It is no secret that a subject access request is an unwelcome request for any business.
Individuals have the right to access their personal data, and they exercise that right by making a subject access request (SAR). Where a data controller refuses to comply with a SAR, the individual may apply to the Court, which may order compliance.
There are limited exemptions from the requirement to provide personal data in response to a SAR. One such exemption is where the personal data is subject to legal professional privilege (the UK equivalent of attorney/client privilege).
A Welcomed Decision
SARs can be tricky and expensive, consuming the time and effort of HR and management professionals. Technological developments also mean that SARs now potentially have a far broader scope than was previously the case. Unlike a SAR, however, a recent High Court decision will be welcomed by businesses acting as data controllers. The Court refused to make a SAR compliance order, reasoning that the searches the data controller had carried out were proportionate and that the legal professional privilege exemption applied.
SARs are often used for strategic purposes and as a tool in disputes between parties (whether in an employment or a commercial context), as illustrated in Holyoake v Candy and another (2017). The dispute involved a loan agreement between high-end property developers in which one party made a SAR against the other, who in turn claimed the SAR had already been adequately answered. The defendants successfully argued that they had already carried out adequate searches and that they could rely on the legal professional privilege exemption as a basis for withholding certain information. There were therefore no grounds on which to require further searches.
Useful Guidance for Businesses…
The decision will give businesses some reassurance when complying with a SAR. In particular, the Court provided helpful guidance on three points:
- "Reasonable and proportionate": The Court reaffirmed that data controllers are only expected to carry out searches which are "reasonable and proportionate". In other words, businesses are not expected to go above and beyond in order to comply with a SAR.
- Personal email accounts: Personal email accounts whose contents are not processed by the company as data controller do not need to be searched. In this case, no search was carried out for relevant emails in the personal email accounts of directors, and searching the corporate email accounts was held to be sufficient. One caveat: the Court did accept that a director who used a personal email account for company business might be required to allow the company to access that account in order to comply with a SAR. However, there is no general right of access, and a business is not bound to ask that question of its directors unless there is sufficient reason to do so. There was no such reason in this case.
- Legal professional privilege exemption: The claimant argued that this exemption could not be relied upon where privilege was "designed to act as a cloak for crime and fraud", alleging that personal data had been unlawfully obtained by surveillance. The Court took the view that such serious allegations (i.e. of iniquity) must be supported by a strong, not merely speculative, prima facie case before the exemption is displaced. Here they were not.