Financial institutions often receive a subject access request made under the Data Protection Act 1998 (“SAR”) from individual customers as a precursor to a formal complaint or a legal claim.
That is because a SAR enables the customer to access a significant amount of information held by the organisation about him or her. A customer can thereby access potentially sensitive information, effectively by way of advance disclosure and at minimal cost, which can then enable the customer to build a legal case against the institution.
SARs cannot be ignored and must be responded to promptly and in any event within 40 days of receipt.
In the recent case of Dawson-Damer v Taylor Wessing LLP, the Court of Appeal made three important points about SARs:
- A SAR will be valid and must be responded to even if a collateral purpose is to obtain information for the purposes of litigation.
- The exemption in the Data Protection Act 1998 (DPA) that allows data controllers to withhold material that is subject to legal professional privilege does not extend to other protected information, such as information that can be withheld under trust law principles.
- It is not necessary to supply personal data in response to a SAR if to do so would involve disproportionate effort (section 8(2) of the DPA). The Court said that assessing proportionality includes looking at the work needed to find the relevant personal data and then to produce copies.
The final point is likely to be welcomed by financial institutions facing broad and unreasonable SARs. But other aspects of the decision are not so helpful, and we may see an uptick in individuals using SARs in disputes, directing the SAR to both counterparties and their solicitors.