Last month, the Court of Appeal in the case of
Dawson-Damer v Taylor Wessing LLP (read the full
judgementhere) held that in
searching for information organisations, in
certain circumstances, could claim disproportionate effort when
dealing with Subject Access Requests (SAR). But why is this good
news for employers – please read on!
What is a SAR?
A SAR is a written request made by an individual under the Data
Protection Act 1998 (DPA) to access personal information that an
organisation holds about the individual.
SARs are becoming an increasingly popular tool for disgruntled
employees seeking to obtain documentation held by their employer or
ex-employer, usually in situations where there is a grievance,
dispute or dismissal.
Why was this case before the courts?
Mrs Dawson-Damer and her two adopted children are the
beneficiaries of various Bahamian trusts. Back in 2014, the
Dawson-Damers sought disclosure of personal data from the
solicitors (Taylor Wessing) acting on behalf of the trusts. The SAR
was made in connection with a dispute regarding the trusts which
was raised in the Supreme Court of the Bahamas.
Among other matters, Taylor Wessing asserted that they did not
need to provide the requested information because it was not
reasonable or proportionate to carry out a search for the
information and to assess what was covered by privilege and what
What did the Court of Appeal say?
The DPA allows organisations to refuse a SAR where the supply of
the information requested would involve "disproportionate
effort". The ICO's Subject Access Code of Practice
suggests that only the work in producing copies is
relevant in terms of this proportionality assessment.
However, the court found that when assessing whether responding
to a SAR would have a disproportionate effort, consideration should
be given to both:-
the work needed to supply
copies of the relevant information; and
the work needed to
search for the relevant information.
Why is case important for employers?
Whilst in this particular case, the Court of Appeal overturned
the High Court's earlier finding and found that in this case
complying with the request would not create disproportionate
effort, the ruling itself does appear to widen the scope of the
exception to include the work needed to search for relevant
information which could assist employers when dealing with
In passing its judgement, the court indicated that searches for
information should rarely be disproportionate as organisations
should be designing their systems and procedures in such a way that
assists them in responding to SARs (and certainly this should be
case as we near ever closer to GDPR implementation). Whilst noting
that in so far as possible a SAR should be enforced there is
perhaps greater scope to argue disproportionate effort in genuine
Look out for our upcoming blog which looks at why this case
is also detrimental to employers dealing with SARs.
The material contained in this article is of the nature of
general comment only and does not give advice on any particular
matter. Recipients should not act on the basis of the information
in this e-update without taking appropriate professional advice
upon their own particular circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
In light of the much anticipated ICO draft GDPR (the General Data Protection Regulation) Consent Guidance being published yesterday, 2 March 2017, we will be running a mini-series on the guidelines under consultation and the impact the GDPR will have on the much vexed position of consent and the impact on your business.
The first of our four discussions on the ICO guidelines for Consent will focus on the meaning of consent under the GDPR (General Data Protection Regulation) and how this change enhances the previous law on consent to data processing.
The fourth and final part of our mini-series on the draft ICO guidance on Consent, published on 2 March 2017, focuses on the practical impact the GDPR (General Data Protection Regulation) will have on how your organisation records and manages consent.
A fundamental aspect of all fair and lawful processing of personal data under the current data protection rules is the requirement for the party who is the data controller to meet one or more conditions ("the conditions for processing").
The second in our mini-series on the ICO guidance on Consent, published on 2 March 2017, focuses on how the changes to be introduced by the GDPR (General Data Protection Regulation) will impact upon your business and what you can do to pre-empt the changes before their introduction in May 2018.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).