High Court hands down significant judgment in subject access case

The High Court recently handed down what is generally being called a ‘significant’ judgment in a case regarding the refusal to comply with a subject access request (SAR). In passing judgment, in the case of Harrison v Cameron and Anor, the High Court has prompted data controllers and data protection professionals to consider their responses to SARs and the extent of redaction historically applied and the circumstances in which motive may allow them to balance and protect the rights of third parties, against a data subjects right to access information.

Background

The Claimant was the chief executive of a real estate investment company. The first Defendant owned and operated the second Defendant’s landscape gardening business. A dispute arose between the Claimant and Defendant’s about the work undertaken on the Claimant’s property. From around May 2022, the Claimant and first Defendant spoke and engaged in conversations over the phone, which were covertly recorded by the first Defendant, on the basis that he believed the Claimant’s conversation to be threatening.

As a result, the first Defendant shared the recording with the police, along with 12 other people, which included employees, family members and friends. Some family members also further shared those recordings, including the first Defendant’s wife, who shared transcripts of the recording.

In justifying his actions, the first Defendant insisted that he shared the records with family and friends to make them aware that he had been threatened, to obtain their advice and in case anything happened to him. Accordingly, the first Defendant alleged the recording was shared in his personal capacity.

The Claimant alleged that the recordings found their way into a wider circle of peers and competitors in the industry, consequently causing significant financial damage to his own company, including the loss of the acquisition of a shopping centre, amounting to losses in the region of £10 million.

Subsequently, the Claimant made two SARs, to the first Defendant and the second Defendant (being the company of the first Defendant). Both SARs were rejected, on the basis that the first Defendant was acting outside of the UK GDPR and was sharing the information in a “purely personal and household” context, in line with the exemptions provided for in the UK GDPR. Similarly, the first Defendant alleged he personally was not a data controller of personal information. In respect of the second Defendant, it alleged that it was unable to disclose information, as doing so would affect the data protection rights of third parties.

In pursuing a claim, these points we put before the Court and considered before reaching a decision.

The Law

Article 15 of the UK GDPR provides individuals, referred to in the legislation as ‘Data Subjects’, a right to access information being processed about them by a data controller, known as a SAR. The legislation then provides a standard statutory timescale of one month, before a data controller is required to confirm to the Data Subject what personal data is being processed about them, and unless an exemption applies, provide a copy of the personal data they hold.

The obligation is on a data controller of personal data, such as schools, to comply with the right of access, within the timescales provided for in the legislation.

For schools, a common sources of SARs can include current and/or former employees asking for information held about them in relation to their employment and parents/ guardians of pupils, asking for information held in relation to that pupil.

There are a number of exemptions to the right of access provided for in the Data Protection Act 2018, these include where the information requested contains confidential management information, confidential reference, or most commonly, where the disclosure affects the data protection rights of third parties, which is the exemption the second Defendant chose to rely on in this case.

The recitals to the UK GDPR also includes an exemption from the need to comply with the data protection legislation, which is described by the UK data protection regulator, the Information Commissioner’s Office, as applying to circumstances where the information is being processed in the course of a “purely personal or household activity, with no connection to a professional or commercial activity.” This exemption is commonly applicable to individuals activity in their personal capacity, as part of everyday life, which is what the first Defendant alleged in his response to the claim.

Outcome

The Claimant’s claim was ultimately dismissed, though in commenting on the scope of the UK GDPR, Mrs Justice Steyn commented that whilst she agreed the first Defendant was not a data controller in his own right and so was not under an obligation to comply with the SARs personally, the recording had clearly been taken by him in his capacity as a director of the second Defendant, as he was speaking to the Claimant as a client of the second Defendant and his decision to terminate his contract with the second Defendant. Mrs Justice Steyn did not accept the suggestion that the first Defendant was sharing the information for “purely personal” reasons and had instead sought support in relation to the termination of a contract within his business. It was therefore considered that the processing did not place outside the scope of the UK GDPR.

In respect of the second Defendant’s decision to refuse the SARs on the basis of protecting the identity of third parties, Mrs Justice Steyn surmised that in principle, the Claimant would be entitled to information relating to the categories of recipient his personal data had been disclosed to, though this does not necessarily mean their identities in every case. In this case, it was decided that the Claimant was not entitled to have the identities of the recipients as the Claimant had established a clear motive to pursue legal action, if he was able to identity the individuals concerned. Mrs Justice Steyn accepted the second Defendant’s submission that disclosing this information placed individuals recipients at “significant risk of being the object of intimidating, harassing and hostile legal correspondence and litigation” and it was not unreasonable for the second Defendant to have record to the Claimant’s conduct as a relevant factor when balancing his right to access, against the recipients’ right to privacy.

Lessons for schools

This judgment is significant, particularly for schools, who are seeing an ever increasing demand to respond to SARs, particularly in the face of hostile complaints and/or employment proceedings.

Whilst the judgment promotes a need for caution, when considering the extent of information an individual may be entitled to have access to, it also provides support for considering the wider circumstances of a SAR, where motive may suggest that an individual may have more “menacing” intention than to simply understand the information being processed about them. In those circumstances, this judgment provides schools and other data controllers with comfort that it is reasonable to give some consideration to the privacy rights of third parties, when considering what information to disclosure.

That being said, motive will not always be present when an individual makes a SAR and so schools are advised seek further advice and support from data protection practitioners, before making the decision to withhold information and/or refuse a request outright.