Data Protection: Compliance with subject access requests
Section 7(9) of the Data Protection Act 1998 allows a court to order a data controller to comply with a request where he or she as failed to comply with any of the provisions of section 7 (right of access to personal data). In two recent cases (Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd & Ors  EWCA Civ 121, heard together with Deer v The University of Oxford), the Court of Appeal dismissed appeals, refusing to exercise its discretion under s.7(9).
In doing so, it confirmed that where a data controller receives a subject access request the obligation to search documents is limited to what is reasonable and proportionate (unless the request has been made in connection with actual or contemplated litigation – see Dawson-Damer and others v Taylor Wessing LLP  EWCA Civ 74). The factors to be taken into account when achieving a balance between data subject rights and data controller interests include having a legitimate reason for the request, and the data subject’s motives may be relevant to the court when exercising its discretion, and may have direct consequences on any costs orders involved. The Court found that the data controller had carried out a reasonable search (of 17,000 documents) and correctly relied upon legal professional privilege, confirming that the Court would only inspect such documents if it could be demonstrated that the party relying on the privilege either misunderstood their duty, could not be trusted to make such a decision or there is no reasonably practicable alternative.
Published: 22 March 2017
Article Sections: Miscellaneous