An important decision was issued in April 2019 by the High Court in relation to Subject Access Requests. Whilst the decision related to a request made under the old (pre-GDPR) data protection regime, the principles will also apply to the current regime.
Under the General Data Protection Regulation (GDPR) and its predecessor, the Data Protection Act 1998 (DPA), individuals have a right to find out if an organisation is using or storing their personal data.
A request can be made for this information, commonly referred to as a Subject Access Request (SAR). The request can be made verbally or in writing. This right applies to all organisations that process personal data.
The right does not give a right of access to information about anyone else (unless a parent is acting on behalf of a child). A Freedom of Information Request (FOIA) is a different regime, and can only be made to a public authority.
Subject to clarifying the request, the data must now be provided within one month of the request, a timescale which is proving to be a challenge for many organisations.
An organisation may refuse the SAR if the data includes information about another individual, except where:
The organisation can also refuse your request if it is ‘manifestly unfounded or excessive’, provided the requester is informed and the decision is justified.
Whilst the normal deadline is one month, in certain limited circumstances extra time may be considered reasonable.
Finally, the data should be provided free.
Most importantly, the legislation provides for a number of exemptions from the GDPR and DPA provisions. If such an exemption applies, then the organisation may not have to comply with all the usual rights and obligations.
The case in question considered how these exemptions should be applied.
The exemptions fall into a number of categories:
Rudd v Bridle [2019] EWHC 893 (QB) was considered by the High Court under the ‘old regime’, but these principles will equally apply to any requests made under the GDPR regime.
Dr Rudd (a consultant physician specialising in asbestos disease) had made a SAR to Bridle (a lobbyist who accused him of giving fraudulent evidence in court cases) and Dr Rudd maintained that the responses were inadequate.
The court provided the following guidance:
The court’s lengthy judgement has given practitioners in this field useful guidance on the duties of organisations receiving a SAR, and in particular on the application of exemptions and the level of detail required when responding.
Whilst the ICO have issued a useful guide on responding to a SAR, specialist legal advice is likely to be needed if a responder is looking to resist a SAR.
For any more information on the topics within the article please contact Christopher Francis