On 24 February we reported on the Court of Appeal's decision in Dawson-Damer and others v Taylor Wessing LLP, which concerned the relevance of motive to subject access requests under the Data Protection Act. This issue has recently been before the Court of Appeal again: in Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd and others [2017] EWCA Civ 121, the Court considered whether a company was required to comply with a data subject access request (DSAR) where the request was made for the purpose of gathering information for litigation. The Court also gave guidance on dealing with DSARs and how far a company needs to go for a search to be 'proportionate'. 

Facts

Mr Ittihadieh owned a flat in 5-11 Cheyne Gardens. Mr Ittihadieh and several other owners of the flats in the building became members of 5-11 Cheyne Gardens RTM Company Ltd (RTM), a right to manage company. Later, Mr Ittihadieh attempted to secure a board position with RTM but this was blocked by the other members. 

Mr Ittihadieh alleged that other members of RTM had copies of personal information about him and that RTM kept a file about him, which contained his personal data. Mr Ittihadieh made a DSAR to RTM, stating that he intended to bring proceedings for discrimination, harassment and victimisation against it. 

In response to the DSAR, RTM disclosed 400 documents containing Mr Ittihadieh's personal data. One of the documents referred to an 'Alireza file', which was not among the disclosed documents. Mr Ittihadieh sought disclosure of the 'Alireza file' from RTM, which was refused. 

Mr Ittihadieh brought proceedings in the High Court against RTM and the individual members of RTM, alleging that they had failed to comply with their obligations under the Data Protection Act 1998 (DPA) and asking the Court to order them to disclose the 'Alireza file'.

A second case, Deer v Oxford University, was heard with this one. While the facts were different (the case concerned litigation that had been going on for eight years), the issues were the same and we therefore concentrate on the Ittihadieh case.

Background

The DPA gives individuals the right to make a DSAR to a data controller who holds their personal data. 

Following receipt of a DSAR, a data controller is obliged to carry out 'a reasonable and proportionate search' for the individual's personal data and provide this to them within 40 days.

Courts have the power to order disclosure of an individual's personal data where they are satisfied that a data controller has not complied with the DPA.

High Court decision

In the High Court, HHJ Seymour refused to order RTM to disclose the 'Alireza file', saying that RTM's search had been reasonable and proportionate and noting that RTM had already disclosed a significant amount of documentation. 

In relation to the claim against RTM's members, HHJ Seymour found that the DSAR was only directed to RTM and the members were therefore under no obligation to disclose the data sought. HHJ Seymour also held that none of the members was a data controller in any case. 

Mr Ittihadieh appealed to the Court of Appeal.

Court of Appeal decision

In the Court of Appeal Lewison LJ dismissed Mr Ittihadieh's appeal, holding that HHJ Seymour had been correct in refusing to order RTM to disclose the 'Alireza file', stating that to do so would be 'wholly disproportionate'. 

Lewison LJ also held that the DSAR had only been sent to RTM and the claim against the individual members had been correctly dismissed.

In his judgment, Lewison LJ gave some useful guidance for data controllers about complying with the DPA, including examining what constitutes personal data and what will be a reasonable and proportionate search.

In relation to proportionality, Lewison LJ confirmed that a blanket refusal to comply with a DSAR will not be justifiable but that, equally, data controllers are not obliged to leave 'no stone unturned' when searching for an individual's personal data and that a search may still be proportionate where some items of personal data are not retrieved.

The judgment also confirmed that for data to constitute 'personal data', it must contain the individual's name (or otherwise identify them in some way) and must have the individual as its focus. The mere fact that a document contains the person's name does not, of itself, mean that it is personal data.

In reviewing the case, Lewison LJ also considered whether the fact that Mr Ittihadieh had made the DSAR to assist him with litigation might mean that RTM was not obliged to comply with it. Lewison LJ concluded that Mr Ittihadieh's collateral purpose in bringing the DSAR did not invalidate it, although he stated that the motive behind a DSAR was a relevant consideration for a court when deciding whether to order further disclosure of documents.

Comment

This judgment is helpful for employers, as it confirms that they are not obliged to perform an exhaustive search for an individual's personal data and that a reasonable and proportionate search of their files and systems will comply with the requirements of the DPA. The judgment also gives useful guidance as to what information will constitute personal data.

DSARs are often used by individuals who are either contemplating or involved in litigation with their employers (or former employers), in order to fish for further documents that may assist them, or to increase the employer's workload in dealing with their case. While it would have been helpful for employers had the Court ruled that companies are not required to comply with DSARs that have a collateral purpose, this would likely have been difficult to prove in practice and it is not surprising that the Court veered away from coming to this conclusion. 

The DPA is due to be replaced by the General Data Protection Regulation (GDPR), which will come into force in May 2018. The GDPR will make some changes to the procedure for complying with DSARs and the information that data controllers are required to disclose. Employers should make sure that they are aware of how the new data protection regime will operate under the GDPR and consider what changes they may need to make to their existing policies and systems.