by Breda O'Malley August-07-2015 in Employment Law

Breda O'Malley discusses the interaction between Subject Access Requests under Data Protection Legislation and Discovery in litigation. The aim of this article is to provide a user-friendly summary of the position for employment lawyers and those working in HR. This summary is particularly relevant where a Subject Access Request is made in circumstances where there is existing or anticipated litigation.

The Subject Access Request

One of the fundamental rights for individuals under the European Data Protection Directive is the right to access their personal data. This right is significant as it provides a means for individuals to verify the accuracy of any personal data held about them and to assess the lawfulness of the processing of that data.

The mechanism by which individuals can exercise these rights is the Subject Access Request (SAR). The SAR is a process under the Data Protection Acts (“the Acts”) whereby an individual may access any of their personal data held by third parties, on the payment of a small fee, provided their request meets certain procedural requirements.

While the SAR may sound relatively straightforward, it can be difficult to comply with in reality.  Over the past number of years, there has been a noted increase in the number of SARs being made under the Acts by individuals seeking documents pertaining to them. This is perhaps increasingly relevant where the significant reliance on email and other forms of electronic communication results in large volumes of data being processed on a daily basis.

In the context of litigation, it seems that SARs have also become a common tool employed by litigants, in advance of any formal Discovery orders. It may be the case that such requests constitute nuisance tactics whereby a litigant may attempt to avail of information earlier than required by Discovery disclosure, or simply to put pressure on the other side as SARs must be responded to within a 40 day period. Consequently, it is no surprise that answering such SARs can be both time-consuming and risky.

Irish context

The difficulty in Ireland is that the area of data protection and the definition of “personal data” has surprisingly not been the subject of much consideration by the Irish courts. This gives rise to an unfortunate degree of uncertainty.

With regard to SARs, the leading case is that of Dublin Bus v Data Protection Commissioner [2012] IEHC 339. Importantly, the Court held that the existence of legal proceedings between a data requester and a data controller does not preclude the requester from making a SAR, nor does it justify the data controller refusing the request.

In terms of exceptions to the right of access, the Data Protection Act 2003 imposes restrictions where:

  • The supply is not possible or would involve disproportionate effort, or
  • The data subject agrees otherwise.

In Dublin Bus, the Court quite clearly refused to entertain any further possible exceptions 

In the recent decision of Kinsella v Wallace, Monaghan and Bank of Scotland Plc [2013] IEHC 573, the Irish courts again examined the relationship between SARs and Discovery, this time noting that a party cannot claim, in response to a request for Discovery, that his opponent does not require Discovery of certain documents as that party has already obtained copies of these documents by way of a SAR. Therefore, as a matter of Irish law, the existence of litigation is irrelevant to the data controller's duty to supply the relevant personal data pursuant to a SAR and vice versa.

English context 

When advising clients operating in the UK, it is important to bear in mind that when it comes to SARs being made in the context of litigation, there has been a notable divergence between the approaches of the Irish and English courts.

The most high profile UK decision in this regard is the case of Durant v Financial Services Authority [2003] EWCA Civ 1746. In this decision, the UK Court of Appeal found that parties who receive a SAR may be justified in refusing to comply with the request in circumstances where the requester has initiated legal proceedings. 

However, following guidance issued from the UK Information Commissioner’s Office and the more recent decision in Efifom Edem v Information Commissioner and Financial Services Authority [2014] EWCA Civ 9,the English courts may beless likely to accept a broad application of Durant as a justification for refusing to comply with SARs

Conclusion – European reform

The concept that individuals should have a right to access personal data held about them has been a core value of data protection legislation for some time now. However, from a data controller’s perspective, the area of SARs is more complex than one would assume. These complexities are further compounded by:

  1. The interaction between SARs and Discovery
  2. A lack of judicial authority from the Irish courts
  3. The divergent approaches of the English and Irish courts.

The recent decision by the Irish courts in the Dublin Bus case suggests a reluctance to follow older UK jurisprudence as does the most recent English decision in Efifom Eden. With the number of SAR related complaints on the rise, there is a need for further clarity to assist data controllers in fulfilling their obligations under the Acts. It is envisaged that the forthcoming reform of European data protection law will change the position for the better. All 28 member states have now agreed to the new regime which will hopefully result in increased uniformity of data protection law across the European Union. For the time being however, organisations who receive SARs must be familiar with their obligations under the Acts which need to be fully complied with even in circumstances where there is ongoing or impending litigation.

 

For further information, please contact Breda O’Malley bomalley@hayes-solicitors.ie at Hayes solicitors.
Back to Full News