High Court Refuses to Order Subject Access Compliance

on Friday, 10 February 2017.

An application to order compliance with a subject access request was refused by the High Court in the case of Holyoake v Candy because the data controller's searches were found to be reasonable and proportionate, and the legal professional privilege exemption had been properly claimed.

Legal Background

Individuals are entitled to know:

  • whether an organisation (a 'data controller') is holding personal data which relates to them
  • what that information is
  • the source of the information
  • how the organisation uses the information and
  • who the information has been or may be disclosed to

Individuals are also entitled to request a copy of the personal data which an organisation holds about them. This right can be exercised by the individual making a subject access request (SAR). Generally, the data controller is then required to provide the requestor with their personal data within 40 days of that request.

There are various exemptions that might apply regarding whether personal data should be disclosed to the individual in response to their SAR. The application of one of the exemptions - information that is subject to legal professional privilege - was put to the test in this case in the High Court.

The Facts

Mr Holyoake and Mr Candy are involved in a long running dispute relating to a loan agreement.

Mr Holyoake had made a SAR to Mr Candy, which he had narrowed down at a later stage. Mr Candy had responded to the narrowed SAR but had relied on legal professional privilege for some documents, arguing that they were excluded from the response.

Mr Holyoake subsequently made an application to the court to order compliance with his SAR. He argued that legal professional privilege had been lost because he claimed that the documents had been created for the purposes of criminal or fraudulent activities.

In deciding whether to order compliance in accordance with Mr Holyoake's application, the court had to consider:

  1. whether adequate searches had been carried out when responding to the narrowed SAR
  2. whether Mr Candy had correctly relied upon the legal professional privilege exemption

Decision

The High Court found that the searches undertaken by the data controller had been reasonable and proportionate and the legal professional privilege exemption had been correctly relied upon. Therefore, Mr Holyoake's application to order further disclosure in response to his SAR was refused.

Mr Holyoake alleged that there had been a failure to search directors' private email accounts. However, as there was no evidence that the private email accounts had been used for company business, the High Court said that there was no requirement for the business to have searched them. The High Court observed that the data controller is only obliged to carry out searches insofar as they are reasonable and proportionate. The searches undertaken in this case met that criterion.

In relation to the legal professional privilege issue, the court considered that there was sufficient evidence to show the exemption had been validly relied upon and there was insufficient evidence to support Mr Holyoake's position.

Best Practice

Upon receipt of a SAR, data controllers are under an obligation to make reasonable and proportionate searches to find the individual's personal data. In practice this can mean detailed searches of locations where the data controller considers that relevant information might be located, speaking to relevant staff members and keyword searches on its computer system.

It seems to us that the High Court will often find that the searches carried out met the 'reasonable and proportionate' threshold. As such, the High Court's interpretation of what a 'reasonable and proportionate' search is arguably differs from the viewpoint taken by the Information Commissioner's Office (ICO). The ICO's view has been that data controllers are obliged to make very extensive efforts to locate personal data relevant to a SAR, giving guidance to the effect that "it will never be reasonable to deny access to the requested information merely because responding to the request may be labour-intensive or inconvenient".

Data controllers should always act carefully when dealing with SARs, as the way in which they respond can give rise to a number of significant legal, practical and reputational issues, particularly in light of the differing views taken by the ICO and the High Court as to when a search may be 'reasonable and proportionate'. This decision is an example of the opportunity data controllers have to seek advice and to think tactically about their response to a SAR in order to develop a strategic response to the request.


For more information, please contact Mark Stevens in our Employment Law team on 0117 314 5401.