Refusing a subject access request: proportionality, anxious scrutiny and judicial discretion

Zaw Lin and Wai Phyo v Commissioner of Police for the Metropolis [2015] EWHC 2484 (QB), a judgment of Green J handed down today, is an interesting – if somewhat fact-specific – contribution to the burgeoning body of case law on how subject access requests (SARs) made under the Data Protection Act 1998 (DPA) should be approached, both by data controllers and by courts.

The Claimants are on trial in Thailand for the murder in September 2014 of British tourists Hannah Witheridge and David Miller. They could face the death penalty if convicted.

Under the Police Act 1996, and following high-level discussions (including at Prime Ministerial level), it was agreed that the Metropolitan Police Service (MPS) would send an officer to observe and review – but not assist with – the Thai police investigation. The MPS compiled a detailed Report. They agreed to keep this confidential, except that it could be summarised verbally to the families of the victims so as to reassure about the state of the investigation and proceedings. The Report has never been provided to the families or the Thai authorities.

The Claimants made SARs, seeking disclosure of the MPS’ Report. Green J summarised their objectives as follows (para 29):

“The Claimants have endeavoured to clothe their arguments in the somewhat technical language of the DPA.  It seems to me that the bottom line of these arguments, stripped bare of technical garb, can be put in two ways.  First, the views of the MPS carry weight. Scotland Yard has an international reputation.  If the Report is seen as favourable to the prosecution and contains material supportive of the RTP [Royal Thai Police] investigation (which is in effect how the Claimants say it has been presented in public by the families) then they should have the right to see the personal data so they can correct any misapprehensions.  Secondly, that in any event they should be able to use any personal data which is favourable to their defence.”

The Claimants were entitled to request disclosure of at least some of the contents of the Report, though Green J estimated that only a small percentage of its contents constituted their personal data (para 25).

The MPS refused the SARs, relying on the exemption for crime and taxation under section 29 DPA.

In determining the claim under section 7(9) DPA, Green J considered arguments as to the applicability (or not) of Directive 95/46/EC (which contains exceptions for criminal matters: see Articles 3 and 13) and the European Convention on Human Rights. His view was that not much turned on these points here (para 49). At common law, the court’s scrutiny must always be fact- and context-specific. In a life-and-death context, anxious scrutiny would be applied to a data controller’s refusal. See para 69:

“… when construing the DPA 1998 (whether through common law or European eyes) decision makers and courts must have regard to all relevant fundamental rights that arise when balancing the interest of the State and those of the individual.  There are no artificial limits to be placed on the exercise.”

Green J expressed his discomfort about the application of section 15(2) DPA, which allows the court – but not the data subject – to view the withheld information. This, together with the prospect of a closed session, raised concerns as to natural and open justice. Given the expedited nature of the case before him, it was not appropriate to appoint a special advocate, but that may need to be considered in future cases where the stakes are very high. Green J proceeded by asking questions and hearing submissions on an open basis in a sufficiently generic and abstract way.

In expressing those procedural misgivings, Green J has touched on an important aspect of DPA litigation which has received little attention to date.

He also took a narrower view of the breadth of his discretion under section 7(9) DPA than has often been assumed. At para 98, he said this of the ‘general and untrammelled’ nature of that judicial discretion:

“If Parliament had intended to confer such a broad residual discretion on the court then, in my view, it would have used far more specific language in section 7(9) than in fact it did. In any event I do not understand the observations in the authorities referred to above to suggest that if I find that the MPS has erred that I should simply make up and then apply whatever test I see fit.  If I find an error on the part of the MPS such that I must form my own view then I should do in accordance with the principles set out in the DPA 1998 and taking account of the relevant background principles in the Directive and the Convention. My discretion is unfettered by the decision that has gone before, and which I find unlawful, but I cannot depart from Parliament’s intent.”

Such an approach to section 7(9) could make a material difference to litigation concerning SARs.

Green J then set out and determined the issues before him as follows:

Issue I: Who has the burden of proof of proving both the right to invoke the exemption? What is the standard of proof?

Following R (Lord) v Secretary of State of the Home Department [2003] EWHC 2073 (Admin), the answer is that the data controller bears the burden. “The burden of proof is thus upon the MPS in this case to show its entitlement to refuse access and it must do this with significant and weighty grounds and evidence” (para 85).

Issue II: Was the personal data in the MPS report “processed” for purposes of (a) the prevention or detection of crime or (b) the apprehension or prosecution of offenders?

Green J’s answer was yes. Although the purposes behind the Report differed from the usual policing context, there should be no artificially narrow interpretation of the ‘prevention and detection of crime/apprehension or prosecution of offenders’.

Issue III: Would granting access be likely to prejudice any of those purposes?

This required a balancing exercise to be performed between the individual’s right to access and the interests being pursued by the data controller in refusing disclosure. This called for a “classic proportionality balancing exercise to be performed” (para 78).

Here, the starting point was the Claimant’s prima facie right to the personal data. This was bolstered by the life-and-death context of the present case.

The MPS’ refusal, however, pursued legitimate and weighty objectives. In assessing those objectives, it was relevant to consider what precedent would be set by disclosure: the “focus of attention was not just on the facts of the instant case but could also take account of the impact on other cases” (as per Lord).

On that basis, and in light of the evidence, the MPS’ ‘chilling effect’ argument was powerful. See para 107:

“… I accept their judgment and opinion as to the risks that release of the Report would give rise to and in particular, their position on: the considerable benefit to the public interest (in relation to crime enforcement and public security) generally in the MPS (and other relevant police authorities) being able to engage with foreign authorities; the high importance that is attached by foreign authorities to confidentiality; and the risk that not being able to give strong assurances as to confidentiality would pose to the ability of the MPS and others to enter into meaningful working relationship with such overseas authorities.”

It was also important to avoid any potential interference with a criminal trial in a foreign country.

The Claimants’ SARs were not made for any improper purposes, i.e. for purposes other than those which Directive 95/46/EC sought to further. In that respect, the present case was wholly unlike Durant.

The balancing exercise, however, favoured the MPS. Having considered each item of personal data, Green J said his “ultimate conclusion is that there is nothing in the personal data which would be of any real value to the Claimants” (para 125). He expressed his unease with both the procedure and the outcome. Permission to appeal was granted, though Panopticon understands that an appeal is not being pursued by the Claimants.

Anya Proops and Christopher Knight acted for the Defendant.

Robin Hopkins @hopkinsrobin

Privacy and data protection – summer roundup

August tends to be a quiet month for lawyers. There has, however, been little by way of a summer break in privacy and data protection developments. Here are some August highlights.

Privacy injunction: sexual affairs of sportsman (not philosophers)

Mrs Justice Laing’s August does not appear to have begun restfully. Following a telephone hearing on the afternoon of Saturday 1 August, she granted what became a widely-reported privacy injunction (lasting only until 5 August) restraining the publication of a story about an affair which a prominent sportsman had some years ago: see the judgment in AMC and KLJ v News Group Newspapers [2015] EWHC 2361 (QB).

As usual in such cases, Article 8 and Article 10 rights were relied upon to competing ends. There is no automatic favourite in such contests – an intense focus on the facts is required.

In this case, notwithstanding submissions about the extent to which the affected individuals ‘courted publicity’ or were not ‘private persons’ – there was a reasonable expectation of privacy about a secret sexual affair conducted years ago. The interference needed to be justified.

The right to free expression did not constitute adequate justification without more: “I cannot balance these two incommensurables [Articles 8 and 10] without asking why, and for what purposes, X and R seek to exercise their article 10 rights… The public interest here is, I remind myself, a contribution to a debate in the general interest”.

On the facts, there was insufficient public interest to justify that interference. The sportsman was not found to have hypocritically projected himself as ‘whiter than white’, and his alleged deceits and breaches of protocols in the coducting of his affair were not persuasive – especially years after the event. In any event, the sportsman was a role model for sportsmen or aspiring sportsmen: “he is not a role model for cooks, or for moral philosophers”. The latter point will no doubt be a weight off many a sporting shoulder.

Subject access requests: upcoming appeals

Subject access requests have traditionally received little attention in the courts. As with data protection matters more broadly, this is changing.

Holly Stout blogged earlier this month about the High Court’s judgment in Dawson-Damer and Ors v Taylor Wessing and Ors [2015] EWHC 2366 (Ch). The case concerned legal professional privilege, manual records and relevant filing systems, disproportionate searches and the court’s discretion under section 7(9) DPA. That case is on its way to the Court of Appeal.

So too is the case of Ittihadieh [2015] EWHC 1491 (QB), in which I appeared. That case concerned, among other issues, identification of relevant data controllers and the domestic purposes exemption. It too is on its way to the Court of Appeal.

Subject access requests: the burden of review and redaction

There has also been judgment this month in a County Court case in which I appeared for the Metropolitan Police Service. Mulcahy v MPS, a judgment of District Judge Langley in the Central London County Court, deals in part with the purposes behind a subject access request. It also deals with proportionality and burden, which – as Holly’s recent post discusses – has tended to be a vexed issue under the DPA (see Ezsias, Elliott, Dawson-Damer and the like).

Mulcahy deals with the proportionality of the burden imposed not so much by searching for information within the scope of a subject access request, but for reviewing (and, where necessary, redacting) that information before disclosure. This is an issue which commonly concerns data controllers. The judgment is available here: Mulcahy Judgment.

Privacy damages: Court of Appeal to hear Gulati appeal

May of 2015 saw Mr Justice Mann deliver a ground-breaking judgment on damages awards for privacy breaches: see Gulati & Ors v MGN Ltd [2015] EWHC 1482 (Ch), which concerned victims of phone-hacking (including Paul Gascoigne and Sadie Frost). The awards ranged between £85,000 and £260,250. The judgment and grounds of appeal against the levels of damages awards are explained in this post by Louise Turner of RPC.

Earlier this month, the Court of Appeal granted MGN permission to appeal. The appeal is likely to be expedited. It will not be long before there is a measure of certainty on quantum for privacy breaches.

ICO monetary penalties

Lastly, I turn to privacy-related financial sanctions of a different kind. August has seen the ICO issue two monetary penalty notices.

One was for £50,000 against ‘Stop the Calls’ (ironically, a company which markets devices for blocking unwanted marketing calls) for serious contraventions of regulation 21 of the Privacy and Electronic Regulations 2003 (direct marketing phone calls to persons who registered their opposition to such calls with the Telephone Preference Service).

Another was for £180,000 for a breach of the seventh data protection principle. It was made against The Money Shop following a burglary in which an unencrypted server containing customers’ personal information was stolen.

Robin Hopkins @hopkinsrobin

Section 7(9) DPA is about privacy, not employment disputes

Disputes about subject access requests under section 7 of the Data Protection Act 1998 only rarely make their way to the Higher Courts. The leading – and often bedevilling – case of Durant is, for example, now 9 years old. Given this scarcity of precedent from the High Court and Court of Appeal, up-to-date illustrations of the judiciary’s approach to the DPA are most usefully sought in County Court judgments – see for example Panopticon’s post on the case of Elliot v Lloyds TSB Bank from earlier this year.

The most recent notable judgment is that of the County Court (HHJ May QC) in Professor Karim Abadir v Imperial College.

The applicant is an eminent econometrics professor employed by Imperial and has been since 2005. In 2011, Professor Abadir took issue when another professor at Imperial began to assess the academic staff by means of subjective metrics. The applicant objected to this, considering those metrics to be inappropriate for the academic staff in his department, and sought disclosure of the discussions that had taken place prior to their implementation.  Aggrieved, he made a subject access request. He was given some information, apparently of the human resources variety in the main. He objected to the nature of some of the comments which had been circulated about him and took the view that some of the emails he sought had been deleted. Imperial informed him in July that it would be implementing an email system upgrade and change of server in August. The applicant feared that some of the emails he wished to obtain would be permanently deleted. He sought an injunction preventing the systems work and requiring Imperial to search for and disclose to him “every document where reference is made” to him, including in deleted files.

Professor Abadir’s application was refused for a number of reasons.

Two reasons were matters of form, in that they related to what was missing from the application. The application was “objectionable” on the grounds that the applicant had not specified the nature of the underlying claim he would bring in due course. Also, assuming the underlying intended claim to be under section 7(9) of the DPA, the Judge expected the applicant to provide a draft order specifying exactly what information or searches he sought. The applicant had not done so. Instead, he asked for “generalised search of all computer systems, to include deleted data”.

Two further reasons were fatal in substantive terms. One was that there was no evidence to support the claim that the systems work would lead to the permanent loss of relevant emails. In fact, Imperial’s evidence contradicted that. There was thus no urgency to justify granting an injunction.

The final reason concerned the purpose or motive behind Professor Abadir’s claim. It was confirmed that his purpose was “to obtain disclosure of documents for purposes of deciding how to frame and pursue against Imperial College employment grievances which Prof Abadir believes he has. Put this way, the process by which documents are sought, given the purpose to which they are intended to be put, is much more akin to an application for pre-action disclosure.  It is disclosure, not right of access to personal data, which Prof Abadir is really seeking from Imperial College.”

On this point, HHJ May QC concluded that “disclosure is sought is not for the purposes of protecting Prof Abadir’s privacy but for the purposes of pursuing a claim against his employer.  To use the provisions of the DPA to pursue such a purpose is an abuse: Ezsias v The Welsh Ministers”.

Unusually, the Judge also awarded the University costs on an indemnity basis. In part, this was because the applicant had failed to identify the underlying cause of action, or to contact Imperial to make enquiries about its server changes before issuing his application for an injunction. HHJ May QC also concluded as follows: “to the extent that the injunction was sought for the purposes of supporting an intended action for DPA disclosure, it was clearly misconceived.  To seek disclosure under the DPA for the purposes of considering an employment claim is an abuse.  In any event, as DPA proceedings are for the purposes of protecting privacy, deletion/destruction of documents would not be contrary to those purposes, quite the reverse.”

It is apparent, therefore, that Courts continue to be unimpressed by the pursuit of subject access requests motivated by prospective litigation, and that they tend to see privacy concerns (rather than employment grievances) as the underlying rationale for the right of access to personal data. This will be welcomed by many data controllers.

Anya Proops appeared for Imperial College.

Robin Hopkins

SUBJECT ACCESS REQUESTS – MIXED MOTIVES AND PROPORTIONATE SEARCHES

There are two questions which are frequently posed by data controllers in receipt of wide-ranging subject access requests. First, if the request is made in circumstances where the requester is pursuing litigation against the data controller, the data controller will often query whether the request can be refused on the ground that it is being pursued for improper collateral purposes. Second, if responding to the request comprehensively would be disproportionately resource intensive, the data controller will typically ask whether it is entitled to limit its search to one which is reasonable and proportionate in the circumstances. As the recent case of Elliot v Lloyds TSB Bank PLC & Anor (Case No: 0LS51908) illustrates, answering such questions is rarely straightforward.

The background to Elliott was that Mr Elliott was pursuing a grievance against Lloyds in connection with certain commercial matters. With a view to furthering his grievance, Mr Elliott submitted a request to Lloyds for pre-action disclosure. That request was refused on the ground that it did not comply with CPR 31.16. Thereafter, Mr Elliott submitted wide-ranging subject access requests to Lloyds. A considerable amount of information was disclosed by Lloyds in response to the requests. However, Mr Elliott was not satisfied with the material disclosed to him. He considered that further searches ought to be undertaken. Accordingly, he brought a claim against Lloyds in the County Court under s. 7(9) DPA (s. 7(9) affords the court a wide discretion to order a data controller to comply with a subject access request if it is satisfied that the data controller has not dealt with the request in accordance with the legislation). Lloyds sought to resist the claim on two grounds: first, the claim was an abuse of process as it was being pursued for the collateral purposes of furthering Mr Elliott’s interests in prospective commercial litigation against Lloyds; second, the claim should fail on the basis that the further searches for data which Mr Elliott was insisting should be conducted would be disproportionate in all the circumstances. Thus, both Mr Elliott’s motive and the issue of the proportionality of Lloyd’s searches were at stake in the litigation.

The Motive Issue

Mr Elliott’s case on the motive issue was that he was pursuing the claim for a legitimate purpose, namely that he wanted to find out whether Lloyds had been misusing his personal data (e.g. by improperly disclosing it to a third party). Lloyd’s position on the motive issue was as follows: either Mr Elliot was pursuing the claim purely in order to further his interests in the prospective commercial litigation or this was the dominant motivation for the claim; either way the s. 7(9) claim was being pursued for an improper collateral purpose and, as such, amounted to an abuse of process.

Following Durant v Financial Services Authority [2003] 1746, the judge (HHJ Behrens) readily accepted that, if the claim was being pursued purely for the collateral purpose of furthering Mr Elliott’s position in other prospective litigation, that would amount to an abuse of process which would justify the claim being struck out. However, he went on to query what the position would be if Mr Elliott in fact had mixed motives (i.e. he wanted the data in order to further the prospective commercial litigation but also wanted to discover whether his data had in fact been misused by Lloyds). Having considered the judgment of the High Court in Iesini v Westrip Holdings [2011] 1 BCLC 498, the judge took the view that, in a case involving mixed motives, the test which should be applied was a ‘but for’ test. Thus, if the claim would not have been brought but for the claimant’s collateral purpose in furthering his interests in the other litigation, the claim would have been brought for an improper purpose and would be liable to be struck out as an abuse of process. On the other hand, if the s. 7(9) claim would have been brought irrespective of the other prospective litigation, then it was not an abuse of process. Notably, the judge rejected an alternative test proposed by Lloyds, namely that the s. 7(9) claim would be an abuse of process if the ‘dominant purpose’ of the claim was an improper collateral purpose. The judge concluded that the dominant purpose test could not be reconciled with the approach approved by the court in Iesini.

With respect to Mr Elliott, the judge concluded that: he had mixed motives in bringing the s. 7(9) claim; however, he would still have brought the claim in the absence of the prospective commercial litigation and, as such, his claim under the DPA was not an abuse of process.

Proportionate Search

On the proportionate search issue, Mr Elliott argued that a data controller was not entitled to limit the scope of its search for personal data by reference to concepts such as reasonableness and proportionality. Insofar as the concept of proportionality was relevant at all under the DPA, it was relevant not to the search process per se but rather to the process of supplying the data to the applicant once it had been located (see further s. 8(2)(a) DPA which disapplies the general duty to provide the applicant with ‘a copy of the information in permanent form’ in circumstances where the supply of such a copy ‘is not possible or would involve disproportionate effort’). In support of these arguments, Mr Elliott relied on guidance published by the Information Commissioner.

Lloyds argued that this was not the correct approach and that, following Ezsias v Welsh Ministers [2007] All ER (D) 65, it was not obliged under the DPA to conduct a search requiring unreasonable or disproportionate effort. Lloyds further contended that, to the extent that the Commissioner’s guidance took a different view of the principles approved in Ezsias, the guidance was wrong and ought not to be followed. Lloyds argued that it would be disproportionate to conduct the further searches demanded by Mr Elliott. The judge accepted Lloyds’ case on the disproportionate effort issue. He agreed that the further searches sought by Mr Elliott were disproportionate and, hence, were not required under the DPA.

The court’s judgment on the proportionality issue is likely to offer considerable relief to data controllers, many of whom struggle under the burdens imposed by wide-ranging subject access requests. It remains to be seen whether the Commissioner will, in response to this judgment, seek to review his guidance. As for the judgment on the motive issue, it is worth noting that the court heard evidence directly from Mr Elliott on this issue and, further, that it found him to be ‘an honest witness’.

Finally, it is worth noting that, despite having won on the disproportionate search issue, Lloyds was still required to pay a substantial part of Mr Elliott’s costs. This was in no small part because Lloyds had disclosed a substantial amount of new data following the lodging of Mr Eliott’s claim. 11KBW’s James Cornwell acted for Lloyds.

Anya Proops