Carla Benest

Partner | Jersey

Mathew Cook

Partner | Jersey

Update

Data Subject Access Requests: How To Deal

30 March 2016

"Data Subject Access Requests" (DSARs) are a potential minefield for data controllers. The objective behind Article 7 of the Data Protection (Jersey) Law 2005 (the Law), under which such requests are made, is clearly an important and well-intentioned one, namely giving individuals the right to know what any party they provide their data to is doing with that data (i.e. where it is processed, who has access to it, which third parties it may be transferred to, etc.). However, commonly, a data subject access request is used to gather evidence for use in a complaint and, potentially, litigation. The Royal Court set out some guidelines for those dealing with data subject access requests in the recent case of Dr Amar Alwitry -v- The States Employment Board and another [2016] JRC050.

The background to this particular case concerned an offer of employment at the General Hospital made to Dr Alwitry. Dr Alwitry entered into a contract of employment on 24 August 2012 and started the process of moving himself and his family to Jersey. He claimed it had been his dream to do so, having been brought up in Jersey and his medical training being paid for by the Island. However, the States Employment Board (SEB) revoked the contract on 22 November 2012 prior to Dr Alwitry starting work and the dream was lost. Dr Alwitry decided to pursue a complaint against SEB, apparently for two reasons:

1. because he wanted to know why the contract had been revoked before he even arrived in Jersey; and

2. because he considered there to be legitimate patient safety concerns arising from the handling of his contract negotiations and the termination of it.

The SEB explained that the contract was terminated because of an irremediable breakdown in relations between Dr Alwitry and his proposed line manager.

Dr Alwitry made DSARs to SEB and whilst certain information was disclosed pursuant to those requests, there remained a dispute in respect of a substantial amount of material.

The Court issued the following guidance to those in receipt of a DSAR:

1. The first duty on the recipient is to review what personal data (and 'sensitive personal data') it has about the data subject. In that regard, there is competing authority in England as to what constitutes 'personal data', and also an apparent difference between the view of the Court and that of the information commissioners. The leading case in England, Durant v Financial Services Authority [2003] EWCA Civ 1746, talked of the data needing to be 'biographical' in nature, but later cases (in particular, Edem v The Information Commissioner and the Financial Services Authority [2014] EWCA Civ 92) suggest that it is more than that, and the Royal Court in this case agreed, saying it includes data 'obviously linked to him'. The position unfortunately remains unclear and can only really be clarified with reference to individual cases, but it does appear that mere mention of someone (i.e. a person's name on an email chain) is not sufficient; rather, it has to be information about the data subject and, as stated by the Court, 'private to him or her'.

2. The Court noted that Article 7 stated that a data controller shall comply with a request, i.e. you start from the assumption that the data subject is entitled to the information;

3. In considering possible exceptions to the obligation under Article 8 of the Law (which allows for refusal where compliance involves 'disproportionate effort') the Court noted that a data controller is not obliged to rely on that exception, and had a discretion to provide information regardless of any such effort (although it would need to also take account of any information on other data subjects that could possibly be disclosed in complying). The question of whether there would be disproportionate effort in complying with the request would need to be considered with reference to the principle of proportionality;

4. When a data controller refuses a request, the Court would then need to make the following assessment:

4.1. Whether personal or sensitive personal data is being processed by the data controller.

4.2. Whether any of paragraphs 1-6 of Schedule 2 (or in the case of sensitive personal data, paragraphs 1-10 of Schedule 3) are met (so that the Court could assess whether data was being processed fairly and lawfully).

4.3. Whether the data controller has contravened Article 7 (which may involve the Court seeking the rationale of the data controller in the decision-taking process).

4.4. Whether the rights of other data subjects need to be balanced with the rights of the data subject making the DSAR and, if so, whether redaction was appropriate.

4.5. Whether the data subject's motivation is disputed, and so whether the Court ought not to exercise its discretion to assist the data subject if there was not a proper purpose for the request.

The final point is one that is particularly interesting. As noted above, a majority of DSARs arise (certainly in our experience) in the context of a dispute, and usually where the data subject knows very well what data is being processed. There have been recent authorities in England (see e.g. Dawson-Damer v Taylor Wessing and others [2015] EWHC 2366) in which the Court said it would not exercise its discretion to order disclosure where the purpose of the request was to obtain discovery of documents that might assist the data subject in litigation of complaints. That case was not referred to the Royal Court in these proceedings, and it may be that the two cases can be easily distinguished (as Dawson-Damer appeared to be a clear case of evidence gathering, whereas it appears that, at least in some part, Dr Alwitry was genuinely looking for information he claimed not to be aware of).

However, the Royal Court did state in its judgment that the data subject would not need to prove valid motivation in seeking to enforce a DSAR. The Court said that there was nothing in the Law to require a valid motive, and having to prove a valid motive would involve proving a negative (i.e. that the DSAR was not for an improper purpose). The Court said it would be for the data controller to prove that any DSAR had been submitted for an improper purpose. This would likely involve careful analysis of the context surrounding the DSAR and any correspondence leading up to it.

The Royal Court in this case also did not appear to have been asked to consider any available exemptions to Article 7. There are some wide exemptions to Article 7, including an exemption to refuse to provide data relevant to negotiations where such negotiations may be prejudiced and data processed for management forecasts or planning. The data controller in this case does not appear to have sought to rely on any of these exceptions.

The Court, after having considered a number of documents itself, ultimately determined that the DSARs were valid, and required certain steps to be taken towards compliance, and gave careful guidance on certain appropriate redactions.

The points set out in this case are of general application and so should be considered by all data controllers. However, it is clear that any particular case must be considered on its individual facts. The key distinguishing factors in any case will be: the extent to which data is being processed; the nature of that personal data; the apparent motivation behind any request (including any views on what the data may be used for); and the extent to which disclosure will also involve disclosure of other data subjects. A data controller must consider all these factors and document its decision-making process. Ultimately, simply handing over a massive print-off of all hits against an individual's name (which is still the norm for many data controllers) is likely to satisfy the requesting party but there is no way back from that disclosure, and it may well itself be in breach of the requirements of the Law.

Mourant Ozannes regularly advises on the obligations arising for data controllers and is happy to assist on any tricky cases, or in developing that all-important policy. Please contact Helen Ruelle, Mathew Cook or Carla Benest if you wish to discuss further.

This update is only intended to give a summary and general overview of the subject matter. It is not intended to be comprehensive and does not constitute, and should not be taken to be, legal advice. If you would like legal advice or further information on any issue raised by this update, please get in touch with one of your usual Mourant Ozannes contacts.

© 2016 MOURANT OZANNES ALL RIGHTS RESERVED

About Mourant

Mourant is a law firm-led, professional services business with over 60 years' experience in the financial services sector. We advise on the laws of the British Virgin Islands, the Cayman Islands, Guernsey, Jersey and Luxembourg and provide specialist entity management, governance, regulatory and consulting services.
