Out-Law News 5 min. read

Business backed in withholding data in subject access request response


A court has rejected a bid by a prominent UK businessman to force a gardening company he engaged with to disclose the identity of people given access to recordings of conversations he had with the gardening company’s owner.

Data protection law experts Malcolm Dowden and Stephanie Lees of Pinsent Masons said the ruling by the High Court in London is a useful authority on various issues under UK data protection laws, in particular on the application of the third-party data exemption, which entitles organisations to withhold certain information when handling data subject access requests.

Individuals have a general right, under UK data protection law, to access information from organisations about the personal data they hold about them and pertaining to the processing of their personal data.

According to the court, Mark Harrison, chief executive of real estate investment company Praxis Group Ltd, was covertly recorded making threats to Alasdair Cameron in two telephone conversations in May 2022. Cameron, owner of gardening business Alasdair Cameron Ltd (ACL), shared the recordings with 12 different people, including employees of his company, family members, and friends. The recordings were subsequently passed on to three other people.

Harrison has claimed that the recordings have been shared more widely with professional peers and competitors, causing Praxis to lose out on the acquisition of a shopping centre – a deal he claims caused him financial loss in excess of £10 million.

Harrison submitted a ‘subject access request’ to Cameron in his personal capacity, seeking the disclosure of the names of the recipients of the recordings. He sent similar subject access requests to other individuals too, including employees of ACL.

While Harrison has not made any claim for compensation or damages against Cameron, he did ask the High Court to make an order against both Cameron and ACL, to force disclosure of the names of the 15 people that have been identified as having obtained a copy of the recordings. The court dismissed his application.

An initial issue the court had to unpick before it considered the substance of Harrison’s application was whether Harrison’s subject access request was made to Alasdair Cameron in his personal capacity or Alasdair Cameron in his capacity as director of ACL – and whether in either case this made Cameron himself a ‘controller’ of Harrison’s data for the purposes of UK data protection law.

The processing of personal data in the course of a purely personal or household activity falls outside the scope of UK data protection laws. Mrs Justice Steyn DBE considered that the “personal or household” processing exemption did not apply in this case since Cameron had made the recordings in the context of his business and in his capacity as director of ACL. Therefore, it was ACL that was the controller, as opposed to Cameron.

The judge also considered that Cameron was not acting as a “rogue” director, outside the scope of his directorship, and so was not himself fixed with the responsibility of a controller, and that he had no responsibility in his individual capacity to respond to Harrison’s subject access request. The claim against Cameron in his personal capacity was therefore dismissed.

The judge then had to consider whether ACL had met its obligations under UK data protection law in respect of its handling of Harrison’s subject access request, by failing to provide Harrison with a list of all specific recipients with whom the recordings had been shared.

Article 15(1)(c) UK GDPR entitles data subjects to receive information about the recipients, or categories of recipient, with whom their personal data has been shared, except where the request is manifestly unfounded or excessive.

On this issue, case law developed by the Court of Justice of the EU (CJEU), known as the Austrian Post case, was considered. In that case, the court found that data subjects are entitled to choose whether to access information as to specific identities of recipients, or categories of recipients.

The judge said the CJEU’s interpretation of the requirements of Article 15(1)(c) of the EU General Data Protection Regulation (EU GDPR) was correct and consistent with requirements arising under the UK GDPR.

According to the judge, this means that, in general, a data subject’s rights in the UK include the right to be informed of the specific recipients of their personal data – including the names of individuals who have received personal data relating to the requestor. The data subject is also entitled to information allowing them to check and establish that their personal data is being processed in accordance with the law. Because of this, the starting point in this case was that ACL should disclose the names of those individuals who received the call recordings.

However, the judge said that ACL was entitled to rely on an exemption to the disclosure obligations, known as the “third party data” exemption. This exemption is contained in Schedule 2, paragraph 16, of the UK’s Data Protection Act (DPA) 2018 and applies where a subject access request response would involve disclosing personal data relating to another individual, to the requestor. The exemption does not apply if the other individuals have consented to disclosure, or if it is reasonable to disclose the information to the data subject, without the consent of the other individual.

To decide whether it is “reasonable” to disclose third party data, the judge found that it was necessary to apply a balancing test and consider the provisions specified in the DPA, such as the type of information, any duty of confidentiality and refusal of consent by the individuals concerned.

Citing lead authorities on the third-party data exemption under the old DPA 1998 – the cases of DB v GMC and Durant – the judge acknowledged that the controller is the “primary decision maker” in assessing reasonableness and has a “wide margin of discretion” to do so.

The judge said that that right should be given effect where possible and that there is no blanket rule that the names of individual recipients can be withheld in a subject access request response.

However, in this case, the judge determined that it was clear that none of the 15 recipients of the recordings had consented to their names being disclosed to Harrison, in part because of concerns that they would be exposed to abusive and threatening behaviour, given Harrison’s conduct captured in the call recordings.

Given those safety concerns, the judge found it would not be “reasonable to disclose the information to the data subject without the consent of the other individual”. It was therefore permissible for ACL, in those circumstances, to withhold the names of individual recipients of the call recordings in this case.

Dowden said: “The outcome in this case is not surprising, but the ruling provides a useful run through of some important issues other businesses may have to consider in their handling of subject access requests – including around identifying who the controller is, and the interaction between the disclosure obligations pertaining to subject access requests that arise under Article 15 of the UK GDPR and the exemption to disclosure under Schedule 2, paragraph 16, of the DPA 2018.”

Lees said: “The case is a helpful authority, as previous leading cases on the third-party exemption largely fall under the old DPA 1998 regime. The case is welcome in reiterating that a controller is best placed to decide whether it is reasonable to withhold third-party information. However, the court’s agreement with the Austrian Post case is more concerning. Organisations may struggle to comply with a data subject’s demands to know each specific recipient their data has been shared with. Accordingly, controllers should ensure their records of processing and data inventories are regularly updated, so they can provide this information upon request.”
