The purpose of an individual’s right to access a copy of their personal data via Article 15 of the UK General Data Protection Regulation (GDPR) is an often overlooked consideration when data controllers are working to comply with a Data Subject Access Request (DSAR). As set out in Recital 63 to the GDPR, the right exists and should be exercised by the data subject “in order to be aware of, and verify, the lawfulness of the processing” of their personal data.
The impact of this recital is significant for data controllers seeking to respond to a DSAR. At its most basic level, requestors do not need to be routinely provided with copies of data such as emails and messages to which they were a party, or documents which the data controller knows have previously and sufficiently recently been provided. In such instances, the individual is already aware of that data and its processing.
At the deeper level, the recital is relevant when considering what the data subject is trying to achieve.
As many data controllers will be aware, the right of access to data is often invoked by disgruntled individuals seeking to obtain evidence which they believe will enable them to pursue a grievance, complaint, or legal claim. It is now standard practice for a litigant, or their lawyers, to lodge a DSAR at the pre-action stage in an attempt to circumvent the impact of pre-action disclosure rules that only allow for limited and targeted sharing of documentation.
Requestors often mistakenly believe that under the right of access to data they are entitled to obtain copies of original documents. They also misunderstand the scope of the right – which is limited to an individual’s own data (not that of third parties) and does not include material covered by multiple exemptions which are set out in the Data Protection Act 2018 (DPA 2018). There is no need to supply entire documents or even redacted ones – extraction of the relevant personal data suffices provided it is understandable. When those requestors do not obtain the disclosure they seek, a complaint to the Information Commissioner and allegations that the data controller has breached the data protection rights of the requestor soon follow.
There is limited judicial comment in this area, but a notable contribution was made by Mrs Justice Farbey in X v. The Transcription Agency and Master Jennifer James [2023] EWHC 1092 (KB), in a case concerning a refusal to make disclosure in response to a DSAR where the requested data was exempt. Mrs Justice Farbey stated that the right of access “has a specific and limited purpose, which is to enable a person to check whether a data controller's processing of his or her "personal data" unlawfully infringes privacy rights and, if so, to take such steps as the DPA 2018 provides … It is impermissible to deploy the machinery of the Act as a proxy for the wider purpose of obtaining documents with a view to litigation or further investigation.” [emphasis added]
Data controllers should keep these comments in mind when processing DSARs. Pre-action disclosure and DSARs are entirely separate and must be treated as such to minimise risk and avoid exacerbating what may be an already difficult situation.
To find out more about DSARs you can catch up with our recent webinar series here.
Our content explained
Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.