The right to access to one’s own “personal data”, subject to certain exemptions and limitations, has now been part of UK law for some 30 years. Under the current Data Protection Act 1998 (DPA) an individual dissatisfied with the response to his or her “subject access request” (or “SAR”) can effectively choose whether to enforce those rights via the courts, or via the UK regulator, the Information Commissioner’s Office (“ICO”).
However (perhaps inevitably, given that complaints to the ICO carry no costs implications for complainants), court judgments on SARs are still relatively unusual. The recent ruling of Mr Justice Baker in AB v Ministry of Justice ( EWHC 1847 (QB)) provides an interesting addition to the limited case law in this area, in particular on the issue of compensation for distress caused by the defendant’s failure to respond appropriately to an SAR.
Although the judgment leaves the precise facts of the case deliberately unclear (see further below) we know that AB was a solicitor seeking information from the Ministry of Justice (MOJ) under the DPA (as well as the Freedom of Information Act 2000) following his wife’s tragic death in 2007, and subsequent discussions with the MOJ about whether a full post-mortem would be required.
In summary, the judge concluded that the MOJ had wrongly withheld one piece of information, and failed to provide other information within the statutory time limits, awarding AB nominal damages of £1, and (most controversially) a sum of £2,250 in compensation for distress as a result of the MOJ’s breach of the DPA.
Compensation for distress
The most interesting element of this case is the award for compensation. Under s 13(2)(a) DPA, individuals are entitled to compensation for “distress” caused by a breach of the DPA only where “damage” is also suffered (recoverable under s 13(1)). For many years the courts have applied the rationale of Morland J at first instance in the landmark privacy case of Campbell v MGN  EWHC 499(QB): “In my judgment ‘damage’ in section 13(1) and 13(2)(a) means special or financial damage in contra-distinction to distress in the shape of injury to feelings“. That view has since been upheld by the Court of Appeal in Johnson v Medical Defence Union  EWCA Civ 262, although the narrowness of this interpretation was queried (without ruling) by the same court in another privacy case, Murray v Big Pictures (UK) Ltd  EWCA Civ 446.
This latest case does not challenge the longstanding position per se, in that the claimant was awarded a “nominal” sum of £1 under s13(1) in respect of his (unquantified) financial loss arising from time and expense in pursuing the disclosure of information. However, by this nominal award the judge was effectively able to “side-step” the requirement for financial damages, and award the more substantial sum of £2,250 in compensation for the claimant’s emotional distress.
A similar approach was taken by the Court of Appeal in Halliday v Creation Consumer Finance Ltd (2013) EWCA Civ 333 in respect of mistakes on a DPA claimant’s credit record, where again nominal damages for financial damages enabled the court to award compensation of £750 for emotional distress. In the event, the defence conceded the point in that case, leaving practitioners without a definitive Court of Appeal ruling. However, the judgment in AB suggests the courts will be willing to use a “nominal” award of damages to “bolt-on” more substantial compensation for distress, unless and until this approach is definitively ruled out by the higher courts.
“Substantial” is here used merely as a distinction from “nominal”: the awards made to date are still relatively low, much as the early breach of privacy awards were. But with the ICO unable to compensate a complainant financially (and having not so far chosen to issue any monetary penalties for breaches of the subject access right) the prospect of litigating under their statutory rights may start to attract claimants seeking damages to a DPA claim, in cases which might previously have followed a common law route.
Protecting the claimant’s identity
Although not making a formal reporting restriction, the judge in this case sought to protect the claimant’s Article 8 rights throughout and made an order pursuant to CPR 5.4C. Thus not only has the claimant’s identity (“AB”) been kept private, but also the contents of the materials disclosed under the SAR. Although more often the domain of privacy injunctions, this is by no means unprecedented in the realm of data protection – the CJEU ruling in Joined Cases C-141/12 and C/372/12 YS, M, and S v Minister voor Immigratie in December 2013, concerning three former asylum seekers, is another example.
The rationale for privacy in certain DPA cases (including this one, given the emotive circumstances) needs little explanation, even if regarding the facts of the case it makes for less useful precedents. However, if current trends result in DPA claims appearing alongside or even supplanting certain claims in privacy or breach of confidence, we can expect to see many more initials and acronyms appear in reported DPA cases – even if they have not yet entered the territory of the much-discussed (but rarely-seen) “super-injunction”.
Disproportionate effort: the obligation to respond to a wide-ranging SAR
In some previous case law the courts have on occasion been willing to reject “disproportionate” requests, or those which apparently attempt to circumvent standard disclosure (see for example, Ezsias v Welsh Ministers  All ER (D) 65, Elliot v Lloyds TSB Bank PLC  EW Misc 7 (CC) and Durant v Financial Services Authority  FSR 28) In contrast, in AB the obligation to respond to a wide-ranging SAR appears to have gone unchallenged: of the four purported SARs which were the subject of AB’s claim, it was only the final, widest one – “please send me a copy of all the information you hold about me” – which both parties could agree was indubitably valid (“sufficiently wide to have encompassed the disclosed material“, in the judge’s words).
It is perhaps also worth remembering that whilst ICO guidance has long supported the principle of unrestricted access (whatever the circumstances, and however broad the request) it is at pains to assure data controllers it will not use its enforcement powers to “require organisations to take unreasonable or disproportionate steps to comply with the law on subject access“ (Subject Access Request Code of Practice, p.54) This rather undermines the usual assumption that the courts are likely to be more sympathetic to an organisation facing a wide-ranging SAR, than the ICO might be.
However, courts are too steeped in the guiding principle of proportionality to disapply it lightly: from the Overriding Objective through to Part 44 (costs), it is written through the Civil Procedure Rules like words in a stick of rock. It is perhaps on the costs point where a claimant may suffer unwelcome consequences with regard to proportionality, if he or she chooses to go down the Queen’s Bench route instead of using the ICO procedure. Whilst a breach of statutory duty will give rise to a presumption of costs in favour of the claimant, that claimant should certainly consider any reasonable offer made by the defendant (whether before or after issuing) – especially where a wide-ranging SAR may result in a disproportionate amount of evidence before the court.
What is a reasonable timeframe for responding to a SAR?
The DPA itself is clear on the “prescribed period” to respond to a valid request (40 days), as is ICO guidance. In practice, however, this is treated by some organisations as a guideline, given the relative lack of serious ICO enforcement action in this area. Again, however, AB apparently takes a harder line: compensating the claimant specifically for emotional distress arising from the delay in responding to his request. This may be of concern to organisations sympathising with the MOJ, dealing as they may do with innumerable SARs bordering on the vexatious (there is no suggestion this applies to AB, although – duly considering his sad personal circumstances – there can be no doubt that he was a repeat requester).
However, it should be noted that the delay in this case was particularly protracted (being 17 months in respect of some information, and six years in relation to others). Moreover, as above, a court may consider proportionality in making a costs award, in terms of whether a claimant was reasonable or premature in deciding to issue on the back of a SAR which the defendant was in good faith actively seeking to fulfil, or with which they had already substantially complied.
What is “personal data”?
The application of this issue to the present case is largely hidden under the fog of confidentiality. But the court did consider one interesting point in respect of a “cover letter” sent on behalf of the Coroner, enclosing two other documents which clearly did constitute AB’s personal data. Although, read by itself, the cover letter did not identify the claimant, he argued that it still qualified as “personal data” under the s 1(1) DPA definition, because he could be identified from the letter together with its enclosures. This can be a surprisingly tricky practical point for organisations responding to SARs: where information about an individual has been widely circulated, must an organisation disclose the emails or letters passing it on, or merely the information itself?
In this case the judge decided that the “cover letter” did not constitute personal data about the claimant, because even if he was identifiable from it together with the enclosures, it did not “relate” to him (as also required by the s 1(1) DPA definition). However, he did acknowledge firstly the claimant’s separate right to know the recipients of personal data about him (under s 7(1)(b)(iii) DPA), and also that had the cover email contained, for example information which might affect the claimant’s treatment, his decision might have been different.
The impact of legal privilege
Another letter disclosed pursuant to the SAR gave rise to a ruling on the role of legal advice privilege. Two issues were discussed: one, where advice is sought of a legal professional by a client, who may be said to be the client? And two, when is privilege waived by disclosure to a third party?
On the first point, the judge distinguished the authoritative Court of Appeal ruling in Three Rivers (No.5)  EWCA Civ 474, where a separate corporate entity was not authorised to seek legal advice on behalf of the defendant. In AB, it was the head of a different department – and the judge held he was acting on the defendant’s behalf in seeking legal advice from another department’s in-house lawyer.
Where the defence in the present case stumbled was on the second point, since an annotated version of the document was shown to a non-legal third party on a separate occasion to the request for legal advice. This much was again determined on the balance of probabilities from the covering note.
At first glance, this case makes rather alarming reading, in some respects, for organisations who may have assumed (based on previous case law) that the courts would take a more pragmatic approach SARs than the ICO. In fact, this case may well have turned on its (unusual and largely obscured) facts: so it seems unlikely to signal a real change of direction on wide-ranging requests for example, or strict adherence to the 40-day time limit.
However, the approach to compensation for emotional distress is indeed an interesting development, and if widely followed could begin to have a real impact, not just on SAR cases, but on all claims made under the DPA, or in respect of breach of privacy generally.
This Article was originally published in World Data Protection Report and is reproduced with permission and thanks.