In the conjoined cases of Ittihadieh v 5-11 Cheyne Gardens RTM company and ors and Deer v University of Oxford, the Court of Appeal has provided guidance on how judges should exercise their discretion when asked to order a data controller to comply with a subject access request under section 7(9) of the Data Protection Act (DPA).
Ittihadieh – facts and High Court decision
Mr Alireza Ittihadieh was a member of the RTM company which managed the block in which he lived. However, following a series of disputes with the other residents, he made a subject access request to the company for data. He also threatened to bring claims for discrimination, harassment and victimisation.
The company disclosed about 400 documents which included a reference to an "Alireza file". When it refused to disclose that document to him, he asked the High Court to make an order requiring the company to comply under section 7(9) DPA. The High Court judge refused to make an order to that effect.
Deer - facts and High Court decision
Dr Deer, a PhD student and employee at the university between 1996 and 2000, brought a number of claims against the university alleging victimisation. During the proceedings she made two subject access requests for information relating to the job reference and her complaints about the refusal to provide it. The university refused to comply on the basis that the reason for her request was to help her tribunal litigation.
She brought a claim in the High Court alleging that the university had failed to respond to her subject access request. The High Court judge ordered the university to carry out further searches which produced a number of new documents. However, when Dr Deer made an application for the disclosure of documents which had been withheld on grounds of legal professional privilege, the court refused holding that none of the withheld documents constituted personal data and exercised its discretion not to require the university to take any further steps because it would not serve any useful purpose. Dr Deer appealed to the Court of Appeal.
Decision of Court of Appeal
Dealing first with the definition of personal data, the Court of Appeal held that just because there was a reference to a person’s name in a document, that did not mean that every piece of information in a document referring to that person amounts to personal data. In that case it would be enough to inform the person how their name had been recorded without being obliged to disclose the documents themselves.
Although the implied obligation is limited to a reasonable and proportionate search, that does not necessarily mean that every item of personal data relating to an individual will be retrieved. Accordingly the mere fact that a more extensive search reveals further personal data does not automatically mean that the first search was inadequate.
In terms of the discretion of judges to order the data controller to comply with the request, the court said that they should consider:
- whether there was a more appropriate way to obtain the requested information, such as by disclosure in legal proceedings
- the nature and gravity of the breach
- the reason for making the request. Although data subjects do not have to say why they are making a request, the absence of a “legitimate reason” would influence how the court exercised its discretion. However, having a “collateral purpose” would not be an absolute bar
- If the application constitutes an abuse of rights
- Whether the request is for documents rather than personal data
- The potential benefit to the data subject.
This case agrees with the finding in the case of Dawson-Damer that a request for personal data is not invalid because it is made for the collateral purpose of assisting litigation. However, the absence of a legitimate reason may have a bearing on whether a court will, when exercising its discretion under section 7(9), order compliance with a subject access request.