Employment alert

30 April 2019

 
 

(Data subject) access all areas

 
 

Current or former employees often make data subject access requests (SARs) where there is a grievance, or when litigation looms. Post-GDPR, significant penalties potentially apply for non-compliance with SARs, and the civil courts can make orders for compliance and award damages, including for distress. The High Court case of Rudd v Bridle & J&S Bridle Ltd focuses on SAR compliance. Although the relevant law was the pre-GDPR Data Protection Act 1998, the key principles remain relevant in the post-GDPR world.

Rudd, an expert in asbestos-related illness, submitted a SAR to Bridle, an asbestos campaigner who had reported Rudd to the General Medical Council. Bridle disclosed little data, arguing that much was exempt from disclosure because of legal privilege, or statutory exemptions for journalism and regulatory authorities.

Rudd brought court proceedings, seeking disclosure of data, and damages for distress. The court considered a number of important points:

  • campaigning is not 'journalism'; furthermore, the defence did not show that the statutory test for this exemption was properly made out. Similarly, the regulatory exemption 'belongs' to the regulator, not someone communicating with them. All this data was disclosable
  • litigation privilege needs to be scrutinized and argued carefully: this data was disclosable
  • details of recipients of personal data must be given in a SAR response, but this may not extend to identifying individuals: descriptions of categories of recipients may suffice
  • however, actual sources of the data should be disclosed, subject to third-party data rights
  • there is no obligation to disclose more information beyond personal data, to give context
  • describing the purposes of processing the data need not be done on a document-by-document basis.

There are two key takeaways for employers:

  • if relying on an exemption from disclosure under a SAR, you need to explain why the exemption applies, in detail, by reference to the legislation
  • remember that in responding to a SAR, there is additional information to be given, such as the recipients and sources of the data.

 

 
 
 
