You need only do what’s reasonable and proportionate in responding to a subject access request
Have you ever received a subject access request? In other words, has an employee, or someone else, written to you pursuant to the Data Protection Act 1998 to say that you must provide to them copies of all documents, or all documents of a certain type, relating to them? First, as a general rule you must comply with the request – we’re not going to provide you with a blanket excuse to refuse. But if you thought the subject access request was too extensive, read on.
We can see the purpose of such a procedure: if you control data relating to another, you must use it fairly and be prepared to let them see it. But let’s face it – it can be quite a nuisance to be faced with such a request, and can test the administrative skills of the fairest business. You normally need to comply within 40 days, which normally comes more quickly than expected.
But quite how extensive must your search for documents be? A recent High Court Judgment, from January 2017, Holyoake v (1) Candy (2) CPC Group Limited, provides useful guidance on this. In brief, the court confirmed that the search must be reasonable and proportionate – in the circumstances of this case, asking directors to search their personal email accounts went beyond what was expected.
The case also relates to the exemption for documents protected by legal privilege – as you may be aware, in many circumstances, if you receive advice from a lawyer then that advice should remain confidential and not disclosed, either under a subject access request (as in this case) or in legal proceedings. In this case, the claimant asked the court to inspect the documents to make sure make sure that legal privilege was applied correctly and that no exemption applied. The court refused to inspect the documents – in particular, the court considered the claimant’s arguments to be too speculative.
For a more thorough and technical, yet very readable, summary of this case you may want to see the linked article, which appears on a blog about information law maintained by the four barristers who happen to have acted on this case: two on each side. As the article explains, this is a useful case for data controllers – in other words, anyone holding information relating to individuals.