This article asks more questions than it answers. All of this is stuff that presumably all of you know, but which I figured out recently (anything clever in this emerged in a conversation that I was having about this issue with someone much brighter than me).
I finally read all of Durant about ten days ago. I have been like one of those lazy children who only reads the bit of the set text that he thinks he will be tested on. But now I have read it all and I am bloody confused.
Naively, I had assumed that the point of a SAR was to see what horrid stuff a data controller held on you. And then I read Durant, para 27:
"In conformity with the 1981 Convention and the
Directive, the purpose of section 7, in entitling an individual to have
access to information in the form of his "personal data" is to enable
him to check whether the data controller's processing of it unlawfully
infringes his privacy and, if so, to take such steps as the Act
provides, for example in sections 10 to 14, to protect it. It is not
an automatic key to any information, readily accessible or not, of
matters in which he may be named or involved. Nor is to assist him, for
example, to obtain discovery of documents that may assist him in
litigation or complaints against third parties." [my emphases]
And now this makes perfect sense to me. Of course, the whole point of the DPA and the directive on which it is based on is to ensure lawful processing. So, one of the first steps to ensuring that your friendly data controller was playing ball would be to understand what it had.
But that it not how SARs are worded. Often, they are from people unhappy with the outcome of a dispute who are fishing to see if they can take the matter further. And the responses that they get might help them. But often they don't.
I saw a couple from my time in the NHS where the data subject had had an altercation with a fellow patient and made a SAR for the report or log of the incident.
But once the third party data was cut out, they would get nothing at all.
Alan pummelled Zac half to death. Zac bled all over the floor. Alan laughed and said 'you deserved that'.
got turned into:
XXXXXXXXXXXXXXXXXXX Zac bled all over the floor. XXXXXXXXXXXXXXXXXXXX.
Which is not exactly helpful (although, my redactions are open to debate). Not if you're going to court. So, all the effort was wasted.
Now, it seems that judges are not that excited about subject access being used in lieu of pre-action disclosure. I only heard about this recently - it's that thing where, if you are going to court, you get to see what papers are held by relevant parties. See MoJ and particularly Annex A (there is specific guidance for all sorts of court actions on the MoJ website). In some instances, use of SAR has been deemed an abuse of process by courts. More than that, it is almost always totally useless when it comes to figuring out what information is held about you with a view to getting justice.
So, when someone sends in a SAR and says explicitly that they want to go to court, can we suggest to them that this is not a useful route to getting the information they want? Well, it might not be useful, but it is hard to deny anyone their subject access right. I am sure that the ICO would frown.
In the end, I bet hardly anyone putting in a SAR is actually wondering whether the information is being processed lawfully - mostly, they want some specific information or want to know what big brother has seen.