Data Subject Access Requests in the UK: Latest High Court Guidance – Recipients and Sources of Information
A recent High Court decision concerning compliance with a data subject access request considered the basis upon which an individual can require the data controller to provide the names of those in receipt of his or her personal data and the sources of those data.
Introduction
The claim in Rudd v Bridle (1) and J&S Bridle Limited (2) was brought under the Data Protection Act 1998 (DPA 1998) prior to its replacement by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. It is, however, likely still to be useful guidance for dealing with subject access requests – as well as understanding how the court addresses an application for an order for disclosure of personal data on the basis of breach of the requirements for compliance with a DSAR. The case is of particular interest because the claimant sought a court order that the names be disclosed to him of recipients of his personal data and of the sources of that personal data. The defendants in this case had withheld and/or redacted the information that the claimant sought.
The claimant, Dr Rudd, was a consultant surgeon who acted regularly as an expert witness in proceedings where it was alleged that damage had been caused to individuals by exposure to asbestos cement products. The first defendant in the proceedings, Mr Bridle, was an active campaigner relating to asbestos issues who made complaints about Dr Rudd to the General Medical Council, which were dismissed, alleging that Dr Rudd had falsified risks relating to asbestos. Mr Bridle also made complaints about Dr Rudd to the Justice Secretary and various MPs alleging that Dr Rudd was conspiring with claimant law firms to provide false evidence. Mr Bridle was also involved in the sending of a letter to Dr Rudd by a Thailand law firm on behalf of unnamed white asbestos manufacturers.
As a result of his concerns that Mr Bridle was operating a campaign to discredit and intimidate him in relation to his testimonies as an expert witness, Dr Rudd served data subject access requests (DSARs) on Mr Bridle as well as J&S Bridle Limited which was a company controlled by Mr Bridle and his son. These DSARs sought amongst other things information about the identities of those who Dr Rudd was concerned had been collaborating with Mr Bridle in his activities. Dr Rudd argued that the responses he received to these DSARs were inadequate and commenced proceedings under what was then section 7 of the DPA 1998 seeking orders compelling the defendants to provide further information.
The identity of recipients of personal data
Noting the important point that a DSAR entitles the individual making it to information as opposed to documents, the Court considered whether Dr Rudd had a prima facie right to know the identity of the recipients of his personal data and, if so, whether the defendants had a right or duty to withhold that information. Consistent with the view of the Information Commissioner’s Office (ICO) in its Subject Access Code of Conduct, the Court considered that under section 7 of the DPA 1998 Dr Rudd, as a data subject, was (only) entitled to a description in general terms of persons or organisations to whom his personal information may be given and not to their names. That said, the Court indicated that the requisite description to be provided will depend on the circumstances – if disclosure is made to a class of people then a description of that class will suffice whereas, if there is just one recipient, that recipient must be described. The example description given for a class of recipients was “I will or may disclose these data to the readership of the Daily Globe” whereas for a single recipient the example given was “on 14 October 2017 I told a medical practitioner that I had caught measles from the claimant.” The Court held that the information which had been provided to Dr Rudd in response to his DSARs did not comply with the requirements of section 7 of the DPA 1998 as no indication had been provided of the nature or status of the person, firm or company to whom the relevant data, set out in specific emails, were sent.
However, Dr Rudd also advanced a separate argument that he was entitled not just to a description but actually to be informed of the names of the people with whom the defendants were corresponding, on the basis that they formed part of his personal data. The defendants resisted this on two grounds – that the names of those individuals did not form part of Dr Rudd’s personal data, as they did not relate to him, and that a data controller is not required to disclose information relating to another individual such as the person’s name and email address. The Court held that the identities of those who it was alleged had conspired, assisted or collaborated with Dr Rudd in his alleged fraud, as well as those to whom allegations of fraud had been made, were part of Dr Rudd’s personal data. This information was focused on Dr Rudd and was therefore “biographically significant” such as to constitute personal data.
Third party identification
In resisting an obligation to disclose the identities of third parties, the defendants also sought to rely on section 7(4) of the DPA 1998. This provides that, where a data controller cannot comply with a request without disclosing information relating to another individual who can be identified from that information, the data controller is not obliged to comply with the request unless the individual has consented to such disclosure or disclosure without the individual’s consent is reasonable in the circumstances. The Court took the view that the defendants had not considered the issue, despite the guidance provided in the ICO’s Code of Practice that a data controller must not apply a “blanket policy” of withholding information in such circumstances, but must make decisions about disclosure of third party data on a case-by-case basis.
Sources
The Court held that the names of the sources of the personal data relating to Dr Rudd held or processed by the defendants did not form part of Dr Rudd’s personal data as this data did not concern him and the data which had been disclosed to him was comprehensible without that additional information about its sources.
Excerpts and context
Dr Rudd argued that the defendants had not complied with the obligation to provide the disclosable data in “an intelligible form” to the extent that the disclosure only of extracts from paragraphs and incomplete sentences rendered the disclosures unintelligible. The judge rejected the argument that the entirety of the relevant paragraphs and sentences should have been disclosed on the basis that data can be disclosed in an intelligible form without its full context or indeed the whole sentence within which the data is contained.
Processing
In relation to the requirement that the data controller provide a description of the purpose of the processing of the data subject’s personal data that it conducts, the judge indicated that a general description confirming the essence of what the data controller is doing with the data will suffice. The data controller need not provide this explanation on a document by document basis.
Other exemptions
Mr Bridle was also unable to persuade the Court that the exemptions covering journalism, regulatory activity and legal professional privilege applied in these circumstances to justify non-disclosure of the material which Dr Rudd sought.
Remedy
In determining the appropriate remedy on a successful complaint of inadequate compliance with a DSAR, the Court must take into account the various non-exhaustive criteria identified by the Court of Appeal in the Ittihadieh case. These include whether there is a more appropriate route to obtaining the information, the nature and gravity of the breach, the reason for the DSAR having been made, whether making the DSAR was an abuse of the data subject’s rights procedurally or in terms of imposing a burden on the data controller, whether the real quest is for documents rather than information and whether the personal data is of no real value to the data subject. If the data subject has already received the information by some other means, this may be a reason not to make an order, whereas if the data subject legitimately wishes to check the accuracy of his personal data, this may be a reason for exercising the discretion to make an order. The discretion to order compliance will normally be exercised if there are no other material factors other than a valid DSAR and the data controller having breached its obligations to conduct a proportionate search.
Applying these principles to this case, the Court took into account the gravity of the accusations made against Dr Rudd by Mr Bridle, the validity of the DSARs lodged, that the defendants’ breaches were not merely minor and trivial and that the further information sought was significant. The Court ordered that Dr Rudd be provided with:
- descriptions of the recipients, actual or intended, of the personal data. They did not, however, need to be specifically identified;
- the identifying details of the person, firm or company other than a recipient of the personal data who had previously been redacted;
- any information available to the controller regarding the sources of specified information; and
- a description of the purposes of the processing of the personal data.
This order was made only against the first defendant, Mr Bridle, as the Court was not satisfied that the second defendant was a data controller in relation to the claimant – Mr Bridle did not control the relevant data in his capacity as a director of the second defendant.
Conclusions
Whilst this claim was brought under the DPA 1998, the introduction of the GDPR and the Data Protection Act 2018 is unlikely to have changed the proper analysis of what constitutes personal data. Those receiving DSARs will wish to take account of what the decision says about the recipients and sources of personal data, as well as the legitimacy of only disclosing data which forms an excerpt from a paragraph or sentence and the description required to be given about the processing being conducted.
Rudd v Bridle (1) J&S Bridle Limited [2019] EWHC 893 (QB), Warby J 10 April 2019.