Data Protection – How to deal with Subject Access Requests?
Rudd v Bridle
Following the arrival of GDPR there has been a notable increase in the number of subject access requests (SARs) whereby individuals have made formal requests to receive details of the personal data held on them by a business. As these requests can be time-consuming and expensive to deal with, it is no surprise that businesses have been seeking to minimise their efforts responding to a SAR.
The recent important decision in
Rudd v Bridle has examined the whole area of SARs and a number of important principles have been confirmed:
- Who is the data controller in relation to personal data? The simple answer is that this is the party who ultimately decides the purposes and manner in which personal data is being processed – in this case, the court decided that the facts pointed clearly to Mr Bridle being the data controller and not his company – this had important implications as the final court order made was against Mr Bridle personally;
- No right to receive documentation – the person making a SAR has no right to receive documents, but only a right to receive the information comprising his/her personal data – accordingly, businesses can feel emboldened to reject requests for documents;
- What type of information is covered by the term “personal data”? The court decided that the identity of recipients of information relating to the individual making a SAR can be part of the relevant personal data and subject to disclosure where this information is significant in a biographical sense and where its main focus is the individual making the SAR – consequently, “personal data” can be an elastic concept and is not limited to the personal attributes of an individual;
- Withholding information relating to third parties – although the relevant legislation allows certain information relating to third parties to be withheld in certain circumstances, the court was at pains to point out that this did not provide a blanket ban on any third party information being disclosed at all and criticised Mr Bridle for his attempts to do so;
- Exemptions from responding to a SAR – Mr Bridle’s attempts to avoid responding further to the initial SAR were based on the journalistic, regulatory activity and legal privilege exemptions and, in each case, the court held that the exemptions did not apply and that in order to rely upon them, the recipient of a SAR had to have clear evidence that they applied;
- Was the initial SAR response adequate? This was the only issue where the court found in favour of Mr Bridle: as long as the SAR is reasonably intelligible, there was no additional requirement to provide complete paragraphs or sentences in making a response – short, factual statements/comments would be sufficient.
Businesses on the receiving end of a SAR need to be particularly aware of the fact there is a potential risk to directors who could incur personal liability if found to be the data controller and they also need to realise that “personal data” can have a surprisingly wide scope. At the same time, businesses should be comforted by the fact that there is a clear ruling that the SAR does not entitle the individual to receive actual documents.
Getting out of onerous contracts – The Brexit effect
Whatever your views on Brexit, the ongoing saga is recognised in many quarters as being bad for UK Plc due to great uncertainty as to whether Brexit will actually take place, and if so, on what terms the UK will leave the EU.
Data breaches by rogue employees – employers still liable: Vicarious liability applies
The Court of Appeal recently upheld a decision of the High Court that found Morrisons Supermarkets vicariously liable for the malicious and criminal actions of a rogue employee who intentionally damaged Morrison’s reputation by misusing the personal data of almost 100,000 Morrison employees.
ICO gets tough: Equifax fined £500,000 under the “old” rules for very serious data breach
The recent introduction into UK law of the more stringent General Data Protection Regulation rules (GDPR) has certainly raised awareness of data protection and security. The Information Commissioner’s Office (ICO) has just announced a record fine in relation to a very serious breach that took place in 2017, which meant that the fine was imposed under the Data Protection Act 1998 rules rather than the new rules enshrined in the Data Protection Act 2018.
The importance of insurance in exclusion of liability clauses
Goodlife Foods Limited v Hall Fire Protection Limited
This decision has once again shown that the courts often place considerable importance on the availability of insurance in interpreting the validity (or not) of an exclusion of liability clause in a commercial contract. It also shows the courts being generally supportive of businesses limiting liability through contractual terms – limitation and exclusion clauses are important in all commercial contracts but particularly in the technology sector where potential losses can be far higher than the underlying contract value.
Countdown to GDPR day – Top tips 1: Consent and the GDPR
Under the GDPR, consent needs to be “…freely given, specific, informed and unambiguous…”. In other words, consent will only be validly given where there is a clear statement or conduct by an individual which indicates his/her acceptance of the proposed processing. Accordingly, the following will no longer be satisfactory evidence of consent:
Database rights: Technomed v Bluecrest Health Screening
Databases can be protected by database right and/or copyright. A recent spat between the supplier of an internet-based electrocardiogram (ECG) reporting system known as the “ECG Cloud” has led to the conclusion that a simple PDF document relating to the ECG Cloud was protected by both database right and copyright.
Brexit will not save you from new EU data protection rules!
On 25 May 2018, the largest ever overhaul of data protection laws in the EU will take effect. Businesses must comply with the changes or face fines of €20m or 4% of worldwide annual turnover. Despite this, many organisations have not yet started preparing for the changes.