Complying with Subject Access Requests
The Court of Appeal has recently overturned a High Court decision that had allowed a law firm to reject a Subject Access Request made against it on the basis that reviewing the information held would involve disproportionate effort.
The Data Protection Act 1998 gives all individuals a right to access information that any organisation holds about them on payment of a nominal fee of £10.
Complying with a subject access request can be very burdensome for the organisation receiving it, absorbing a substantial amount of time and effort and sometimes third-party costs. The law does not allow additional charges to be levied, and the Court of Appeal has confirmed that it is not possible to reject a subject access request where complying will be expensive or time consuming. The court has retained a test of proportionality but has made clear that there is a high threshold to be proven for this to apply.
As in this case, subject access requests are often used by individuals as a means to gain access to evidence to use in a potential court case. The Data Protection Act grants the right for individuals to access their data without specifying the reason for access. The Court of Appeal has confirmed that judges should not refuse to enforce subject access requests where the reason for the request is to gain evidence for other legal proceedings.
James Tarling, who leads our data protection advice, comments: “This particular case is somewhat unusual, involving a dispute amongst the beneficiaries of a very substantial trust fund held in the Bahamas; however, the principles apply to all organisations who process personal data. It is essential that all organisations have in place adequate processes to deal promptly with subject access requests and take advice where seeking to rely on any of the exemptions to disclosure. This is particularly important in the light of the new General Data Protection Regulation (GDPR) coming into effect in May 2018, which shortens the period to respond to a subject access request from 40 days to one month and also removes the ability to charge the nominal £10 fee.”
Contact James for advice on responding to subject access requests or other data protection compliance.