Data Subject Access Requests - the extent of the obligation

Data Subject Access Requests - the extent of the obligation

A recent decision in the County Court has given valuable guidance on the following issues:

  •     What is the obligation of a data controller (typically an employer) in receipt of a subject access request (SAR) served by an individual under section 7 of the Data Protection Act 1998 (DPA)?  
  •     Can a data controller refuse to comply with the SAR if it suspects that the request is being made as part of a “fishing expedition” for the purposes of litigation?


Section 7 of the DPA provides an individual with a right of access to personal data, entitling him or her to know whether a data controller is processing any personal data and relevant details.  The Court clarified the obligation as follows:

  •     A recipient of a SAR only needs to supply such personal data as is found after a reasonable and proportionate search.
  •     If it is suspected that the SAR was prompted by mixed motives, the correct approach is to apply a “but for” test, and ask whether the individual would still have served the SAR regardless of the prospect of litigation.  If so, the application will not be an abuse of process.


For more information on data protection issues, please contact Beverley Flynn on +44 (0)1483 734264 or email beverley.flynn@stevens-bolton.com or Andrew Quick on +44 (0)1483 734249 or email andrew.quick@stevens-bolton.com
 

Contact our experts for further advice

Search our site