SARs, Subject Access Requests, are a complicated part of the various data protection regulations that are now prevalent in almost every country.
The High Court ruling that was handed down by The Honourable Mr Justice Warby in the High Courts of Justice in London in April 2019 could come as a shock to those who believe that the UK’s DPA (Data Protection Act) and the European Union’s GDPR (General Data Protection Regulation) only exist to ensure that data does not fall into the wrong hands.
Had either the claimant or the defendant received essential training in compliance with these complicated laws and regulations, the case would probably not have come to court at all, and time, stress and large sums of money would have been saved. Mr Justice Warby might well have been of that opinion too, as in Paragraph 58 of his ruling he stated: “It will be obvious that the parties’ approach to this case has been not only fractious but also undisciplined and disorderly, bordering at times on the chaotic.” That paragraph ended with the sentence “It is a matter for dismay that the parties have generated such a procedural muddle.”
Neither the claimant nor the defendant was under-educated. Dr Robin Rudd is a medical expert on asbestos-related diseases who had provided expert evidence in legal claims for damages for illnesses caused by asbestos, and Mr John Bridle had worked for most of his life in the asbestos industry, and had acted as a lobbyist for that industry. Both probably believed that they knew enough about compliance with the laws and regulations applying to their fields of expertise.
And yet they found themselves in the High Courts of Justice engaged in a complicated and expensive case which was centred on the way in which exemptions apply to Subject Access Requests.
The case was brought by Dr Rudd because Mr Bridle had complained to the UK’s General Medical Council (GMC) that Dr Rudd had made false claims in the courts. He asked the GMC to strike Dr Rudd off the official register of medical practitioners. The GMC rejected the complaint, but Dr Rudd felt that Mr Bridle had launched a damaging campaign against him. Dr Rudd, therefore, made some SARs, in which he sought to find out the identities of the third parties who had collaborated with Mr Bridle and also to discover the source of the information held by Mr Bridle, and the recipients of his personal data. Mr Bridle claimed that the information was privileged, but did disclose some information. Dr Rudd saw that information as inadequate and brought a claim under the UK Data Protection Act 1998, which was then still in force.
Although the asbestos industry was the field in which both claimant and defendant had the expertise, no representative of the industry took part in the case: Dr Rudd and Mr Bridle were to all intents and purposes two private individuals. There was a first costs estimate of £122,000; this was for the costs of one party only. A case of this nature between two commercial organisations, which might involve substantial damages, could see that initial sum multiplied many times over; an illustration of the heavy financial risks involved in ignoring compliance training.
As a general rule, people are entitled to know what personal data are held about them, and how that information is used. But there are strict limits as to how much of that information may be disclosed in response to a Subject Access Request, and any Data Controller needs to be aware of those limitations.
If a Data Controller is not fully trained in compliance with the GDPR regulations in this sector, he or she is very likely to make a mistake, and either refuse to divulge information to which the claimant is entitled, or to hand over too much, and in doing so breach the privacy of a third party. Either eventuality could result in legal action.
There are various exemptions including information subject to legal professional privilege or the duty of confidentiality, information required to be disclosed by law or in connection with legal proceedings, and data processed for journalistic, academic, artistic or literary purposes.
Even the term “Data Controller” was a matter of dispute in this case. Was Mr Bridle himself the Data Controller, or was that the Company he had founded, and later wound up? In this case, the judge decided that Mr Bridle himself was the Data Controller.
Another important issue for the court was the question whether Dr Rudd was entitled to be told, in addition to the personal data held about him, the sources of those data which had been acquired by Mr Bridle. The judge said that the identities of those who, within the personal information disclosed, were alleged to have assisted Dr Rudd in the alleged fraud did indeed qualify as part of his personal information; Dr Rudd was therefore entitled in this case to limited third party information; but the ruling made clear that this would not apply in every case.
The ruling also states that the data will have to be disclosed “in an intelligible form”.
Well-trained Data Controllers, with a training reference library at their fingertips, will be in the best possible position to avoid the complicated, stressful and expensive legal outcome of getting things wrong. And if the worst does come to the worst, and a case has to be brought or defended, effective compliance training will ensure that the legal team taking over the case will have clear documentation and an audit trail, which will save considerable time and money, and the judgement will not include the scathing comments that Mr Justice Warby found it necessary to deliver.