The case of Dawson-Damer and Others v Taylor Wessing LLP  EWCA Civ 74 addresses the questions of whether an organisation can refuse to comply with a data subject access request because compliance will involve disproportionate effort or because the requester intends to use the requested data in litigation.
Any organisation, which processes data relating to individuals has legal obligations in relation to that data (known as personal data) under the Data Protection Act 1998 (DPA). As employers you will hold and process personal data about your employees and you need to comply with the DPA when doing so.
One of the key rights that your employees have under the DPA is a right to ask for confirmation of what data you hold and a copy of that data. Such a request is commonly referred to as a subject access request (SAR).
Usually data relating to employees will be held electronically on your IT systems and in an employee's physical personnel file (although, depending on how files are organised, there can be a technical issue as to whether personnel files are covered under the DPA).
In recent years we have seen an increasing trend towards disgruntled employees (and ex-employees) utilising their right to make an SAR either for the purposes of working out if they have a claim or to obtain information to use in internal grievance or disciplinary processes. There is also a perception that some employees use their SAR rights simply to make life difficult for their employers in the hope of extracting a settlement.
Complying with an SAR in relation to an employee's personnel file is generally straightforward. However, we have seen SARs where carrying out searches for electronic records properly can produce tens of thousands of potentially relevant emails, which then need to be reviewed to make sure that disclosing them does not infringe on the data rights of other employees. The time and cost involved in dealing with such requests can be of serious concern to employers. This is particularly the case when they are only entitled to charge a requester a fee of £10 for making the request, which would not even begin to cover the costs of compliance.
There have been suggestions in cases brought in the Courts that the purpose of the DPA is not to assist the data subject in litigation. However, the Information Commissioner has always been clear that SARs are meant to be 'motive-blind' and its guidance has therefore been that organisations must comply with SARs regardless of the purpose for which data is sought. It is therefore helpful to now have a Court of Appeal decision on this issue, although, as explained below, it may not be good news for employers.
The facts of Dawson-Damer
The Dawson-Damer case concerned an SAR made by beneficiaries of a Trust for information held by a firm of solicitors, Taylor Wessing (TW) who had been advising the Trustees. The Trust was governed by the law of the Bahamas and the beneficiaries would not be able to obtain the information requested in their SAR under Bahamas law. Therefore the SAR could be viewed as an attempt to obtain information to assist in litigation, which the beneficiaries would not be able to obtain through the litigation process itself.
TW refused to comply with the request arguing that the data was covered by legal professional privilege. If this was correct then the data would fall into an exemption from the DPA.
High Court decision
The beneficiaries then brought a claim in the High Court, which has a discretion to order an organisation to comply with an SAR.
The DPA contains an exemption, which says that an organisation does not need to provide copies of data if this would involve disproportionate effort. Therefore, in addition to asserting that the data was subject to privilege, TW argued that, to the extent that its files contained some non-privileged information, the effort involved in identifying which data was and was not privileged would be disproportionate.
The High Court decided:
- That TW's files did contain data that was exempt from being supplied because it was subject to legal professional privilege (in a very wide sense)
- That working out which data was not privileged would take disproportionate effort (meaning TW did not have to provide the data).
- That the Court should not exercise its discretion to order compliance with the request because the purpose of the SAR right was not to assist parties with litigation.
This decision was encouraging news for employers and other organisations faced with potentially onerous SARs. However, the beneficiaries appealed to the Court of Appeal.
Court of Appeal decision
Unfortunately, the Court of Appeal reached a different conclusion to the High Court. We will not go into detail about its conclusions on legal professional privilege because the decision on this was very specific to the facts of the dispute and the interrelationship with the Bahamas law governing the Trust. However, the Court of Appeal decided that TW could not apply legal professional privilege to the large volume of documentation it was seeking to apply it to.
The Court of Appeal then considered the question of disproportionate effort. Helpfully, it did accept that the reference to disproportionate effort in the DPA should be read as referring to the effort involved in searching for documents and not just the effort involved in providing copies of such documents (the beneficiaries had argued for the latter interpretation). However, it went on to say that, on the facts of this case, TW had not demonstrated that the task of separating out privileged and non-privileged documents would involve disproportionate effort.
On the question of whether there was a rule that the Court should not compel compliance with an SAR where the purpose of the request was to assist a person in litigation, the Court of Appeal concluded that there was no such rule. Whilst, in principle, there was no limit on the Court's exercise of its discretion, it could not refuse to order that an organisation had to comply with an SAR simply because the purpose of the request was to assist the requester in litigation.
One of the key guiding principles for the Court of Appeal was that the Data Protection Directive (from which the DPA is derived) does not limit the purposes for which an SAR can be made.
It is clear from the Court of Appeal's decision that an employer will not be entitled to refuse to comply with an SAR simply because it believes an employee wants the information to assist him/her in a claim. Additionally, it is clear from the Judgment that an employer will usually be expected to carry out wide and extensive searches in the pursuit of complying with an SAR. The Judgment refers to an expectation that data controllers will be aware of their rights and have designed their systems to enable them to make most searches for the purposes of complying with an SAR.
However, there is a glimmer of light for employers faced with potentially onerous SAR requests. The Court of Appeal did recognise that whether disproportionate effort is involved in a search needs to be evaluated in each particular case and that, in appropriate circumstances, there will be limits on the search that needs to be carried out. Accordingly, there will be some situations in which an employer can refuse to comply with a wide SAR, although it will need very clear evidence on the effort involved in complying.
The best advice we can give to employers faced with a wide SAR is to seek further information from the employee on the data he/she is looking for and to therefore seek to narrow the scope of the request. Employees are often looking for particular data and dialogue over this can be effective in reducing the size of the task. However, if an employee is unwilling to narrow his/her request, employers should exercise significant caution before refusing to comply based on proportionality.