Disclosure duties following a Data Subject Access Request

In the case of Dawson-Damer v Taylor Wessing LLP, the High Court has confirmed that, when considering whether personal data is held as part of a “relevant filing system”, the focus has changed from considering the burden on the data controller to the need to protect the data subject.

Employers could therefore now be required to disclose all personal data which can be “easily retrieved” by reference to specific criteria “related to individuals” when responding to a data subject access request. Further, this case highlights that where an employer claims that the time and costs associated with complying with a data subject access request would be “disproportionate”, the employer will be required to provide evidence.

Facts

The law firm Taylor Wessing (TW) acted for the trustee of a family trust. The Claimants, who were beneficiaries under the trust, sought to challenge the validity of the appointments and made data subject access requests (DSARs) under the Data Protection Act 1998 (DPA) seeking all data of which they were the data subjects to assist with their challenge.

TW replied to the DSARs, stating that:

  • All personal data held was covered by legal professional privilege and was therefore exempt from disclosure; and
  • Paper files which were kept by them prior to moving to an electronic filing system were exempt under the DPA as they were not held as part of a “relevant filing system”.

Dissatisfied with this response, the Claimants began proceedings to obtain a declaration that TW had failed to comply with the DSARs and requested an order requiring them to do so.

Decision

On remission from the Court of Appeal, the High Court considered four issues in respect of the DSARs. In this article, we address the two issues that we consider most relevant to employers when responding to DSARs:

Were paper files maintained by TW a “relevant filing system” for the purposes of the DPA?

Here, the papers were held in 35 paper files under the client description, “Yullis Trusts” and arranged in chronological order. The judge found that the papers could be “easily retrieved” and were therefore held as part of a “relevant filing system” for the purpose of the DPA. TW was therefore required to search the paper files for personal data relating to the Claimants.

The judge in this case considered that the criterion of whether the data could be “easily retrieved” was to be examined in the context of whether the data was structured by reference to specific criteria “related to individuals”.

Had TW breached its obligations under the DPA by failing or refusing to carry out reasonable and proportionate searches for the Claimants’ data?

TW had not provided evidence showing the time and cost that would have been involved in conducting a search for one of the categories of the Claimants’ personal data. It was therefore found that they had failed to demonstrate that the search would have been disproportionate.

The judge went on to find that it would have been disproportionate to have required TW to conduct searches of documents held on a back-up system as it would, in this case, have led to a disclosure of confidential information or personal data about TW’s employees and clients. The back-up system was found to hold too many documents for it to have been reasonable for TW to have searched through the entire system when the relevant documents would have been easily found on a site search of the document management system. The judge further went on to find that searches of current employees’ personal accounts where documents and emails could be saved would not be considered disproportionate.

Comment

Although this case was decided under the old legislation (the Data Protection Act 1998), it provides useful guidance for employers when dealing with DSARs under the new GDPR. When responding to a DSAR, employers should be mindful that:

  • When considering what constitutes a “relevant filing system”, there has been a shift in focus from considering the burden being placed on the data controller to the need to protect the data subject. This has resulted in a broader interpretation of the wording. Employers should therefore consider carrying out a search for personal data in circumstances where data relating to individuals can be “easily retrieved”, rather than only in circumstances where data is held in a system broadly equivalent to a computerised system, as was previously the case.
  • Where it is claimed that the time and cost associated with carrying out a search is disproportionate, clear evidence should be provided.
  • Each DSAR should be considered on an individual basis and employers will be required to show that they have taken all reasonable steps to comply with it to avoid costly proceedings being brought by employees.
