Current or former employees often make data subject access requests (SARs) where there is a grievance, or when litigation looms. Post-GDPR, significant penalties potentially apply for non-compliance with SARs, and the civil courts can make orders for compliance and award damages, including for distress. The High Court case of Rudd v Bridle & J&S Bridle Ltd focuses on SAR compliance. Although the relevant law was the pre-GDPR Data Protection Act 1998, the key principles remain relevant in the post-GDPR world.
Rudd, an expert in asbestos-related illness, submitted a SAR to Bridle, an asbestos campaigner who had reported Rudd to the General Medical Council. Bridle disclosed little data, arguing that much was exempt from disclosure because of legal privilege, or statutory exemptions for journalism and regulatory authorities.
Rudd brought court proceedings, seeking disclosure of data, and damages for distress. The court considered a number of important points:
campaigning is not 'journalism'; furthermore, the defence did not show that the statutory test for this exemption was properly made out. Similarly, the regulatory exemption 'belongs' to the regulator, not someone communicating with them. All this data was disclosable
litigation privilege needs to be scrutinized and argued carefully: this data was disclosable
details of recipients of personal data must be given in a SAR response, but this may not extend to identifying individuals: descriptions of categories of recipients may suffice
however, actual sources of the data should be disclosed, subject to third-party data rights
there is no obligation to disclose more information beyond personal data, to give context
describing the purposes of processing the data need not be done on a document-by-document basis.
There are two key takeaways for employers:
if relying on an exemption from disclosure under a SAR, you need to explain why the exemption applies, in detail, by reference to the legislation
remember that in responding to a SAR, there is additional information to be given, such as the recipients and sources of the data.