This summer the Information Commissioner’s Office (ICO) published an update to its Subject Access Code of Practice in response to the Court of Appeal judgements in Deer v University of Oxford, heard together with Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd, and Dawson-Damer v Taylor Wessing LLP, regarding Data Controllers’ obligations to respond to subject access requests (SARs).
This article is the first of a series of three discussing the nature of the amendments and the impact they may have on organisations when complying with SARs.
The most notable outcome to arise from the judgements is the confirmation of what constitutes “disproportionate effort” when responding to SARs. The “disproportionate effort” exemption allows organisations to refuse an SAR if the effort to comply is too onerous or the request is unreasonably repetitive. However, the Data Protection Act 1998 (DPA) offers no definition of disproportionate effort, leading to uncertainty for organisations dealing with complicated requests.
In Dawson-Damer v Taylor Wessing LLP, Mrs Dawson-Damer and her children were beneficiaries of a trust of which Grampian was a sole trustee. The Dawson-Damer family became involved in legal proceedings against Grampian and sent SARs to the trustee’s solicitors, Taylor Wessing LLP. Taylor Wessing refused to comply with the requests, citing legal professional privilege. Subsequently, the High Court ruled that Taylor Wessing did not need to provide the requested information on the basis that the cost to retrieve the information and filter out the data protected by legal professional privilege would have been disproportionate to the benefit of the data subject.
On appeal, the Court of Appeal further held that the principle of “disproportionate effort” extends to searching for the data, as well as merely providing copies. At the time of the hearings, the ICO’s guidance only extended to providing copies and their code of practice has been updated accordingly.
It is clear from the updated code of practice that the ICO expects organisations to follow the EU principle of proportionality when deciding how to respond to an SAR. As the Code of Practice states, “there is scope for assessing whether, in the circumstances of a particular case, complying with a request by supplying a copy of the requested information in permanent form would result in so much work or expense as to outweigh the requester’s right of access to their personal data.” Organisations must be able to provide evidence that they have applied the proportionality principle if necessary. In Dawson-Damer, the Court of Appeal held that Taylor Wessing had failed to provide any evidence of such, instead relying on a blanket exception.
The ICO recommends transparent communication with the data subject in the event of requests that are likely to result in disproportionate effort, as a mutually-beneficial compromise may be achieved. Furthermore, willingness to liaise with the data subject will be taken into account by the ICO should a complaint arise.
While the updated code of practice provides clarity regarding disproportionate effort, significantly reducing the scope of effort that organisations must make in relation to SARs, there is a strong reliance on organisations to be able to take an objective view when weighing up the benefits of both parties.