A decision by the Data Protection Commissioner ordering Dublin Bus to release CCTV footage to an individual who was simultaneously undertaking a personal injuries action against Dublin Bus (arising from an alleged fall on a bus whilst a passenger) has been recently upheld by the High Court.
Dublin Bus appealed against an earlier order of the Circuit Court that it provide the CCTV footage to the applicant, requesting that the High Court find that the existence of legal proceedings between a requester seeking data and the relevant data controller bars the requester from making an access request under applicable data protection legislation.
In dismissing Dublin Bus's claim, Mr Justice Hedigan found that the existence of proceedings between a data requester and the data controller does not preclude the data requester making an access request under Section 4 of the Data Protection Acts 1988 and 2003 (the "Acts"), and nor does it justify the data controller refusing the request. In reaching this decision Justice Hedigan also noted that in effect "the appellant is seeking to carve out a new exception in the Acts, to the effect that whenever a data requester has instituted litigation against a data controller he or she is precluded from making a data access request under the Acts".
Both the Commissioner (in January 2011) and Judge Linnane in the Dublin Circuit Court (in July 2011) had previously found in favour of the requester.
Subject Access Requests
The subject access request (SAR) is a process under the Acts allowing individuals with the right to access any of their personal data held by third parties on payment of a fee, provided their request meets certain procedural requirements. Under Section 3 of the Acts, a requester has a right to find out, free of charge, if a person (an individual or an organisation) holds information about them. They also have a right to be given a description of the information and to be told the purpose(s) for holding their information. Under Section 4 of the Acts, a requester can obtain a copy of their personal data, whether held electronically or on paper, as photographs or as CCTV images. The applicant is also entitled to know where the information was obtained, how it has been used and if it has been disclosed to another party. The access request was rejected by Dublin Bus, on the grounds that any such information was prepared in anticipation of potential litigation, and as such was privileged. While an exemption exists under the Acts for the withholding from release of data which would be subject to legal professional privilege in court (Section 5(1)(g)) this was found not to be applicable in this case.
The concept that individuals should have a right to access data held about them has been core to data protection legislation for some time now. However this High Court ruling is an interesting decision for a number of reasons. Firstly SARs are now a common tool employed by litigants, notably in advance of any formal discovery orders or were actions are being taken in tribunals or forums which do not have formal discovery mechanisms. Secondly answering such SARs can be both time consuming and risky (in terms of exposure by disclosure of damaging/damning material). Given that many data controllers view SARs as effectively pre-discovery "fishing expeditions", it is unsurprising to learn that question has previously arisen as to whether such requests can be refused, e.g. on the basis that Section 4 of the Acts compels an organisations to reveal documentation during litigation but outside of the rules of court discovery.
When considered by the Courts in the UK this has led to some predictable, albeit controversial decisions, most notably, in Durant v Financial Services Authority (a case discussed in the High Court's Dublin Bus decision) wherein the UK's Court of Appeal found that data controllers may be justified in refusing to comply with a access request in circumstances where the requester has initiated legal proceedings. A similar issue was recently considered in a UK County Court decision, Elliott v Lloyds TSB Bank, wherein that Court found that if the actual purpose behind the SAR is to obtain data which might assist the requester in a claim against a third party, this could be an improper use of this access right (and consequently there may be no obligation to comply with such a SAR), although the Court also found that where the motives are "mixed" the position is not so clear-cut (with a request then being less likely to be an abuse of process and to be struck out).
In any event the Dublin Bus case suggests the Irish courts are reluctant to follow the UK precedents. With the forthcoming reform of European data protection law it is possible that the position may change. The introduction of a European Regulation (without local transposing law) is likely to result in increased uniformity of data protection law across the EU. In its current form Article 15 of the draft Regulation on data protection suggests it will be for the European Commission to dictate how SARs will work in practice.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.