Monday, November 11, 2013

What is the purpose of subject access requests?

This article asks more questions than it answers. All of this is stuff that presumably all of you know, but which I figured out recently (anything clever in this emerged in a conversation that I was having about this issue with someone much brighter than me).

I finally read all of Durant about ten days ago. I have been like one of those lazy children who only reads the bit of the set text that he thinks he will be tested on. But now I have read it all and I am bloody confused.

Naively, I had assumed that the point of a SAR was to see what horrid stuff a data controller held on you. And then I read Durant, para 27:

"In conformity with the 1981 Convention and the Directive, the purpose of section 7, in entitling an individual to have access to information in the form of his "personal data" is to enable him to check whether the data controller's processing of it unlawfully infringes his privacy and, if so, to take such steps as the Act provides, for example in sections 10 to 14, to protect it. It is not an automatic key to any information, readily accessible or not, of matters in which he may be named or involved. Nor is to assist him, for example, to obtain discovery of documents that may assist him in litigation or complaints against third parties." [my emphases]

And now this makes perfect sense to me. Of course, the whole point of the DPA and the directive on which it is based is to ensure lawful processing. So, one of the first steps to ensuring that your friendly data controller was playing ball would be to understand what it had.

But that is not how SARs are worded. Often, they are from people unhappy with the outcome of a dispute who are fishing to see if they can take the matter further. And the responses that they get might help them. But often they don't.

I saw a couple from my time in the NHS where the data subject had had an altercation with a fellow patient and made a SAR for the report or log of the incident.

But once the third party data was cut out, they would get nothing at all.

Alan pummelled Zac half to death. Zac bled all over the floor. Alan laughed and said 'you deserved that'.

got turned into:

XXXXXXXXXXXXXXXXXXX Zac bled all over the floor. XXXXXXXXXXXXXXXXXXXX.

Which is not exactly helpful (although, my redactions are open to debate). Not if you're going to court. So, all the effort was wasted.

Now, it seems that judges are not that excited about subject access being used in lieu of pre-action disclosure. I only heard about this recently - it's that thing where, if you are going to court, you get to see what papers are held by relevant parties. See MoJ and particularly Annex A (there is specific guidance for all sorts of court actions on the MoJ website). In some instances, use of SAR has been deemed an abuse of process by courts. More than that, it is almost always totally useless when it comes to figuring out what information is held about you with a view to getting justice.

So, when someone sends in a SAR and says explicitly that they want to go to court, can we suggest to them that this is not a useful route to getting the information they want? Well, it might not be useful, but it is hard to deny anyone their subject access right. I am sure that the ICO would frown.

In the end, I bet hardly anyone putting in a SAR is actually wondering whether the information is being processed lawfully - mostly, they want some specific information or want to know what big brother has seen.








1 comment:

Jon Baines said...

Durant is much-criticised, and it would be tremendously helpful to get a fresh view from higher authority, but it's important to note that the Court of Appeal were keen to stress the fact that the Act gives effect to the Directive, and that the Directive and its recitals have a "primary objective" to "protect individuals' fundamental rights, notably the right to privacy and accuracy of their personal data held by others...whilst at the same time facilitating the free movement of such data between Member States of the European Union" (para 4). I think there's a risk (I've been guilty of this) of seeing Durant solely as a case of domestic judges disapproving of back-door disclosure through subject access, but, as you note, the CoA were at pains to stress subject access's basis in European law (see Buxton LJ at para 79).

What I do find surprising, in this context, is the fact that the ICO, in his recently-published Code of Practice on Subject Access Requests, fails to explain the basis in this way (it calls subject access a "fundamental right" but leaves things hanging there, as though it has some free-standing basis).

To this extent, I would argue (contrary to what you perhaps indicated in your Twitter discussion earlier) that it is not always as straightforward as the ICO agreeing with the EC, and the courts disagreeing.