Data Subject Access Requests: paper files and proportionate searches
In the long-running saga of Dawson-Damer v Taylor Wessing and ors the High Court (on remission from the Court of Appeal) has made a number of important findings that have relevance to data subject access requests (DSAR).
The claim was made by beneficiaries of a Bahamian Trust that its UK solicitors, Taylor Wessing, had failed to comply with DSARs made under the Data Protection Act 1998 (DPA).
There are two issues in the High Court's decision which are of particular interest to employers handling DSARs: what constitutes a relevant filing system and what is a proportionate search?
The High Court confirmed that Taylor Wessing's paper files were a "relevant filing system" for the purposes of the DPA 1998. The judge considered that as the files were arranged chronologically the personal data could be "easily retrieved" and that a page turning exercise through those files looking for personal data was not unduly onerous.
This departs from the Court of Appeal's more restrictive interpretation in Durant v FSA which was that a manual filing system would be a relevant filing system only if it was broadly equivalent to a computerised system in that it could be easily searched for personal data. The judgment recognised that Durant was decided before the right to protection of personal data was enshrined as a fundamental EU right. This has shifted the balance from the burden on the data controller to protecting the data subject. The question of whether data could be "easily retrieved" should not be looked at in isolation but alongside whether it was structured by reference to specific criteria "related to individuals". There are 35 paper files (made prior to electronic filing) which must now be searched through for personal data. However, it is understood that permission to appeal on this issue has already been granted.
On the question of what is proportionate, the deputy judge found that in relation to one of the categories of data, Taylor Wessing had not discharged the burden of showing that a search would be disproportionate because it had not served evidence setting out the time and cost involved in conducting a search for the claimants' personal data. However, in relation to documents held in Mimecast, a backup system, it was disproportionate to require Taylor Wessing to conduct searches of this as it would reveal confidential information about their employees or other unrelated clients. In contrast, the High Court held that searches of personal spaces of current employees (in which they could save documents and emails) would not be disproportionate.
Since the introduction of GDPR, employers are reporting a significant increase in the number of DSARS. Although this decision concerned the DPA 1998 (which has now been replaced by the DPA 2018), the Court's decision is relevant as GDPR contains similar provisions in relation to filing systems and requests which are "manifestly unfounded or excessive". It emphasises the importance of evidencing the time and cost involved where alleging that compliance is disproportionate.
For more information, please contact Robert Thomas.
Sponsor Licence Compliance: Key considerations & how to be audit ready
Join us for the third in our series of mini webinars on post Brexit immigration about sponsor licence compliance.
COVID-19 Vaccination – can an employer make it compulsory for employees?
We review what legal issues to take into account when considering to make vaccination compulsory as an employer.
Linking ESG and Executive Pay
How does a business go about embedding a focus on strong ESG performance into the structures and culture of its organisation?
Amelia Goodwin and Georgina O'Sullivan write for Pharmacy Business on managing employee performance
Why contractors should prioritise performance management of employees as a regular feature of their business strategy.
The UK’s New Skilled Worker & Intra-Company Visa Routes: a closer look
Taking a closer look at the UK’s new visas to assist UK businesses.
Have your say: MAC call for evidence on Intra-Company Visa Route
The MAC, has launched a call for evidence on the Intra-Company Transfer (ICT) immigration route.
Sleep-in workers not entitled to NMW for entire shift
A unanimous ruling by The Supreme Court in the Royal Mencap v Tomlinson-Blake and another case.
Amelia Goodwin quoted by People Management, Home Care Insight and Care Home Management on the implications of the Supreme Court's ruling in Royal Mencap Society v Tomlinson-Blake
The court found that care providers do not have to pay the minimum wage to staff for time that they are asleep but on call during shifts.
It’s all about the data…why has the government delayed hospitality reopening again?
Michael Powner quoted by People Management on the implications of Uber's decision to pay drivers minimum wage
Uber’s rollout of living wage will put further pressure on other gig economy firms to follow suit.
Rose Carey, Kelvin Tanner and Kate Gamester write for Compliance & Risk on navigating the UK's new immigration system
The article highlights the compliance pitfalls and how organisations can adapt to avoid them.
The UK’s post-Brexit rules for skilled workers – Key implications for the construction industry
As a result of the new Points Based Immigration System , UK companies in the construction sector will not be able to sponsor labourers.
How to manage redundancies: employee rights on redundancy
What rights do employees have when a redundancy exercise is carried out?
Michael Powner quoted by Personnel Today on the implications of the Uber Supreme Court ruling on the gig economy
While the case is fact specific, the decision is likely to be a very persuasive authority for tribunals ruling on others in the gig economy.
Michael Powner quoted by Bloomberg, PA Media and People Management on the Supreme Court's ruling on the employment status of Uber drivers
The Supreme Court unanimously found that Uber drivers are workers under UK law.
Nick Hurley quoted by the Daily Mirror on 'no jab, no job' policies
'No jab, no job' may seem clear and concise, but mandatory policies requiring the Covid-19 vaccine are far from straightforward.
How to manage redundancies: practical steps
What are the practical considerations when carrying out a redundancy exercise?
EMI share options, Covid-19, and Brexit – where are we now?
What are the new measures to employers operating EMI schemes that have been affected by the pandemic?
Jonathan McDonald and Rahim Hirji write for LawInSport on the relationship between data protection and referee reports in English football
Is data in reports submitted by referees to the Football Association subject to the General Data Protection Regulation?
Next Generation Cloud for Europe
Next Generation Cloud for Europe