The coming into force of the General Data Protection Regulation (GDPR – now the UK GDPR) did not revolutionise data protection and the management of data nor preserve personal information to quite the extent that commentators had predicted it would. That is not to say that it was not effective in persuading many businesses that data protection had to be taken more seriously, and the vast majority certainly took steps to ensure that procedures and processes were put in place to address some, if not all, of the requirements of the regulation.
What the GDPR undoubtedly did do, however, was to raise awareness of data protection and to provide those who were, rightly or wrongly, unhappy with a service provider, organisation or business with a means to be, for want of a better word, difficult.
Many who are subject to data protection regulations and legislation have a fear of not doing the right thing – a fear that is no doubt exacerbated by the ever-looming threat of a major fine. The reality of the position, however, is that in many cases data protection laws are, and are interpreted to be, far more reasonable than might have been expected. Here we look at just two examples of how data protection takes a common sense approach to the regulations, namely:
- how data subject access requests can be dealt with and acted upon, and
- how the High Court responded with admirable pragmatism in relation to a claim arising from an alleged data breach.
The “aggressive” data subject access request
One area in which many businesses have seen an increase in data protection activity is in relation to data subject access requests (DSAR), which give individuals the right to ask that the holder of their personal data provide them with details of what data is held. The requirement is that this takes place within one month of receipt of the request. The problem with the DSARs, however, is that they are not only used as a tool whereby those with concerns can legitimately find out who is using their data. They are also used tactically, either to cause trouble to an organisation by requiring them to spend time finding and communicating details of the data they hold, or in connection with the litigation process – either to cause problems or to elicit information that would not otherwise have been forthcoming.
With many businesses already struggling to comply with their data compliance obligations, this only serves to increase the pressure upon them and, in the case of smaller organisation such as small law firms who may lack the resources to manage data effectively, it can prove to be the straw that breaks the camel’s back. Many are too afraid of the penalties that can be imposed for not providing information to actually take a step back and ask whether they actually have a duty to supply the information and the extent to which the information is disclosable or needs to be disclosed.
ICO Guidance
The ICO has, since the GDPR was first introduced, published revised guidance on many areas of GDPR interpretation of which not everyone is aware, and which expands upon data protection requirements. One area of guidance which is particularly useful relates to the DSAR, and in particular where the holder of the data believes that the DSAR is being used for unfounded or excessive purposes.
Back in December 2019, the ICO carried out a consultation in which they discovered that there were three key areas where businesses and organisations were experiencing problems. These were in relation to:
- Stopping the clock for clarification – many who responded stated that they often didn’t have enough time to respond. As a result, the position of the ICO now is that, in certain circumstances, the clock can be stopped – for example whilst the organisation is waiting for the data subject to clarify their request.
- What is a manifestly excessive request – to combat confusion over when to class a request as manifestly excessive, the ICO have provided additional guidance to clarify and broaden the definition.
- What can be included when charging a fee for excessive, unfounded or repeat requests – the ICO have taken the feedback on board about the fee for staff time involved in responding to manifestly unfounded or excessive requests, or responding to follow-up DSARs, and have updated what organisations can take into account when charging an administration fee.
The detailed guidance can be found on the ICO website at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/right-of-access/ .
Stopping the Clock for Clarification
The default position currently taken by the UK GDPR is that an individual whose data is being processed has the right to obtain from the controller of that data
- confirmation that they are processing the personal data,
- a copy of that personal data and
- other supplementary information.
This is what is referred to as a data subject access request (DSAR) and the data controller needs to respond to the request (subject to certain exceptions) within one month of the request being received. The exceptions set out in the UK GDPR are when the request is complex, or the data controller has received a number of requests from the individual whose data is the subject of the request. The ICO guidance referred to above provides details of what is considered to be a complex request.
However, in addition to being able to extend the period, guidance from the ICO now indicates that the one-month time limit may in certain circumstances be paused. This might apply where, for example:
- the data controller needs to clarify elements of the request with the data subject making that request,
- the data controller needs to verify the identity of the person making the request, or
- the data controller is entitled to raise a fee and the fee has yet to be paid.
So far as clarification is concerned, the approach that the ICO takes is that if the data controller processes a large amount of information about the data subject, then they can ask the data subject to be more specific as to what they require. Until that clarification is received, the clock can, effectively, be “stopped” so that the month for responding will not continue to run and the information supply will be put on hold. Whether the information is a “large amount” is to a degree a subjective test based upon the size of the data controller organisation and the resources available to deal with the request. Thus, the volume of information held may be less of an issue for a big organisation with significant dedicated resources than it would be to a smaller organisation with fewer and less sophisticated resources at its disposal.
Clarification should not be sought in every case – only where it is genuinely required to respond to the DSAR and a large amount of information about the individual making the request is processed. In other words, the data controller must be satisfied that it holds a large amount of information, and that it is not clear what information the individual is requesting.
The stop the clock approach was previously approved of by the ICO under the Data Protection Act 1998 and its re-introduction under the UK GDPR regime will be welcomed by many. However, stopping the clock must not be abused and must not be used simply as a delaying tactic. Data controllers must, therefore, make every effort to contact the data subject as quickly as possible, keep records of communications with data subjects about the scope of their request, explain to the data subject why further details are being sought, be able to justify their position to the ICO, if required to do so and not close the DSAR file too quickly if the data subject does not respond immediately to the request. The ICO take the view that at least a month should be allowed to elapse from the date upon which the further information was requested or even longer if the data controller genuinely believes that the data subject might be experiencing difficulties in providing the clarification.
In addition, if some information can be provided without clarification, then that should be provided, and the clarification limited only to that which is in doubt.
Further, on the topic of time scales, do bear in mind that the data controller may need to make reasonable adjustments for those with a disability. Some data subjects may experience communication difficulties and may therefore have difficulty making a DSAR. If that is the case, then the data controller has a legal duty to make reasonable adjustments and if the request is not straightforward or clear the data controller should ensure that any clarification sought (and indeed any information that may subsequently be provided) is in an accessible format which will depend on the specific needs of the individual. Thus, the data controller should take steps to find out how it can best meet the needs of the data subject – for example with the use of large print, audio formats, email or Braille.
A final point to mention in this section is that of entitlement to the information. All data controllers must be alert to whether the person making the DSAR is actually entitled to do so, and the clock can be stopped until such time as that confirmation is received. Again, the data controller must be reasonable in how it goes about proving to itself that the person is entitled to the information and should not simply have blanket policies to make all data subjects jump through identity hoops when it is clear that they are who they say they are. However, and from the perspective of a law firm this is a vital point, data controllers must make sure that in seeking identity confirmation they do not inadvertently breach the confidence of the person whose data they hold. In other words, simply acknowledging that they hold data may in itself be a breach of confidentiality if the person to whom they make that acknowledgement is not the data subject. It might simply have been a fishing exercise to find out who, if anyone, is representing a party. Infolegal subscribers have access to a number of precedents which will allow them to make enquiry in such a way as not to fall foul of this requirement.
Manifestly excessive requests
As we have already mentioned, it is not unusual for data controllers to receive requests which are intentionally excessive, for example those designed to inconvenience or which are being used a as a “tactic” in relation to some other dispute – for example court proceedings. This may be where the request is in effect a fishing exercise to obtain documents or information or to put pressure on the data controller or their representatives (e.g. a law firm) to divert resources away from the main issues.
At the outset it is worth pointing out that the reason behind a DSAR is not, of itself, relevant in deciding whether a data controller has a duty to respond to it. Thus, for example, simply because the purpose of the request was related to obtaining data for litigation does not of itself make the request unreasonable. This was decided in 2017 by the Court of Appeal in the case of Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74 .
The guidance from the ICO continues to be that the purpose behind the request is irrelevant provided that the person making the request is entitled to the information. Thus purpose is different from excessive or unfounded.
So, that being the case, what is meant by manifestly unfounded or manifestly excessive?
The ICO take the view that a request may be manifestly unfounded if “the individual has no clear intention to access the information or is malicious in intent and is using the request to harass an organisation with no real purposes other than to cause disruption”.
It goes on to clarify this by stating that factors that may indicate malicious intent include:
- the person making the request has explicitly stated, in the request itself or in other communications, that they intend to cause disruption;
- the request makes unsubstantiated accusations against the data controller or its employees;
- the person making the request is targeting a particular employee against whom they have some personal grudge; or
- the person making the request systematically or frequently sends different requests as part of a campaign with the intention of causing disruption, e.g. once a week.
Data controllers must not only not have a blanket policy as to how they deal with such requests but also should not use these factors as a simple tick list. Each request must be considered within the context in which it is made, and the onus is upon the data controller to be able to demonstrate that it is manifestly unfounded. The key word here is “manifestly”. It must be obvious or clear that the request is unfounded as opposed to one in which the data subject genuinely wants to exercise their rights – they just happen to have taken an aggressive stance in doing so. The tone of the request does not in itself make the request unfounded.
Another example of what an unfounded request might be is one where the data subject has no actual interest in the information – they are simply making the request so that they can offer to withdraw it in such a way as to gain a benefit from the organisation.
So far as excessive requests are concerned, the ICO considers that a request may be excessive if it is clearly or obviously unreasonable and if it, in particular:
- repeats the substance of previous requests and a reasonable interval has not elapsed; or
- overlaps with other requests.
There is still a duty upon the data controller to comply with a request where possible it is to do so and requests should not be regarded as excessive simply because a large amount of information has been requested, even if the data controller finds that responding to it is a burden. It is always open to the data controller to ask the data subject for more information to help them locate that element of the information that is relevant.
Likewise, just because the request deals with information that has been previously requested does not of itself make the request excessive. The data subject might want to check whether the data held has changed or the data controller might not have supplied all of the information that that the data subject requested. The data subject may even want to receive another copy of information they have requested previously. However, in this latter situation a reasonable fee can be charged for the administrative costs of providing this information – which is the preferred option rather than simply classifying it an an excessive request. The time that has elapsed since the request was last made may also be a factor to be borne in mind. This might, for example, depend upon how often the data is updated.
A repeat request may also not be excessive if a reasonable amount of time has passed since the last request. Factors that may be relevant here include:
- the nature of the data;
- the purposes of the processing;
- how often the data is altered; and
- the importance of the data to the data subject.
Another factor to be borne in mind is that of the ability of the data controller to deal with the request. This involves balancing the burden or costs in dealing with the request with the importance to the data subject of the information. Factors to take account of might include:
- the nature of the information asked for;
- the context of the request;
- the nature of the relationship between the data controller and the data subject;
- the extent to which refusal could lead to damage or injury to the individual;
- the extent to which the request repeats or overlaps with other requests.
Fees for excessive requests
The ICO takes the view that in most cases, a fee cannot be charged for complying with a DSAR. However, a ’reasonable fee’ for the administrative costs of complying with a request may be made if:
- it is manifestly unfounded or excessive; or
- an individual requests further copies of their data following a request.
In deciding this, the data controller can take account of the administrative costs of:
- assessing whether or not the data controller will process the information;
- locating, retrieving and extracting the information;
- providing a copy of the information; and
- communicating the response to the data subject.
The fee charged must be reasonable and there should not be a separate charge for the process of locating, retrieving and extracting information where that can be performed in one action.
A reasonable fee may include the costs of:
- photocopying, printing, postage and any other costs involved in transferring the information to the individual (eg the costs of making the information available remotely on an online platform);
- equipment and supplies (eg discs, envelopes or USB devices); and
- staff time.
When requesting a fee, data controllers should explain the costs to the data subject and inform them of the criteria used to calculate the charge.
Other factors to bear in mind
Complex requests – aside from stopping the clock referred to above, a data controllers can extend the DSAR response time by a further two months where the request is complex or where a number of requests have been received from the same data subject. In these circumstances the data controller must inform the data subject within one month of receipt of the request as to why the extra time is needed.
Individuals only entitled to their own personal data – as mentioned above under the issue of confidentiality, a data subject is only entitled to their own personal data and not that relating to other people, unless:
- their data also relates to other individuals; or
- they are exercising another individual’s right of access on their behalf;
and only then if certain criteria are satisfied.
Rolfe & Ors v Veale Wasbrough Vizards LLP
Finally in this article on data protection we come to the decision in the case of Rolfe & Ors v Veale Wasbrough Vizards LLP [2021] EWHC 2809 (QB) which was decided in September 2021.
The case involved a distress-only damages claims brought by the claimant under Article 82 of the UK GDPR which provides, at paragraph 1 that:
“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”.
In this claim, the claimant alleged that worry and upset had been caused as a result of the breach but failed to provide accompanying evidence of financial loss or medical evidence.
The claim involved a law firm (Veale Wasbrough Vizards LLP) that had inadvertently sent the details of the claimants’ address and some financial data to a third party as a result of a typo in an email address. The recipient of the incorrectly sent information had immediately informed the law firm that they were not the intended recipient and had deleted the email.
The claimants sought damages for distress under Article 82(1) GDPR (now the UK GDPR), Section 169(1) Data Protection Act 2018 and for breach of confidence, misuse of confidential information and negligence.
The claimants stated that they had suffered distress as a result of the breach, including losing sleep worrying and being made to feel ill from the “fear of the unknown” as a consequences of the breach.
Veale Wasbrough Vizards applied for summary judgment based on the fact that the there could not have more than a de minimis level of suffering experienced by the claimants.
The court found in favour of the defendant. Master McCloud held that “There is no credible case that distress or damage over a de minimis threshold will be proved. In the modern world it is not appropriate for a party to claim, (especially in the in the High Court) for breaches of this sort which are, frankly, trivial. The case law … provides ample authority that whatever cause of action is relied on the law will not supply a remedy in cases where effectively no harm has credibly been shown or be likely to be shown”.
From a data protection perspective (if not necessarily from the perspective of the SRA Standards and Regulations) this case provides welcome clarity for those who fear claims being made against them as a result of what are in effect minor breaches. It may also mark the beginning of a useful test in such cases – namely the “ordinary fortitude test”. Master McCloud commented:
“What harm has been done, arguably? We have here a case of minimally significant information, nothing especially personal such as bank details or medical matters, a very rapid set of steps to ask the incorrect recipient to delete it (which she confirmed) and no evidence of further transmission or any consequent misuse (and it would be hard to imagine what significant misuse could result, given the minimally private nature of the data). We have a plainly exaggerated claim for time spent by the Claimants dealing with the case and a frankly inherently implausible suggestion that the minimal breach caused significant distress and worry or even made them ‘feel ill’. In my judgment no person of ordinary fortitude would reasonably suffer the distress claimed arising in these circumstances in the 21st Century, in a case where a single breach was quickly remedied”.