This is the second article of three discussing the recent changes to the Information Commissioner’s Office’s Subject Access Code of Practice, and specifically considers the amendments regarding the “motive” of the data subject when making the subject access request (SAR).

Following Dawson-Damer v Taylor Wessing LLP, the general rule is that SARs are “purpose blind” meaning that the data subject’s motive when making the request is irrelevant. The courts determined that a SAR will not be invalidated if it has an additional purpose beyond simply accessing and verifying personal data, even if that additional purpose is in the pursuit of litigation.

In Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd, Mr Ittihadieh was a member of RTM, the management company of a building he partly owned. A dispute arose between the two parties, and Mr Ittihadieh made a SAR stating that he intended to begin legal proceedings against RTM for victimisation, harassment and discrimination. RTM claimed that the request was a “fishing expedition” and an abuse of process but nevertheless disclosed four hundred documents. Mr Ittihadieh subsequently issued proceedings against RTM for damages and an injunction. The courts held that RTM had fulfilled their obligation as a data controller and refused Mr Ittihadieh’s application. The judgement in this case confirms that if a SAR is made, the data controller must oblige regardless of the data subject’s motive.

In Deer v University of Oxford, Dr Deer brought sex discrimination claims against the University, her former employer. In the course of the proceedings, she made a SAR which the University declined to act upon on the basis that the information was to be used as part of her litigation in the Employment Tribunal. Dr Deer issued a claim against the University for failure to comply with her SAR, however the courts held that none of the withheld material constituted personal data, as defined under the Data Protection Act 1998, and dismissed the claim. Significantly, and in contrast to Ittihadieh, if the courts consider the SAR to be “antagonistic” then this may act to the data subject’s detriment; here, the claimant’s costs were reduced by 25 per cent due to the “essentially antagonistic” basis of her SAR.  Where the line is drawn between an additional purpose and antagonistic reasons for the SAR is, it appears, for the courts to decide, as the ICO’s updated guidance does not clarify this distinction.

The ICO’s SAR guidance now takes into account that, barring an abuse of process under any European Union doctrine or United Kingdom laws, organisations are still obliged to comply with the request regardless of whether the data subject intends to verify the accuracy of the personal data or use it for any other purpose. However, a request that lacks a “legitimate basis” will be unlikely to result in relief for the claimant.

To read the first article in the series please click here. To read the final article in the series please click here.