The Court of Appeal had to grapple with the issues of subject access requests in the course of a case back in December. This issue is a very common one faced by a wide range of businesses, both large and small who are concerned about potential litigation implications from subject access requests.
The relevant case was between Durham County Council and a Mr Dunn. Mr Dunn had allegedly suffered abuse whilst in care in the 80’s and his lawyers had written to Durham County Council looking for disclosure of lots of information before any formal legal proceedings had been brought.
His lawyers cross-referred in part to the Data Protection Act 1998 (DPA) but did not couch their request expressly as a “subject access request”.
Durham contested some of the disclosures and did not provide the information requested.
Mr Dunn’s solicitors brought formal court proceedings some three months later. The disclosure issues then resurfaced. Durham disclosed much of the information requested, but refused to disclose in full the personnel files of three individuals they employed whose activities were relevant to the case, arguing that this required the individuals consent or order of the Court.
This outstanding issue proved very contentious because the files included the names of other individuals including children in care at the time, who Mr Dunn’s solicitors wanted to approach as potential witnesses.
The disclosure issues were considered in two hearings and then appealed to The Court of Appeal.
What was all the fuss about?
In broad terms, section 7 of the DPA gives individuals’ the right to be provided with all information an organisation holds about him or her, together with the source of that information, in intelligible form. This right is generally referred to as a “subject access request”. A request has to be honoured quite quickly - within 40 days. A small fee can be charged.
This right is not absolute though. If the information can’t be provided without disclosing information on other people, it must be reasonable to disclose that other information, or those other people must consent. This requirement can be circumvented by redaction.
There is a specific statutory remedy provided in the DPA for failure to comply with a subject access request.
There is also a general exemption in the DPA allowing disclosure if it is required by another law, court order, or necessary for the purpose of legal proceedings or obtaining legal advice. This point is particularly significant because procedural issues in litigation are not specifically dealt with in the DPA. They are covered by a set of separate “Civil Procedure Rules” or “CPRs” which include amongst other things, general rules about the disclosure of documents. These rules also have the force of law.
The clash between Durham and Mr Dunn’s solicitors therefore turned on the interplay between the DPA and the CPRs.
Lessons to take away.
- Don’t mix up the DPA and CPRs. An individuals’ right to make a subject access request is completely separate from the position under the CPRs. In the Court’s own words, a subject access request can be made “before, during or without regard to legal proceedings”.
- A subject access request can be legitimately used as a tactical measure. Again in the Court’s own words, “a request prior to the commencement of proceedings may be attractive to prospective claimants and their solicitors. It is significantly less expensive than an application to the Court [for early disclosure under the CPRs]…[and]may result in sufficient disclosure to satisfy the prospective claimant’s immediate needs.”
- Subject access requests can be made by third parties acting on an individual’s behalf (e.g. solicitors as in the present case). This point is well accepted but is worth remembering. An organisation should always take steps to ensure that any third party is appropriately authorised to act for the individual though; disclosure to an unauthorised person would be a security breach contravening Principle 7 of the DPA.
- There are few formalities for subject access requests. This point was not directly addressed by the Court of Appeal, but the tone of its judgment arguably indicates that Mr Dunn’s solicitors could have pursued a remedy under the DPA for breach of subject access request had they chosen to do so. This position is in line with accepted guidance and general practice. Requests just have to be in writing, identify the relevant individual making the request and be clear as to the information being requested. They do not have to expressly refer to the DPA, or be called a “subject access request”.
- A subject access request is not as comprehensive as disclosure under the CPRs though. It just requires intelligible information to be provided, and the Court was of the view that the DPA could be satisfied without providing (for example) documents, redacted or otherwise. It is therefore open to an organisation to consider responding to any such request in a way that is compliant, but does not give the same picture as full litigation disclosure under the CPRs.
- The remedy for failure to comply with a subject access request is set out in the DPA, and is separate to the CPR regime. This process is not quick or painless; the Court’s view is that it would be “time consuming and expensive in any event”. As alluded to above, the Court formed the view that Mr Dunn’s solicitors did not pursue this issue, in spite of their original request not having been honoured during the statutory timescale.
- Clarity and consistency is the best policy at all times. This point was only indirectly addressed by the Court of Appeal, but it is hard to challenge. The first court proceedings had been applied for and conducted under the CPR disclosure regime as opposed to the DPA, yet both parties (and the original judge!) had then confused the two regimes in their discussions and focussed far more on DPA issues rather than the CPRs. The end result was a something of a legal mess, further dispute, further court hearings and additional loss of time, expense and no doubt stress for all concerned.
- If disclosure under the CPRs is sought, the DPA drops away. In Mr Dunn’s case, the Court had to balance the potential witnesses’ rights of confidentiality and privacy against Mr Dunn’s right to a fair trial, all of which arise under the European Convention on Human Rights. The DPA is irrelevant (and includes provisions which say as much) as the Court expressly acknowledged: “It [the DPA] leaves it to the court to determine the issue by the application of the appropriate balancing exercise under the umbrella of the CPR…the court’s decision [then automatically determines the position on] disclosure under the DPA”. That clears that one up then!
The Court went on to set out the criteria for making a decision under the CPRs, but this is really a matter for litigators and not a privacy issue.
Ultimately the Court found for Mr Dunn’s solicitors and ordered the relevant documents to be disclosed in full.
Other points to note
The Information Commissioner’s Office is consulting on a new subject access code of practice which obviously has some relevance to the issues discussed in this case.