Employment Insight – Clarity on the limits to a data controller’s obligations when dealing with DSARs

Employees, as data subjects, have the right to find out what information their employer is holding about them by exercising their rights to make a data subject access request (‘DSAR’) under section 7 of the Data Protection Act 1998 (‘DPA’). Section 7 states that (subject to the other provisions of the Act):


“An individual is entitled –

(a) to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller,
(b) if that is the case, to be given by the data controller a description of –
(i) the personal data of which that individual is the data subject,
(ii) the purposes for which they are being or are to be processed, and
(iii) the recipients or classes of recipients to whom they are or may be disclosed,
(c) to have communicated to him in an intelligible form –
(i) the information constituting any personal data of which that individual is the data subject, and
(ii) any information available to the data controller as to the source of those data…”

Dealing with a DSAR can be extremely onerous for an employer and it is precisely because of this that DSARs are sometimes used by employees as a tactical weapon. They can be a very effective tool, especially where the employer knows or suspects that ‘unhelpful’ information will be revealed. In the case of long-serving employees the employer may well have a great deal of available information which has accumulated over time and which may make complying with the DSAR administratively burdensome. Further, guidance from the Information Commissioner’s Office has previously stressed that merely because an employer finds it onerous to deal with a DSAR, this is no excuse for non-compliance.

A recent Court of Appeal decision (Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd & Others) has clarified the extent of an employer’s obligation as being to conduct searches for personal data that are proportionate and reasonable. It does not necessarily mean leaving no stone unturned in order to track down every piece of personal data, if that goes further than is proportionate and reasonable.

The Court of Appeal’s route to this conclusion was not based on a detailed examination of the words used in the DPA itself. It reached its conclusion on the basis that the DPA derives from the EU Data Protection Directive, and that EU law is subject to a general ‘proportionality principle’. The Court expressed the view that “…the EU legislature did not intend to impose excessive burdens on data controllers” and that “while the principle of proportionality cannot justify a blanket refusal to comply with a DSAR, it does limit the scope of the efforts that a data controller must take in response”.

This ruling is therefore likely to provide a degree of welcome relief for employers and other data controllers, and may take some of the ‘sting’ out of DSARs made primarily for the purpose of mischievously putting the employer under an onerous burden. The Court of Appeal also considered the legal position when an employee making a DSAR has some collateral purpose other than that for which the DPA was primarily enacted. Common examples include obtaining information for the purposes of formulating a claim against the employer, or obtaining early disclosure in the context of a litigation case. The Court held that such purposes are not normally to be regarded as an improper exercise of the s.7 right and therefore would not absolve the employer of its duty to comply fully with its DPA obligations.

As a practical point, organisations that are unnecessarily hoarding masses of employee personal data may wish to remind themselves about the ‘7 principles of data processing’ (as set out in the DPA) with which all data controllers are expected to comply. Particularly relevant in this context is the fifth principle: “Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes”. As well as potentially being in breach of the ‘Principles’, organisations might well consider themselves, at least in part, the authors of their own misfortune if dealing with a DSAR becomes administratively onerous in consequence.

Legal Professional Privilege and one way of losing it

It is also worth remembering that the DPA contains a number of exemptions to the data controller’s duty to provide information about personal data it processes. The exemptions that are particularly relevant in the employment context are those relating to: the provision of confidential references; personal data processed for management forecasting and planning purposes; personal data processed in connection with negotiations; the avoidance of self-incrimination by the data controller; and claims to legal professional privilege.

These potentially available exemptions are subject to meeting additional conditions specific to each. The legal professional privilege exemption is expressed as follows:

“Personal data are exempt from the subject information provisions if the data consist of information in respect of which a claim to legal professional privilege or, in Scotland, to confidentiality of communications could be maintained in legal proceedings” 

Legal professional privilege (and, along with it, an exemption from disclosure of information about personal data under the DPA) may be claimed in relation to communications passing between client and lawyer.

A full discussion of legal professional privilege is outside the scope of this note, but two important points about it are worth flagging here. Firstly, the privilege ‘belongs’ to the client. Secondly, the privilege will only continue to apply to communications that remain confidential in nature. If a document loses its confidential status, the client is likely also to lose the right to claim legal professional privilege in respect of it and legal professional privilege could then not “be maintained in legal proceedings”. The exemption allowing the data controller to exclude the document from disclosure under a DSAR would cease to be available.

An obvious practical point to bear in mind for organisations wishing to minimise the risk of losing legal professional privilege (and the associated exemption from DPA disclosure) is to maintain the confidentiality of the document by avoiding all unnecessary dissemination and, where dissemination is unavoidable, to impress upon the recipient the confidential nature of the document.

This information is necessarily of a general nature and doesn’t constitute legal advice. This is not a substitute for formal legal advice, given in the context of full information under an engagement with Bates Wells.

All content on this page is correct as of March 17, 2017.