Case Update – Searches in Response to a Subject Access Request Sufficient if “Reasonable and Proportionate”
In the recent case of Holyoake v Candy and CPC Group Limited, the High Court refused an application to order compliance with a subject access request (SAR) under the Data Protection Act 1998 (DPA) on the basis that the data controller’s searches had been “reasonable and proportionate” and legal professional privilege had been properly claimed.
Mr Holyoake is involved in a High Court dispute against Mr Candy and CPC Group Limited (CPC) involving an unsecured loan agreement worth £12 million. The trial is due to be heard later this month. Part way through proceedings, Mr Holyoake made a SAR to CPC. CPC responded to the SAR but relied on the legal professional privilege exemption in relation to some documents. Mr Holyoake did not consider that CPC had complied with his SAR; in particular, he argued that the private emails of CPC’s directors should be searched. He applied to the court to order compliance.
Section 7 of the DPA allows an individual to request access to their personal data by making a SAR. Following such a request, the data must be provided unless this is “not possible or would involve disproportionate effort” (section 8(2) DPA). If someone has made a SAR and is not satisfied that their request has been complied with, they can make an application to the court to order compliance.
In order to consider Mr Holyoake’s application, the High Court had to determine: i) whether CPC had carried out adequate searches when responding to the SAR; and ii) whether the documents in question fell under the legal professional privilege exemption. The Court held that a data controller’s obligation to carry out a search on receipt of a SAR is limited to what is “reasonable and proportionate.” In this case, it was not necessary for CPC to search its directors’ private email accounts as there was no evidence that these accounts had been used for company business. The Court noted that the searches undertaken by CPC in response to Mr Holyoake’s SAR involved a review of over 17,000 documents and generated time charges in excess of £37,000, and therefore concluded that the searches carried out were reasonable. In addition, the Court found that CPC had correctly identified some of the documents as privileged and, as such, these documents could be excluded from disclosure to Mr Holyoake. Mr Holyoake’s application was therefore dismissed.
What does this mean?
SARs can often involve enormous amounts of data, particularly in large organisations, and this decision is helpful to data controllers in that it limits the search for personal data to what is “reasonable and proportionate.” The decision also provides helpful guidance on whether data controllers should consider searching directors’ private email accounts when responding to a SAR. The Court recognised that there may be some occasions where this is necessary, but stressed that the company is not required to ask directors if they use their private email for company business “unless there is some sufficient reason to do so”. The Court also stated that a company may not access private email accounts to check the position. This decision is important as it establishes that there is a limit to what you are obliged to do in response to a SAR and for that reason it will no doubt be welcomed by data controllers.