March 27, 2017

The Court of Appeal’s judgment covers two separate appeals brought by two individuals against decisions not to order compliance with their subject access requests.

The first appeal brought by Mr Ittihadieh concerned a subject access request (SAR) he had made to the management company of the block of flats in which he lived as a result of a dispute he was involved in concerning the running of the building.

The second appeal was brought by Dr Cecile Deer against Oxford University in connection with two SARs that she had submitted whilst involved in various pieces of litigation with the university.

The judgment contains a useful summary of the law in relation to the meaning of “personal data” in the context of compliance with an SAR, reminding practitioners that just because a document contains “personal data”, for example the subject’s name, does not make the whole document “personal data”.

The judgment also provides a summary of the meaning of “data controller” according to case law, as well as a useful analysis of the meaning of the personal and household processing exemption. The court found that the exemption does not necessarily only apply to matters occurring inside the data controller’s own household. It rejected Mr Ittihadieh’s argument that to the extent that a resident in a block of flats communicated with his neighbours about matters of mutual concern or interest about the block, any personal data processed in that communication fell outside the scope of the exception.

As for SARs and their purpose, the court reminds practitioners that an SAR is not a request for documents, but for information. In addition, there is now a considerable body of domestic case law that recognises that it is no objection to an SAR that it is made in connection with actual or contemplated litigation and the recent decision in Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74 put the point “beyond doubt”.

The court also confirmed that on receipt of an SAR, a data controller must take “reasonable and proportionate steps to identify and disclose the data he is bound to disclose”.

Finally, in terms of the discretion the court can exercise under s 7(9), the Court of Appeal said that a balance needs to be struck between the prima facie right of the data subject to have access to his personal data on the one hand, and the interests of the data controller on the other. The court can take into account a wide range of factors. There is no exhaustive list, but it can include the nature and gravity of the breach and the reason for having made the SAR.

Applying the above, the Court of Appeal dismissed both appeals finding that the judges below had not erred and had been entitled to find as they did. (Alireza Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd [2017] EWCA Civ 121 (3 March 2017) — to read the judgment in full, click here.)