Subject access – important new high court judgment

Posted on | by Anya Proops KC

It is a strange feature of the DPA subject access regime that, despite having extremely far reaching legal effects, to date it only rarely been the subject of judicial analysis. This is in no small part because the costs of bringing disputes over the application of the legislation before the courts are generally prohibitive. As readers of this blog will know, there have been some fairly recent county court judgments which have considered the application of the regime (see in particular the posts on the judgments in Elliott and Abadir here and here). However, jurisprudence emanating from the High Court has been decidedly thin on the ground. Today however the High Court has handed down an important judgment on the application of the regime: In the Matter of the Southern Pacific Personal Loans Limited [2013] EWHC 2485 (Admin). Readers will want to note in particular that part of the judgment where the court considered the relevance of the applicant’s purpose or motive in making a subject access request (SAR) – as discussed below.

The background to the case is somewhat unusual. In summary, a company which is a member of the Lehman Brothers group of companies, Southern Pacific Loans Limited (C), had gone into voluntary liquidation. Prior to the liquidation proceedings, C had been in the business of offering loans to customers, secured by means of a second mortgage on the customer’s property. C had used a third party company (A) to process data relating to certain of the loans and indeed A continues today to hold data relating to tens of thousands of redeemed loans (“the data”). C had received and was continuing to receive numerous subject access requests in respect of the data. The requests had principally been made by claims handling companies which were using the SARs as a device to obtain data relevant to claims which might potentially be brought by C’s customers. In effect therefore the data was being sought in order to advance the customers’ position in the context of prospective litigation rather than for the purposes of ensuring that the customers’ privacy was being properly protected in the context of the processing of their data by C. The costs to C of dealing with the requests was very substantial, averaging at least £40,000 per month (or £455 per request). The liquidators were concerned that a continuation of such costs would potentially have a material impact on the distribution of funds to creditors of C in the liquidation. In a sense this raised the question of whether the right of data subject’s under the DPA could trump those of creditors in a liquidation. The liquidators, seeking to protect the position of the creditors, made an application to the court for declaratory relief which would have the effect of: (a) enabling further subject access requests to be refused and, further, (b) enabling the liquidators to dispose of the data, which were no longer required by C for business purposes.

The following important points emerge from the ratio of the judgment of David Richard J:

  • liquidators cannot be regarded themselves as ‘data controllers’ in respect of data processed by a company in liquidation. This is because liquidators do not act as ‘principals’ in respect of the data but rather as ‘agents’ acting on behalf of the company in liquidation. This is the case irrespective of whether liquidators are acting in the context of voluntary of compulsory liquidations. Thus, liquidators are not personally responsible for ensuring compliance with s. 7 DPA (paras. 17-35)

 

  • so far as the disposal of data is concerned, regard should be had to the fifth data protection principle which obliges data controllers to ensure that data is not processed longer than is necessary for the purposes for which it was processed. Looked at from a DPA perspective, this meant data should be ‘disposed of as soon as possible’ (para. 39). The question was therefore whether there were any legal requirements which, in the present case, acted as impediments on the disposal of the data. There were two impediments potentially in play in the present case:

 

  • first, data could not be disposed of if retention of that data was required in order to enable C to fulfil its statutory subject access obligations in respect of extant SARs (s. 8(6) DPA)

 

  • second, data could not be disposed of if retention of that data was necessary in order for the liquidators to be able to discharge properly their statutory duties as liquidators. In the present case, that meant that particular data could not be disposed of if retention of the data was required in order to deal with claims which may be lodged against C.

Importantly, however: ‘The liquidators are not under a duty to retain data so that it can remain available to be mined by former customers or claims handling companies with a view to making claims against third parties’ (para. 40). The liquidators were at liberty to dispose of all the data, subject to the two qualifications outlined above (para. 41).

The court also made a number of obiter comments which are particularly worthy of note

  • data subjects are not entitled to use the SAR to demand disclosure of documents. Their entitlements extend merely to data rather than to documents (para. 43). (This is of course an important consideration as and when applicants are using the SAR regime to obtain advantages in litigation against the data controller or a third party)

 

  •  properly understood, the Court of Appeal’s judgment in Durant v Financial Services Authority is not authority for the proposition that requests under s. 7 DPA may be refused by the data controller if they are being made for the purposes of furthering the data subject’s position in litigation, as opposed to protecting their privacy. The question of whether SARs could lawfully be refused in these circumstances was a question for another day. However, following Durant, the question of the applicant’s purpose was a factor which was relevant to the exercise of the court’s discretion in the context of an application for enforcement made by the applicant under s. 7(9) DPA (para. 46). This last point will come as some relief to the data controller who is facing a heavily litigation-preoccupied data subject.

The court expressly declined to consider the question of the impact of s. 8(2) DPA (the ‘disproportionate effort’ provision). Thus, it did not examine the question previously considered in Ezsias v Welsh Ministers as to whether data controllers can lawfully limit their searches for personal data by reference to what is reasonable and proportionate in all the circumstances (paras. 47-49).

11KBW’s Robin Hopkins acted for the Information Commissioner.

Anya Proops