Data Subject Access Requests: paper files and proportionate searches
In the long-running saga of Dawson-Damer v Taylor Wessing and ors the High Court (on remission from the Court of Appeal) has made a number of important findings that have relevance to data subject access requests (DSAR).
The claim was made by beneficiaries of a Bahamian Trust that its UK solicitors, Taylor Wessing, had failed to comply with DSARs made under the Data Protection Act 1998 (DPA).
There are two issues in the High Court's decision which are of particular interest to employers handling DSARs: what constitutes a relevant filing system and what is a proportionate search?
The High Court confirmed that Taylor Wessing's paper files were a "relevant filing system" for the purposes of the DPA 1998. The judge considered that as the files were arranged chronologically the personal data could be "easily retrieved" and that a page turning exercise through those files looking for personal data was not unduly onerous.
This departs from the Court of Appeal's more restrictive interpretation in Durant v FSA which was that a manual filing system would be a relevant filing system only if it was broadly equivalent to a computerised system in that it could be easily searched for personal data. The judgment recognised that Durant was decided before the right to protection of personal data was enshrined as a fundamental EU right. This has shifted the balance from the burden on the data controller to protecting the data subject. The question of whether data could be "easily retrieved" should not be looked at in isolation but alongside whether it was structured by reference to specific criteria "related to individuals". There are 35 paper files (made prior to electronic filing) which must now be searched through for personal data. However, it is understood that permission to appeal on this issue has already been granted.
On the question of what is proportionate, the deputy judge found that in relation to one of the categories of data, Taylor Wessing had not discharged the burden of showing that a search would be disproportionate because it had not served evidence setting out the time and cost involved in conducting a search for the claimants' personal data. However, in relation to documents held in Mimecast, a backup system, it was disproportionate to require Taylor Wessing to conduct searches of this as it would reveal confidential information about their employees or other unrelated clients. In contrast, the High Court held that searches of personal spaces of current employees (in which they could save documents and emails) would not be disproportionate.
Since the introduction of GDPR, employers are reporting a significant increase in the number of DSARS. Although this decision concerned the DPA 1998 (which has now been replaced by the DPA 2018), the Court's decision is relevant as GDPR contains similar provisions in relation to filing systems and requests which are "manifestly unfounded or excessive". It emphasises the importance of evidencing the time and cost involved where alleging that compliance is disproportionate.
For more information, please contact Robert Thomas.
Flexible working requests: 5 tips for employers
Charles Russell Speechlys advises Acora on acquisition of Westgate IT
Westgate IT specialises in providing IT support to businesses in the South West.
Nick Hurley quoted by the Society for HR Management on the UK government's proposals to prevent workplace sexual harassment
The U.K. government introduced legislation in July 2021 for employers to take proactive steps to prevent sexual harassment on the job.
Olivia Crane writes for The Grocer on the importance of robust data protection policies for checkout-less stores
The ‘personal data footprint’ created by this type of service and technology isn’t something that should be overlooked.
Returning to work post-lockdown: FAQs for employers
We look at some of the main issues employers may face and the key steps to consider as restrictions ease.
Covid passports - are they workable or just a shambles?
Amelia Goodwin writes for Civil Society on a recent employment tribunal ruling which found that anxiety constitutes a disability
The tribunal found that an anxiety state constitutes a disability for the purposes of the Equality Act 2010.
Face coverings at work post lockdown
While the legal requirement has been lifted, employers may consider face coverings as an appropriate safety measure in certain workplaces.
Charles Russell Speechlys advises Apposite Capital on acquisition of i2a Diagnostics
i2a is a leading provider of laboratory instruments, software and reagents for the clinical microbiology market in France.
Brace yourselves: dentists could be liable for actions of self-employed staff
Olivia Crane quoted by SoGlos on the increasing issue of cyber fraud being faced by businesses in Gloucestershire
Cyber fraud has cost Gloucestershire businesses around £369,800 in the last 13 months.
Nick Hurley interviewed by GB News on the legal ramifications of employers insisting employees have the COVID-19 vaccine
Nick considers the potential dangers of employers setting a precedent by adopting a 'No Jab, No Job' policy.
Government to introduce duty on employers to prevent sexual harassment
Record success for Charles Russell Speechlys’ Private Wealth practice in Chambers HNW 2021 directory
We are delighted to have once again been recognised as a leader in our field in the Chambers High Net Worth 2021 Guide.
Michael Powner writes for People Management and explains how employers can carry out an equal pay audit
How do employers carry out an equal pay audit?
COVID-19 Vaccination – can an employer make it compulsory for employees?
We review what legal issues to take into account when considering to make vaccination compulsory as an employer.
Changes to Right to Work Checks from 1 July 2021
EEA citizens and their family members are required to evidence immigration status in the UK, in the same way as other foreign nationals.
Changes to Right to Rent Checks from 1 July 2021
Following the UK’s departure from the EU, the right to rent checks grace period of six months will end on 30 June.
Michael Powner and Laurence Whymark write for The Caterer on the implications of the new tipping laws on the hospitality industry
Operators will soon have to pass on tips to staff without deductions.
Post-Brexit business visitors and working in France, Germany, Spain and the UK
Watch the final session in a series of webinars on post-Brexit mobility.