Data protection rules (including GDPR and the UK Data Protection Act 2018) allow for individuals to make so-called “Subject Access Requests” (SARs) where they can seek to obtain copies of the personal data held about them by organisations and certain other related information about how that data is stored and processed. Recent rulings by the English High Court in the case of Lees v Lloyds Bank plc and in Scotland by the Sheriffdom of Glasgow and Strathkelvin have shown possible limits to dealing with SARs, which this brief article looks at.
What are these cases about?
The background in the English case is as follows:
- An individual, Mr. Lees, obtained (buy-to-let) mortgages for three properties with Lloyds Bank Plc (Lloyds), which later became subject to orders for possession;
- Mr. Lees brought legal action concerning the mortgages and also submitted a number of SARs to Lloyds between 2017 and 2019, which Lloyds responded to;
- As regards the SARs, Mr. Lees claimed that Lloyds had failed to provide a copy of his personal data contrary to both GDPR and the UK data protection regime that preceded it.
The background in the Scottish case (a different jurisdiction to England & Wales) is as follows:
- An individual made an application to a court to obtain social work records relating to two of their children from an unnamed local authority. The court ordered the local authority to produce the documents to the court, which it did, but in substantially redacted form;
- The court stated that “[t]here were varying degrees of sophistication in the redaction and the text obscured went from a few words to whole pages”. The court considered that this “unilateral interference with the documents produced might amount to a form of contempt of court”;
- The court therefore held a hearing on the matter and invited a senior officer from the relevant department of the local authority and also a representative from the legal services department to attend the hearing to explain to the court what had occurred;
- The officials from the local authority explained at the hearing that prior to providing the documents to the court a SAR had been made to the local authority seeking access to the same documents. The officials said that erroneous legal advice had been provided – the advice was that the material provided under the application to a court to obtain social work records “should be redacted as if it had been material recovered by way of a SAR” – which the officials apologised for, and they also told the court that an internal investigation had consequently been undertaken.
What did the courts decide?
Concerning the SARs issue the English High Court ruled that:
- Lloyds had provided Mr Lees with an answer to each of the SARs;
- Whilst it had discretion to make an order to require Lloyds to comply with the SARs, even if Lloyds had not complied with the SARs, the court would not make such an order because: there were numerous and repetitive SARs, which was abusive; the real purpose of the SARs was to obtain documents rather than personal data; there was a collateral purpose behind the SARs, i.e. to obtain assistance in preventing Lloyds bringing claims for possession – the court stated that “a collateral purpose of assisting in litigation is not an absolute answer to there being an obligation to answer a […]SAR, but it is a relevant factor in the exercise of the court’s discretion. In this case Mr Lees has formed, so it appears, a fixed view that the benefit of loans made to him have been the subject of securitisation without having any evidence to support that belief”; the sought-after information would be of no use to Mr Lees; and, the claims for possession had been the subject of final determinations in the lower court from which all available avenues of appeal had been exhausted.
Concerning the SAR issue, the Scottish court ruled that:
- Taking all the circumstances into consideration the court decided not to make a finding of contempt of court against the local authority as its behaviour “could not be regarded as conduct which was intended to be offensive to the dignity and authority of the court”. The court accepted that “the efforts to comply with the [court order] were plainly conflated with and confused by the simultaneous compliance with the SAR for broadly the same material.” The court also acknowledged that the local authority had dealt with the matter internally in an appropriate manner, including arranging for “refresher training” and had apologised to the court for what had happened.
What are the takeaways?
The Lees judgment shows that courts are prepared to deny legal challenges over SARs in certain circumstances, including where there is a collateral purpose. The ICO’s existing SARs Code of Practice, however, suggests otherwise, stating “Whether or not the applicant has a ‘collateral’ purpose (i.e. other than seeking to check or correct their personal data) for making the SAR is not relevant.” That said, the ICO has now revised its official guidance on SARs (see here https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/right-of-access/), which doesn’t mention this. A takeaway for now, therefore, is to bear in mind that the ICO and a court could take different approaches as to when a SAR made for a collateral purpose has to be responded to.
The key takeaway of the Sheriffdom of Glasgow and Strathkelvin judgment is to consider factoring in possibly different considerations when dealing with the same documents in responding to SARs and in handling other procedures respectively, especially in court proceedings; otherwise, as in this case, there is a risk of falling foul of contempt of court rules.
Finally, businesses should consider either reviewing their existing policy on SARs or creating a new policy, especially now that there is new ICO guidance on SARs.
Organisations should ensure that in their practices, documentation and training they are getting the message across about this issue – a quick audit might also reveal if any immediate action needs to be taken.
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance. GDPR Navigator includes:
- Detailed guidance on the security aspects of GDPR in paper and on film;
- A template data breach log;
- A template data breach plan; and,
- A template data breach reporting form.
For information about our Breach Navigator tool please see here: https://www.corderycompliance.com/solutions/breach-navigator/
We report about data protection issues here: http://www.corderycompliance.com/category/data-protection-privacy/.
For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.
The two UK court rulings can be found here: https://www.bailii.org/ew/cases/EWHC/Ch/2020/2249.html
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
- Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
- André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785