The Data Protection Act 1998 (“DPA”) provides a right for individuals to request disclosure of their personal information which an organisation holds about them. Such a request is known as a Data Subject Access Request (“DSAR”).
Many schools will be familiar with the effort and disruption associated with responding to DSARs from employees and parents/pupils.
The school is obliged to conduct a reasonable search for the personal data. Personal data should be disclosed in an intelligible form unless this is not possible or would involve “disproportionate effort”.
The Information Commissioner’s Office (“ICO”) takes the view that schools must be prepared to make extensive efforts to locate data, the disproportionate effort exemption would apply only in the most exceptional cases and that it is never reasonable to refuse to respond to a DSAR because the search would be labour intensive or inconvenient for the school.
However, case law shows that the courts may be prepared to take a narrower approach to a data controller’s obligations.
In Dawson-Damer and others –v- Taylor Wessing LLP and others, the High Court has refused to order compliance with a DSAR, where it was found not to be reasonable or proportionate for the data controller to carry out searches for the data. In the case it would have been necessary for the data controller to search files dating back over 30 years to ascertain whether information requested was protected by legal professional privilege.
The Court held:
- The purpose of DSARS is to enable the data subject to check that data being held/processed is accurate and to ensure that it is amended accordingly so as to ensure lawful data processing. It is not to enable the data subject to obtain disclosure of documents that may assist him in litigation against the data controller or other party. It does not follow that a DSAR based on proper rationale will automatically be enforced in the data subject’s favour.
- It was not reasonable or proportionate to require the data controller to perform the necessary search and analysis to determine if data was disclosable, given the need to check whether data was protected by legal professional privilege.
- Where information was not stored in a sophisticated and ordered manner, so as not to provide ready access, it may not constitute a “relevant filing system” for the purposes of the DPA.
- There was no evidence that the data subject wanted to check and ensure the accuracy of data. Rather the Court took the view that the DSAR was brought to assist in ongoing litigation, which was not the proper purpose.
The case may show a departure by the courts from the strict approach endorsed by the ICO, although the decision has been appealed and will be considered in the Court of Appeal in due course.
While schools may draw some comfort from this decision, they should retain a cautious approach to DSARs. The ICO has stated that the DPA does not allow data controllers to refuse to respond to DSARs on the basis that the subject is considering litigation.
A school’s response to any DSAR will depend on the individual case and circumstances. It is always prudent to seek advice on the nature and extent of the school’s response.