Call +44(0)20 3828 0350

Proportionality and data subject access requests

Proportionality and data subject access requests

An employer must only conduct a proportionate search, and give a proportionate response, to data subject access requests it receives.

The Court of Appeal was faced with two cases concerning requests for further steps to be taken to comply with data subject access requests. In the first, Ittihadieh, the Claimant put in a DSAR to a right to manage company operating in respect of the building within which he owned a property. The Claimant expressed a concern that the members were “swapping, retaining and otherwise using personal information about him” and indicated that he intended to bring proceedings. The company disclosed 400 redacted documents, including one which referred to a separate file of documents which the company did not disclose.

In the second case, Deer, the Claimant had brought various claims against her former employer, Oxford University. She put in two wide-ranging DSARs; in response, the university disclosed some limited documentation but refused to provide information relating to the litigation. After the Claimant put in a further DSAR, the university eventually did disclose some more documents it had previously withheld. The Claimant, still dissatisfied with the extent of disclosure, applied for an order for further searches to be undertaken relating to 22 people within a specified date range. As the Court granted the order, the university reviewed a further 500,000 documents at a cost of £116,116. Having conducted this review, the university disclosed a further 33 documents.

The Court of Appeal refused to order either company to take further steps in relation to the DSARs. In Ittihadieh’s case, it was held that further searches would be “wholly disproportionate”, and in Deer’s case, that they would serve no useful purpose. It confirmed that data protection legislation was not intended to impose great burdens on data controllers and that a search can still be sufficient even if a controller has not searched high and low for personal data.

Employers faced with a DSAR from an existing or former employee therefore should not feel obliged to carry out an exhaustive search for personal data. If the person making the request then challenges that decision, employers should feel able to defend a little more bullishly against the suggestion that it should carry out overly lengthy or costly investigations.

Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd & others EWCA Civ 121


image_printPrint article