Subject access requests and further judicial clarification: 7 key points to note from the Rudd v Bridle judgment

May 14, 2019

The High Court has very recently ruled on the case of Rudd v Bridle, dealing with a contentious subject access request. A short report and link to the full judgment have already been published on scl.org but, in summary, it dealt with a SAR from a doctor specialising in asbestos to an “asbestos consultant” and his company. It appears that they had some disagreements about the role of asbestos in causing cancer, and a history of complaints, with the asbestos consultant criticising the doctor.

It is a lengthy judgment but deals with several important points about handling subject access requests, so I thought it would be helpful to pick out the most salient ones, listed below.

1) A data controller needs to carry out only a “reasonable and proportionate search” for data potentially in scope of a SAR (paragraph 71)

“It is indeed clear law, at least domestically, that a data controller on which a SAR is served is only required to conduct a reasonable and proportionate search for the applicant’s personal data. This principle, first identified by Judge Hickinbottom (as he then was) in Ezsias v Welsh Ministers (unreported, 23 November 2007) at [97], is authoritatively confirmed in the passages cited from Ittihadieh. 

One consequence is that compliance “does not necessarily mean that every item of personal data relating to an individual will be retrieved”: Ittihadieh [103] (Lewison LJ).”

2) If a controller is going to rely on “litigation privilege” as an exemption, it must have evidence as to why it applies (paragraphs 92-97)

This exemption — now in paragraph 19 to Schedule 2 to the DPA 2018 — is “absolute and unqualified, and does not depend on proof that the defendants held a reasonable belief in anything”.

In terms of the proof that the exemption is made out, the court held that “evidence from a solicitor that he or she has reviewed the documents and concluded that they are protected by the exemption should carry more weight than a similar claim in respect of the Journalism and Regulatory Activity Exemptions; and the same would be true of evidence that an associate had carried out such a task, provided always that the Court could see that no error of law had been made.”

However, the court restated the criteria for litigation privilege from Starbev GP Ltd v Interbrew Central European Holdings, and held that there was insufficient evidence that it applied.

As such, to rely on the exemption in respect of litigation privilege, the controller must have evidence as to how it has applied the four conditions from Starbev.

The court also held that “evidence, sparse though it is, is sufficient to justify the claim to legal advice privilege”, but that this was not the focus of the claim. A controller should consider whether it can rely on both types of privilege, rather than just focussing on one.

3) Third party names within communications / data sets may be personal data of the applicant, and should not be redacted in a blanket manner

The court held that third party names within communications / data sets may be the personal data of the applicant and so cannot be automatically excluded as “not personal data” of the applicant (paragraph 116).

Instead, the controller has to assess whether they should be excluded in line with the rules about not disclosing information relating to another individual. (These rules are now in paragraph 16, Schedule 2, DPA 2018.)

This requires a case-by-case consideration, and, even where a controller does not have the consent of the individual, it may still have to disclose the individual’s name if it is reasonable to do so without their consent.

A controller doing blanket redaction of names within correspondence (within it, not as a source / recipient) should reconsider their approach.

4) The names of recipients of personal data are not personal data of the applicant, but the controller must still describe who they are to the recipient (if it cannot rely on a class description)

The court held that the names of recipients were not the personal data of the applicant (paragraph 116):

“[A]pplying the criteria in Durant and the ICO Code the identities of those to whom these personal data have been communicated are not personal data relating to Dr Rudd. It is not information relating to him. It is perfectly easy to understand what is being written about Dr Rudd in the extracts provided, without knowing to whom it is being written.” [125]

The court endorsed the ICO’s guidance on this point (paragraph 106):

“The ICO’s Subject Access Code of Conduct says at p41, “The right to a description of other organisations or people to whom personal information may be given is a right to this information in general terms; it is not a right to receive the names of those organisations or people.” I agree with that interpretation, which fits the statutory wording.”

However, it concluded that (paragraph 107):

“if disclosure has been or will be made to a class, a description of the class will suffice (for example, “I will or may disclose these data to the readership of the Daily Globe”), but if there is a single recipient, the data controller must describe that recipient (for example “on 14 October 2017 I told a medical practitioner that I had caught measles from the claimant”)”.

As such, a controller does not have to name a recipient, but:

a) if they are a class, it must describe the class; and

b) if they are an individual, it must describe (but not necessarily name) the individual.

5) The names of sources of personal data are not personal data of the applicant but, if held, they must be disclosed unless exempt

The court used the same logic as with recipients, to hold that sources of personal data are not, in themselves, personal data of the applicant (paragraph 121).

However, if information relating to a source is held by the organisation then it must be disclosed (paragraph 122), as the duty is to provide “any available information”, and this is “broad” (paragraph 123).

It may be possible to withhold information about individuals if the test in paragraph 16, Schedule 2, DPA 2018 can be met.

6) A subject access request does not afford a right to documents

A nice, clear statement (paragraph 127):

“The claimant has no right to documents, nor does he have a right to know the full contents of documents. His right is to the information in personal data … Information can be presented in intelligible form without the need to provide its full context, or even the whole of the sentence in which it appears.”

In my view, this is likely to remain the case under the GDPR, where Article 15(1) provides “access to the personal data” and 15(2) to “a copy of the personal data”: in each case, the right relates to the personal data, not to the document itself.

The court did not address the issue of documents which could, as a whole, be regarded as “relating to” the data subject; this was not pertinent to the documents at issue.

7) A breach does not give an automatic entitlement to damages

The court reiterated (paragraph 22) the earlier ruling of Lloyd v Google LLC [2018] EWHC 2599 (QB) (paragraph 56 of Lloyd), that a claimant cannot recover compensation just because there has been a contravention of the law. He must prove that he suffered distress or other damage, and show a causal link between that damage and one or more of the contraventions he has established. 

This comment relates to s13 DPA 1998 — the old law — but seems equally applicable under Article 82(1) GDPR.

Neil Brown is Director of decoded:Legal, a telecoms, technology and Internet law firm. @neil_neilzone