Subject access? Print E-mail

Applications for compliance with a subject access request are not as straightforward as they should be, says James Pavey

The Court of Appeal’s judgment in Durant v Financial Services Authority [2003] EWCA Civ 1746 excited great interest among practitioners and commentators. It provided the first substantive guidance by an appellate court on key provisions of the Data Protection Act (DPA) 1998. Although the subject of that litigation was alleged non-compliance with a s 7 DPA 1998 ‘subject-access request’, the Court of Appeal gave little guidance on the mechanics of applications for compliance with a subject-access request under s 7(9).

This article explores the procedural and practical issues, as well as the pitfalls. It deals too with applications for compliance with requests to stop processing personal data that causes unwarranted damage or distress (s 10(4)) and with requests to cease processing personal data for direct marketing (s 11(2)). The moral of the story is that these applications are not as straightforward as they first appear – or, perhaps, as they should be.

Statutory provisions

Section 7(1) and (2) provide an individual with the facility to write to a data controller, requesting that the data controller inform him or her what personal data the data controller is processing, the purposes of the processing and any recipients of the data. The data subject can also request copies of documents containing the data. Section 7(3)-(6) and s 8 prescribe how the data controller is to handle the subject-access request: for example, when disclosure of the documents containing the personal data would also disclose the personal data of others. If the data controller does not comply within a statutory maximum 40 days, s 7(9) provides the individual making the request with a means of enforcing compliance:

"If a court is satisfied on the application of any person who has made a request under the foregoing provisions of this section that the data controller in question has failed to comply with the request in contravention of those provisions, the court may order him to comply with the request."

By s 10(1) a data subject may send a ‘data subject notice’ to a data controller, requesting that the data controller cease processing his or her personal data wholly or in part or for some purpose, where the material processing causes or is likely to cause substantial damage or distress and that damage or distress is or would be unwarranted. The data controller is obliged to respond within 21 days, either communicating compliance with the notice or giving reasons why compliance would be unjustified. Faced with non-compliance, s 10(4) provides the data subject with a mechanism for enforcing compliance:

"If a court is satisfied, on the application of any person who has given a notice under subs (1) which appears to the court to be justified (or to be justified to any extent), that the data controller in question has failed to comply with the notice, the court may order him to take such steps for complying with the notice (or for complying with it to that extent) as the court thinks fit."

Section 11 operates in a similar way. Section 11(1) allows a data subject to serve a notice on a data controller requiring the latter to cease or not to begin processing his personal data for the purposes of direct marketing. Where the data controller does not comply, s 11(2) provides the data subject with a means of compelling the data controller to comply:

"If the court is satisfied, on the application of any person who has given a notice under subs (1), that the data controller has failed to comply with the notice, the court may order him to take such steps for complying with the notice as the court thinks fit."

In addition to seeking an order under s 10(4) or s 11(2), a data subject may well seek compensatory damages under s 13 for damage or distress, the latter being available in relation to processing for journalistic purposes.

First things first

Before commencing proceedings under any of these provisions, a data subject needs to consider a variety of compliance issues and potential pitfalls.

Basic definitions

Auld LJ’s interpretation of ‘personal data’ in Durant was more restrictive than the previous interpretations of most practitioners and commentators – and, apparently, that of the Information Commissioner himself. Following Durant, a data controller has greater room than before to argue legitimately that information relating to the individual is not ‘personal data’ or, indeed, ‘data’ at all:

  • Not all information retrieved from a computer search against an individual’s name or unique identifier is personal data.

  • Information must be biographical in a significant sense going beyond the recording of the putative data subject’s involvement in a matter or an event that has no personal connotations. Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data.

  • A relevant manual filing system must be so structured and/or indexed as to enable easy location within it or any sub-files of specific information about the data subject.

    From my experience of responses to subject-access requests since the Court of Appeal’s judgment in Durant, data controllers will rely heavily on these restrictive interpretations – not only to resist initial compliance with a s 7 request, but also to defend proceedings for non-compliance.

    Extent of (non-)compliance

    Section 7(3)-(6) and s 8 prescribe the parameters of the data controller’s compliance with a subject-access request. A potential litigant needs to scrutinise whether a data controller who has apparently failed to comply with a subject-access request is legitimately relying on these sections: there is a large grey area between total compliance and blatant non-compliance. Key questions include:

  • Where relevant documents also contain the personal data of other individuals, has the data controller sought the consent of those people to disclose their personal data? If so, has consent been refused?

  • Is it reasonable to comply without third party consent?

  • Would it require a disproportionate effort of the data controller to provide copies of every item that constitutes the individual’s personal data?

    A s 10(1) data subject notice and s 10(4) compliance proceedings clearly require proof of damage and/or distress. Section 10(2) also requires that none of the first four lawful processing conditions contained in Sched 2 apply. These include processing with the data subject’s consent, processing for the performance of a contract to which the data subject is a party, and processing that is necessary for compliance with non-contractual legal obligations. If any of these four conditions does apply, the data controller’s non-compliance with the s 10(1) notice can be justified and proceedings will be defensible.

    The s 11(1) request is, as suggested, likely to be more straightforward. Although the data controller may start processing the data subject’s personal data for direct marketing with his consent, the s 11(1) request necessarily revokes that consent.

    Timing

    It is essential that the time limits for compliance have elapsed: 40 days for s 7 and 21 days for s 10. As statutory time limits, they are inflexible: any premature application to court would be bound to fail.

    Exemptions

    The DPA 1998 includes total and partial exemptions to compliance with s 7 and s 10 in Part IV and at Sched 7. For example, s 32 provides a total exemption from s 7 and s 10 compliance to journalists in publishing material that they reasonably believe to be in the public interest and where compliance is incompatible with the journalistic purposes. Paragraph 10 of Sched 7 attempts to protect legal professional privilege from s 7 and s 10. Section 35 permits disclosure in connection with legal proceedings or for establishing or exercising or defending legal rights and, thereby, prevents the DPA 1998 stifling the legal process.

    Fishing expeditions?

    Auld LJ in Durant deprecated the use of s 7(9) as a proxy for third party disclosure in or with a view to litigation. Care should, therefore, be taken as to how a s 7(9) request is presented to the data controller in its particular context.

    Pre-Action Protocol Approach

    Unsurprisingly, there is no specific Pre-Action Protocol within the CPR in relation to s 7(9), s 10(4) and s 11(2) DPA 1998 applications. They fall within the catch-all paragraphs of Civil Procedure Rules Practice Directions – Protocols on ‘Pre-Action Behaviour in Other Cases’.

    In certain, limited circumstances, there may not be time for a protocol-compliant approach. For example, where valuable data are being processed in a highly damaging manner, the processing has not been justified and the 21-day compliance period has elapsed, it may be desirable to seek immediate and urgent relief under s 10(4). Likewise, if there is a real possibility that forewarning will assist a data controller to avoid service of proceedings, it may be desirable to issue and serve without pre-action correspondence. Such cases will be very rare and a protocol-compliant approach is recommended to avoid costs penalties and to apply pressure for compliance.

    How to commence

    The wording of s 7(9), s 10(4) and s 11(2) suggests procedural simplicity. However, there is no legislative tie-in to CPR Part 8: they are not necessarily ‘originating applications’. Rather, proceedings can be commenced under Part 7 or Part 8, at the claimant’s discretion. The more streamlined Part 8 procedure will clearly be available and appropriate where there is unlikely to be a substantial dispute of fact (CPR r 8.1(2)(a)). However, Part 8 may not be appropriate if, for example, there is a dispute as to the identity of the data controllers or if non-compliance is justified due to concerns about disclosure of third party data.

    How, then, can a claimant keep the proceedings to a minimum?

    By making an application under Part 25 for an interim injunction at the same time as issuing the claim form and, then, seeking permission to discontinue without costs once the order has been successfully obtained. (The injunction, once granted, would effectively bring proceedings to an end.) This is a high-risk strategy, particularly in costs terms, and will only be a real option where there is demonstrable urgency and a risk of substantial damage to the claimant.

    If the defendant persuades the court that the claimant’s Part 8 claim should continue as if commenced under Part 7, the claimant can argue that it be allocated to the fast track. There may be a dispute of fact, but it may be disposed of at a one-day hearing. Further, pursuit of injunctive relief does not necessarily place the matter in the multi-track.

    An application for summary judgment under Part 24 is clearly another means of bringing proceedings – Part 7 or Part 8 – to an earlier conclusion than at full trial. Though Part 8 is itself intended to provide a simple and swift means of determining cases, a summary judgment application may be listed sooner than a substantive Part 8 hearing.

    Venue

    The Information Commissioner, in his guidance ‘Taking a Case to Court’, sensibly recommends the county court to litigants in person. However, proceedings can clearly be issued in the High Court or in a county court. Nor is there restriction on the Division of the High Court in which to commence. Reported proceedings have been commenced and/or conducted in the Queen’s Bench, Chancery and, even, Family Divisions. R (Lord) v SoS for the Home Department [2003] EWHC 2073 was issued as a Part 8 claim in the QBD and was then transferred to the Administrative Court for judicial review: an order was sought under s 7(9) to quash the Home Office decision not to disclose personal data. This, however, seems to be an overlong procedural route, even when the defendant data controller is a public authority.

    Nature of the remedy?

    This is not just a matter of academic interest. Section 7(9), s 10(4) and s 11(2) all provide that "the court may order" compliance (emphasis added). This suggests a discretionary remedy, which is the approach favoured by the High Court in P v Wozencroft [2002] EWHC 1724 and in Lord. Auld LJ in Durant concurred with Munby J in Lord: the discretion conferred by s 7(9) is "general and untrammelled".

    If Lord and Durant are to be followed – and in Durant this issue was strictly obiter – the following factors will be relevant in the exercise of the discretion:

  • Where the data controller cannot comply without disclosing the data of another, whether it is reasonable in all the circumstance to comply with the subject-access request without the consent of the other person (s 7(4)(b)). Section 7(6) provides criteria by which to measure reasonableness in the circumstances.

  • Whether the supply of the data in a permanent form would require a disproportionate effort by the data controller (s 8(2)(a)).

  • Whether any of the Part IV and Sched 7 exemptions is in play.

    When the court orders compliance, is it exercising its equitable jurisdiction to grant a mandatory or prohibitory injunction or is it exercising a specific statutory jurisdiction conferred by s 7(9), s 10(4) and s 11(2)?

    This question was not answered in Lord or Durant. The former interpretation sits more easily with the "general and untrammelled" discretion described in those cases and would bring into play a number of other factors for the court when making its decision whether to grant relief:

  • Whether the claimant has unreasonably delayed in seeking relief from the court.

  • Whether the claimant has ‘clean hands’.

  • If seeking interim relief to stop processing of data under s 10(4), the familiar principles in American Cyanamid v Ethicon [1975] AC 396.

    The Information Commissioner, in ‘Taking a Case to Court’, appears to agree generally with this interpretation, although he appears, mistakenly, to characterise the order sought as specific performance. As the data controller’s obligations under s 7 are statutory, rather than contractual, the appropriate remedy to plead would seem to be a mandatory injunction, rather than specific performance.

    The approach of Kirsten Houghton, Mr Durant’s Counsel in the Court of Appeal, was very different and relied particularly on the European Data Protection Directive (95/46/EC), which the DPA 1998 implements. Article 12 of the Directive requires member states to ‘guarantee’ every data subject the right to obtain relevant data from the data controller. Article 22 of the Directive guarantees a judicial remedy: "Member states shall provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing remedy." Article 13 enables the member state, in implementing the Directive, to restrict the rights and obligations provided for in certain circumstances: for example, the prevention, detection and prosecution of criminal offences. These broadly correspond with the exemptions under Part IV and Sched 7 of the DPA 1998.

    Miss Houghton argued that the only discretion to be read into the word ‘may’ in s 7(9) was to give effect to the Art 13 restrictions. She also contended that the power to restrict does not empower a court to override the guarantee which the Directive provides. Where, as here, there is conflict between the Directive and the domestic statute, the Directive should prevail. Auld LJ did not favour this approach, in particular as he read principles of proportionality and discretion into Art 13 restrictions.

    In the light of Auld LJ’s obiter remarks, the courts are likely to favour a discretionary approach, probably based on the exercise of the court’s equitable jurisdiction. However, there is clearly scope for argument that the word ‘may’ in s 7(9), s 10(4) and s 11(2) DPA 1998 provides the court with a wider discretion than the Directive and, therefore, conflicts with the more restrictive terms of the Directive, which should prevail. This sits more neatly with the argument that s 7(9), s 10(4) and s 11(2) provide limited, specific statutory remedies, to which equitable bars do not apply. It also provides ammunition for argument before a judge who is reluctant to grant an order.

    What next?

    • The Financial Times reported on 16 July 2004 that Frits Bolkestein, the EU Internal Market Commissioner, had sent a ‘letter of formal notice’ to the (UK) Government setting out five areas in which the DPA 1998 does not properly implement the Directive. I understand that this notice may follow lobbying from Mr Durant, among many others.
    • If the DPA 1998 is amended and strengthened by the Government as a result, the extent of the discretion in s 7(9), s 10(4) and s 11(2) may be limited. It is hoped that the Government will also take the opportunity to clarify and streamline the procedure for obtaining orders under these sections.

    James Pavey is a partner in specialist litigation solicitors, Knights

    		•
     
    [ Back ]