Data Subject Access Requests: paper files and proportionate searches
In the long-running saga of Dawson-Damer v Taylor Wessing and ors the High Court (on remission from the Court of Appeal) has made a number of important findings that have relevance to data subject access requests (DSAR).
The claim was made by beneficiaries of a Bahamian Trust that its UK solicitors, Taylor Wessing, had failed to comply with DSARs made under the Data Protection Act 1998 (DPA).
There are two issues in the High Court's decision which are of particular interest to employers handling DSARs: what constitutes a relevant filing system and what is a proportionate search?
The High Court confirmed that Taylor Wessing's paper files were a "relevant filing system" for the purposes of the DPA 1998. The judge considered that as the files were arranged chronologically the personal data could be "easily retrieved" and that a page turning exercise through those files looking for personal data was not unduly onerous.
This departs from the Court of Appeal's more restrictive interpretation in Durant v FSA which was that a manual filing system would be a relevant filing system only if it was broadly equivalent to a computerised system in that it could be easily searched for personal data. The judgment recognised that Durant was decided before the right to protection of personal data was enshrined as a fundamental EU right. This has shifted the balance from the burden on the data controller to protecting the data subject. The question of whether data could be "easily retrieved" should not be looked at in isolation but alongside whether it was structured by reference to specific criteria "related to individuals". There are 35 paper files (made prior to electronic filing) which must now be searched through for personal data. However, it is understood that permission to appeal on this issue has already been granted.
On the question of what is proportionate, the deputy judge found that in relation to one of the categories of data, Taylor Wessing had not discharged the burden of showing that a search would be disproportionate because it had not served evidence setting out the time and cost involved in conducting a search for the claimants' personal data. However, in relation to documents held in Mimecast, a backup system, it was disproportionate to require Taylor Wessing to conduct searches of this as it would reveal confidential information about their employees or other unrelated clients. In contrast, the High Court held that searches of personal spaces of current employees (in which they could save documents and emails) would not be disproportionate.
Since the introduction of GDPR, employers are reporting a significant increase in the number of DSARS. Although this decision concerned the DPA 1998 (which has now been replaced by the DPA 2018), the Court's decision is relevant as GDPR contains similar provisions in relation to filing systems and requests which are "manifestly unfounded or excessive". It emphasises the importance of evidencing the time and cost involved where alleging that compliance is disproportionate.
For more information, please contact Robert Thomas.
Dismissal for refusing vaccination found to be fair
An employment tribunal found that the summary dismissal of a care assistant who refused to be vaccinated, was fair.
Out of Office – 5 tips for employers considering a more flexible approach to where we work
AI and HR - How can employers reduce the risks associated with using artificial intelligence to help manage their workforce?
Online safety – 2022 begins with regulatory developments in both the UK and the EU
Last week saw developments within the UK and EU in their attempts to ensure online businesses do more to address illegal online content.
Nick Hurley quoted by People Management on whether employers can reduce sick pay for unvaccinated staff
Nick comments on the legal risks for companies opting not to provide company sick pay to isolating unjabbed workers.
On the employment horizon – 2022
We set out some of the key changes we anticipate over 2022 in employment law, and how to best prepare for them.
Becky Lawton and Francesca Charlton write for P3 Pharmacy on employment issues for pharmacies in light of the Omicron variant
What can owners and managers do if staff refuse to comply with latest restrictions?
Charles Russell Speechlys advises Acora on the acquisition of M9 Holdings
The acquisition of M9 Holdings marks the latest stage in Acora’s growth journey.
Jonathan McDonald quoted by The Guardian and the Evening Standard on the Google Supreme Court decision
Jonathan comments on the implications of Lloyd v Google LLC.
Charles Russell Speechlys advises Puma Private Equity on their investment into Everpress
Puma Private Equity offers a wide range of award-winning investments that help to support investors.
Michael Powner and Isabella MacPherson write for People Management on whether employers can enforce compulsory retirement ages
In light of a recent case, Michael Powner and Isabella MacPherson explore what firms can do to avoid age discrimination claims.
Fairhurst v Woodard: Property audio and video surveillance system breached GDPR
A recent judgment from Oxford County Court raises significant questions about the increasing use of smart doorbells and cameras.
Michael Jones quoted by CDR Magazine on the criminal provisions within the Pension Schemes Act 2021
Michael underlines the importance of sponsoring employers engaging in a dialogue with the scheme and TPR.
Top 5 Data Protection Tips
Jonathan and Marc-Us explore the top 5 data protection tips
Closing the Cookie Jar
Opportunistic claims for misuse of online tracking cookies are on the rise. Proactively ensuring compliance is key to avoiding claims.
Regulating AI – the impact of two key recent proposals: the UK’s National AI Strategy and the EU’s proposed Artificial Intelligence Regulation
With the hype surrounding artificial intelligence continuing to gather pace, we pause and consider some of the proposed regulatory changes.
Review of the Department for Digital, Culture, Media & Sport consultation
On 10 September 2021 the Department of Digital, Cultural, Media and Sport (DCMS) published a consultation titled ‘Data: a new direction’.
China’s Personal Information Protection Law – keeping up with the Joneses or increased cyber-security?
Up until recently, China’s data protection rules could be found through a number of laws and guidelines
Charles Russell Speechlys advises shareholders of eCommonSense on sale to ECI Software Solutions
eCommonSense is a technology solutions provider focused on the construction and building materials supply sectors.
Amelia Goodwin and Georgina O'Sullivan write for P3 Pharmacy on the key to managing performance
Day-to-day management is time consuming enough, so if you have a workforce with no apparent issues, performance may not be on your radar.