The Court has clarified the requirements in respect of complying with data subject access requests under the Data Protection Act 1998.
In the case of Holyoake v Candy and CPC Group Limited, the claimant alleged that the defendants had not carried out adequate searches in relation to his subject access requests, listing amongst the defendants’ alleged shortcomings the failure to search directors’ personal email accounts. The claimant also questioned the validity of the first defendant’s contention that legal professional privilege (LPP) applied to some of the data and that such data was therefore exempt from disclosure.
The defendants had originally refused to comply with the claimant’s subject access request on the basis that they did not consider it to have been made for a reason conforming with the purpose of the Data Protection Act and that in any event it would be disproportionate to carry out the extensive searches required. The defendants also asserted that some of the data would be obtained by Mr Holyoake in the litigation which Mr Holyoake and Hotblack Holdings Limited had brought against Mr Candy, CPC Group Limited and three of CPC’s directors. The defendants subsequently disclosed a limited number of documents in response to a narrowed version of the claimant’s original subject access request.
The judge held that a data controller’s obligation to carry out a search is to be limited to what is proportionate and reasonable. He rejected the claimant’s allegation that the search was not proportionate because searches were limited, except in the case of the first defendant, Mr Candy, to corporate email accounts and not personal ones. Whilst a company director who has used a personal email account for corporate business may owe the company a duty to allow access to that account, the company is not obliged to ask directors whether they have used their personal email accounts for business purposes unless there is some sufficient reason to do so. The judge held that, as the defendants’ searches were reasonable and proportionate, there was no basis on which to require the defendants to carry out further searches, as the claimant had wished.
The judge also upheld Mr Candy’s reliance on the LPP exemption. Mr Holyoake had suggested this exemption should not apply, either because any surveillance of him by the defendants was tainted by criminal conduct and/or because these activities resulted in an unjustified interference with his fundamental right to privacy. The judge held that a speculative case that documents may involve or evidence “iniquity” (which the courts define for these purposes as including criminal conduct) is insufficient to displace legal professional privilege. The test is whether there is a “strong prima facie case” of iniquity and this was not held to be the case here. The judge also declined Mr Holyoake’s request that he read the material filed by Mr Candy to consider whether the exemption claimed ought to apply, stating that the Court would review documents covered by legal professional privilege “only as a last resort”.
The defendants’ arguments that much of the data sought by Mr Holyoake would be disclosed in litigation proceedings, within the protection of CPR 31, is particularly timely given the pending judgments from the Court of Appeal on the question of whether it is an abuse to seek to use a subject access request in order to facilitate disclosure in other legal proceedings.