPA), individuals have a right to find out whether an organisation is using or storing their personal data.

A request can be made for this information, commonly referred to as a Subject Access Request (SAR).  The request can be made verbally or in writing.  This right applies to all organisations that process personal data. 

The right does not give a right of access to information about anyone else (unless a parent is acting on behalf of a child).  A request under the Freedom of Information Act (FOIA) is a different regime and can only be made to a public authority.

Subject to clarifying the request, the data must now be provided within one month of request, a timescale which is proving to be a challenge for many organisations.

Exceptions

An organisation may refuse the SAR if the data includes information about another individual, except where:

  • the other individual has agreed to the disclosure, or
  • it is reasonable to provide the requester with this information without the other individual’s consent.

The organisation can also refuse your request if it is ‘manifestly unfounded or excessive’, provided the requester is informed and the decision is justified.

Whilst the normal deadline is one month, in certain limited circumstances extra time may be considered reasonable.

Finally, the data should be provided free.

Exemptions

Most importantly the legislation provides for a number of exemptions from the GDPR and DPA provisions.  If such an exemption applies then the organisation may not have to comply with all the usual rights and obligations.

The case in question considered how these exemptions should be applied.

The exemptions fall into a number of categories:

  • Crime, law and public protection
  • Regulation, parliament and judiciary
  • Journalism, research and archiving
  • Health, social work, education and child abuse
  • Finance, management and negotiations
  • References and exams
  • Subject access requests, insofar as they relate to information about other people.

The case

Rudd v Bridle [2019] EWHC 893 (QB) was considered by the High Court under the ‘old regime’, but these principles will equally apply to any requests made under the GDPR regime.

Dr Rudd (a consultant physician specialising in asbestos disease) had made a SAR to Bridle (a lobbyist who accused him of giving fraudulent evidence in court cases) and Dr Rudd maintained that the responses were inadequate.

The court provided the following guidance:

  • In relation to exemptions, the court was asked to consider whether Bridle could rely on either privilege or journalism as grounds not to respond. The court concluded that he had not provided a sufficient explanation of his reliance on journalism as an exemption and could not therefore rely upon it.  The court was also not satisfied that legal privilege applied.
  • In relation to the adequacy of the data provided, the court was satisfied that a description, rather than the identity, of recipients of Dr Rudd’s information was sufficient.
  • Furthermore, in relation to the level of detail with which Bridle must respond, the court concluded that the data did not need to be set out in a document-by-document manner.
  • The court went on to consider what remedy or compensation Dr Rudd would be entitled to, having concluded that Bridle had failed to comply with his statutory duty, i.e. what penalty should properly be applied where a controller fails to deal with a request properly.
  • The court ordered that certain personal data should be provided, but the failure by Dr Rudd to properly plead, or give adequate information for, two of the key claims in the case, in particular s.10 of the DPA 1998 (processing causing substantial damage or distress) and s.13 (compensation), meant that he was not entitled to financial compensation.

The court’s lengthy judgement has given practitioners in this field useful guidance on the duties of organisations receiving a SAR, and in particular on the application of exemptions and the level of detail required when responding.

Whilst the ICO have issued a useful guide on responding to a SAR, specialist legal advice is likely to be needed if a responder is looking to resist a SAR.

For any more information on the topics within this article, please contact Christopher Francis.
