When can you refuse to comply with a SAR if there is disproportionate effort required?
In the case of Dawson-Damer and others v Taylor Wessing LLP the Court of Appeal provided useful clarification on the extent to which a data controller can rely on the legal privilege exemption, disproportionate effort exemption or the data subject’s motivation when refusing to comply with a subject access request (SAR).
The Court of Appeal provided the following useful guidance on compliance with SARs:
- When can the legal professional privilege exemption be relied upon?
This exemption should only be relied upon for legal proceedings recognised in the UK.
- When can the disproportionate effort exemption apply?
The DPA limits a data controller’s obligation to provide copies of data if it would involve disproportionate effort. Confusingly though, the Information Commissioner’s Subject Access Code of Practice suggests that this exemption only applies to the process of supply. The judgment clarifies that the difficulties to be considered when relying upon the disproportionate effort exemption are those which occur throughout the process of complying with the request, which may include supply of the information.
However, a mere assertion that the search would be difficult is not sufficient. As far as possible the SAR should be enforced and the data controller will be required to produce evidence to show what attempts have been made to comply with the SAR.
- Should a SAR be complied with if the motivation for the request is litigation?
It was apparent in the Dawson-Damer case that the motive behind the data subject access request was litigation. However, the law does not limit the purpose for which a SAR can be made. The Judge stated that a SAR will not be made invalid if made for the collateral purpose of assisting litigation.
This judgment is very data subject friendly and data controllers should take note of the guidance it provides. Particularly the Judge’s indication that “most data controllers can be expected to know of their obligations to comply with SARs and to have designed their systems accordingly”.
It is very clear from this case that a data controller will be expected to carry out a comprehensive and extensive search for documents in an attempt to comply with a SAR before being able to rely on the exemption that such compliance would involve disproportionate effort.