Employers control the extent of information that they provide employees – from how well they are meeting KPIs, to internal discussions about grievances, remuneration and disciplinary actions. In the majority of cases, employers have no obligation to provide employees with information setting out the basis for remuneration or disciplinary outcomes, including information which forms part of an internal investigation or a notification to a regulator. A lack of access to such information may make it more difficult for an aggrieved employee to bring a claim against their employer. Increasingly, employees are issuing data access requests (DARs) under the Personal Data (Privacy) Ordinance (PDPO) to seek information related to internal investigations and remuneration or disciplinary outcomes of which they have been the subject. This information may then be used to form the basis of a claim against the employer. We consider the obligations of employers when receiving a DAR and how a DAR may be used as a litigation strategy by aggrieved employees.
The recent High Court judgment in Rudd v Bridle & J&S Bridle Ltd provides some useful guidance on subject access requests under the Data Protection Act 1998 (equally relevant to the new GDPR regime).
Dr Rudd, a medical expert on exposure to asbestos, was the subject of a campaign by a lobbyist for the asbestos industry, Mr Bridle, who attempted (unsuccessfully) to get Dr Rudd struck off by the GMC and alleged that Dr Rudd conspired with others to commit a fraud to deceive the courts in supporting spurious legal claims. Dr Rudd made a subject access request in order to learn more about Mr Bridle’s activities and claimed that Mr Bridle’s responses were inadequate. (Dr Rudd has also sought an order preventing further processing and compensation, but without properly pleading his case as to how processing was unwarranted and had caused distress, meaning that those aspects of the claim were stayed.)
Warby J’s judgment highlights a number of points:
- The judge emphasised that subject access rights are to data ie information, not to the disclosure of documents. “A claim for documentary disclosure … is likely, almost always, to be misconceived”.
- A data controller is only required to act reasonably and proportionately in terms of the scope of its search for personal data, but this does not mean that the same latitude is appropriate when determining whether one of the exemptions from the subject access provisions applies. The fact that the data controller’s solicitor has reviewed material and identified that it is covered by an exemption will not be conclusive. It is likely that a court may exercise its discretion not to make a disclosure order where the data controller has acted with reasonable diligence in determining whether an exemption applies and there is no reason of substance to doubt the validity of the conclusions arrived at. However, this was not the case here. The solicitor who concluded that the exemptions applied was relying on Mr Bridle, who had been held to be an unreliable witness, and there was no evidence pleaded to establish the necessary constituents of the journalism or regulatory exemptions claimed.
- In relation to the regulatory exemption, the judge gave his view that this may only apply to processing by the regulatory body itself and not to processing by an individual reporting to a regulator, although it was not necessary for him to decide this. Further, given that the regulatory exemption only applies to the extent to which the provision of subject access would be likely to prejudice the proper discharge of the regulatory functions, the judge considered that it would have been hard to argue this at a time several years after the regulator had rejected the complaint and its involvement had ceased.
- In relation to the claim to legal professional privilege, the judge noted that evidence from a solicitor that they have reviewed the material and concluded the exemption applies should carry more weight than in relation to the journalism and regulatory activity exemptions. There was sufficient evidence to justify the legal advice privilege claims, but the judge was not prepared to accept the claim to litigation privilege given that no litigation or prospective litigation had been identified. A claim that Mr Bridle expected to act as an expert witness in relevant legal cases was insufficient given the lack of supporting evidence and the unreliable nature of the witness.
Identity of individuals
- Dr Rudd argued that there was an obligation to disclose the identity of the recipients of emails from Mr Bridle containing the personal data. The judge noted that both the statutory wording and the ICO’s Subject Access Code make clear that the right in relation to an individual recipient is to a description of the recipient (eg “a medical practitioner”), not to their name; where the disclosure is made to a class of recipient, the right is to a description of the class (eg “the readership of the Daily Globe”).
- The identities of third parties alleged to have conspired with or assisted or collaborated with Dr Rudd in the alleged fraud, or whom he is alleged to have helped to attack others, were information amounting to Dr Rudd’s own personal data, as the information focussed on him and was biographically significant. The same was true in relation to the identities of the ‘victims’ of his alleged fraud and those to whom allegations that Dr Rudd was guilty of fraud had been made. (In contrast, information as to who had been sent Dr Rudd’s personal data was not itself his personal data.) The data controller’s decision as to whether it is reasonable to disclose the identities of those individuals without consent is a decision that must be made on a case-by-case basis and not by applying a blanket policy, as stated in the ICO’s Code of Practice.
- The requirement to provide “any information available to the data controller as to the source of the data” means providing the actual identity of the source, not just a description or class of source. The judge noted that Mr Bridle must know who the lawyers are that provided him with copies of Dr Rudd’s expert witness reports and that there was clearly much source information available to Mr Bridle “including but not necessarily limited to the names of the solicitors’ firms involved” that should have been disclosed. The judgment is unclear whether disclosing the name of the company or firm which is the source of data would suffice or whether there is also a requirement to disclose the name of the individual at that legal entity who has provided the data on its behalf (subject to consent and/or reasonableness of disclosure without consent).
- Dr Rudd argued that the disclosure only of extracts from paragraphs, largely just incomplete sentences, rendered the disclosures unintelligible and that the whole of the relevant paragraphs should have been included “given the gravity of the allegations made about him”. The judge rejected this argument, noting that information can be presented “in an intelligible form” as required without the need to provide its full context or even the whole of the sentence in which it appears.
- In light of the principle of proportionality, the requirement to describe the purpose of the processing need not be done on a document-by-document basis, but can be met by setting out the essence of what the controller is doing with the data.
The judge also ruled that Mr Bridle was the data controller, and not the company controlled by Mr Bridle and his son, given that the processing was part of Mr Bridle’s lobbying activities conducted by him individually and not as part of his company’s commercial operation.
The rulings that the description of the purposes of processing and the recipients of personal data can both be general, and the fact that contextual data is not required, will be welcome to those facing subject access requests. The endorsement of the ICO’s Code of Practice is also helpful. Less helpful is the ruling that a controller must disclose the actual sources of data and not just a description or class of source, if the controller has that information available. Controllers will also need to bear in mind that an applicant’s personal data could include the identities of some other individuals, for example the co-conspirators in this case, and that if they intend to rely on an exemption, sufficient evidence will need to be pleaded (for example that disclosure would likely prejudice an ongoing regulatory investigation).
Employers faced with a subject access request should ensure they refer to the updated guidance recently issued by the Information Commissioner’s Office. The guidance has been amended to reflect recent case law (summarised here) and notes (at pages 43-44) that data controllers are only required to carry out a reasonable and proportionate search for personal data. However, it stresses that there is a high expectation that information will be provided in response to a SAR and that the burden of proof will be on the data controller to show that it took all reasonable steps to comply. The guidance states that it is good practice to have an open conversation with the applicant about the information they require and that, if a complaint is lodged, the ICO may take into account the data controller’s willingness in this respect as well as the level of co-operation from the applicant. The guidance also reflects the case law confirming that an applicant’s motive for making the SAR is not relevant, although an abuse of process is one of the factors that may influence the court when exercising its discretion to order compliance (page 64).
HR practitioners know only too well what an effective weapon a subject access request (SAR) can be in the hands of an aggrieved employee or ex-employee. Even if no 'smoking gun' is unearthed for the purposes of litigation, at the very least it will consume substantial amounts of the employer's time and money. The burden for employers has been exacerbated by uncertainty over the precise scope of their obligations.
The greater clarity provided by the Court of Appeal in the recent judgments of Deer v University of Oxford, heard together with Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd, and Dawson-Damer v Taylor Wessing LLP will therefore be welcome. There is also some (limited) good news for employers as to the lengths to which they must go in searching for data although, on the downside, the rulings also lay to rest the possibility of refusing to comply with a SAR simply because its purpose is to aid litigation.
The cases provide useful guidance for employers facing SARs, and the facts and decisions are discussed in more detail in our briefing here. The key practical points for employers responding to a SAR are summarised below:
The Court of Appeal has clarified that non-compliance with a subject access request (SAR) cannot be justified on the ground that the requester has a purpose other than verifying or correcting the data (usually to assist in litigation). Statements in prior case law used to argue that there is a 'no other purpose rule' have been misunderstood. When exercising its discretion to enforce a SAR, the court should not consider the motive for the SAR, save perhaps where the application would be an abuse of the court's process (which the mere holding of a collateral purpose would not normally be) or where the requester represents a party and the requester's purposes and those of the party might conflict.
Refusing to comply with a subject access request may contribute to the unfairness of a subsequent dismissal, where the tribunal considers that the refusal materially impairs the employee's ability to defend themselves in disciplinary proceedings. In McWilliams v Citibank, the refusal to comply with the SAR meant that the employee had to rely on the employer's own investigation, which the tribunal held to be inadequate, and as a result her dismissal was unfair.
- On 14 April the European Parliament voted to approve the new Trade Secrets Directive aimed at harmonising the definition and protection of trade secrets and undisclosed know-how across Europe. The Council is expected to approve the Directive this month and it could take effect in June this year, with Member States then having a two year window in which to implement its provisions. For further details, see our January briefing (but note that the numbering of the Articles has since changed).
- The European Parliament also approved the new General Data Protection Regulation on 14 April 2016; the text is available here. It will apply from 25 May 2018. The Regulation is directly applicable in all EU member states and supersedes and replaces the previous European data protection directive and any national data protection regulations based on it (ie, the Data Protection Act 1998 in the UK). Our February briefing on the General Data Protection Regulation is available here.
- The Business Secretary is reported to have launched a review of employment tribunal fees in light of inaction from the Ministry of Justice (see here). The findings are to be published 'in a few weeks'.
- Section 56 of the Data Protection Act 1998 will come into force on 10 March 2015. It will be a criminal offence (punishable by an unlimited fine) for an employer to require job applicants or existing employees to obtain a copy of their criminal records by making a subject access request and supply it to the employer (known as enforced subject access).
To register to listen to the recording or download as a podcast please contact Jane Webber who will send you confirmation of your log-in details.
Data protection is a key issue particularly for clients operating in multiple jurisdictions. With the background of the new EU Data Protection Regulation being debated in Europe, with more significant financial penalties on the horizon, this webinar looks at employment-related data protection issues clients with operations across Europe should be considering now as well as what they should be thinking about going forward.
At this webinar, the second of our data protection for employers series, we will consider the following topics on a pan-European basis (focusing particularly on France, Germany, Spain and the UK):
Data protection as a topic generates heated public discussions (including recent issues around "the right to be forgotten" and the use of personal data). It also impacts on dealings with employees.