The old Data Protection Act 1998 gave Data Subjects a right to see not only their personal data held on computer but also personal data held in paper records that formed part of a “relevant filing system”. A recent case, albeit under the DPA 1998, has an impact on the way Data Controllers deal with subject access requests under the GDPR.
The question of what constitutes a “relevant filing system” under the DPA 1998 has always been a vexed one, particularly since the 2003 Court of Appeal ruling in Durant v Financial Services Authority. The Court of Appeal’s interpretation of this term has been criticised in various quarters for being too restrictive and particularly for focussing on the burdens and costs imposed on Data Controllers rather than the rights of the data subjects. Therefore the recent decision by the High Court in Dawson-Damer v Taylor Wessing LLP may be welcomed by those who believe a more ‘rights-based’ approach is appropriate.
The case involved subject access requests made by Mrs Dawson-Damer and her two children to Taylor Wessing LLP (an English law firm). In short, the firm did not act for the Data Subjects, but it did hold personal data about them in a series of trust files in which they were potential beneficiaries. Taylor Wessing refused to provide their personal data, and this resulted in protracted litigation. One of the key questions that the High Court had to address was whether the Trust files constituted a “relevant filing system” for the purposes of the DPA 1998. The Court also considered whether the law firm could rely on S. 8 of the DPA 1998 which removes the obligation on a Data Controller to provide a copy of the personal data where it would involve disproportionate effort.
For further details of the Dawson-Damer request and the litigation that followed see our more detailed case note.
The definition of relevant filing system under DPA 1998
Readers familiar with the DPA 1998 will recall that it defined:
- Data as data processed or intended to be processed by equipment operating automatically and ‘manual’ data recorded as part of a ‘relevant filing system’.
- Personal data as ‘data’ which relate to a living individual who can be identified from those data, or from those data and other information, which is in the possession of, or is likely to come into the possession of, the Data Controller.
In Durant, the Court of Appeal interpreted the concept of a ‘relevant filing system’ as a system of files in which the files forming part of it are:
- Structured or referenced in such a way as clearly to indicate at the outset of a search whether the personal information of a person requesting the information is held within the system, and if so in which file or files it is held.
- The structuring or referencing mechanism of the filing system had to be sufficiently sophisticated and detailed to indicate whether and where the requestor’s information could be located.
The key feature of this interpretation is the focus on the way in which the system is structured by reference to individuals and the ease with which specific information could be accessed. Personal data held in an unstructured manual filing system did not fall within the scope of the DPA 2018 (although there was an amendment for such data held by public authorities subject to FOI).
The Trust Files: Do they form part of a relevant filing system?
The case concerned a series of paper files that were held by Taylor Wessing prior to 2005, when it moved over to an electronic filing system. The manual files were labelled by reference to the law firm’s clients or the respective Trusts and they contained correspondence and advice that was arranged chronologically. Taylor Wessing argued that the only way it could determine if the files contained the personal data of the requestors was to go through each file page by page and therefore any personal data was not easily accessible. On this basis the law firm argued that the files did not form part of a “relevant filing system” as interpreted by the Court of Appeal in Durant. The requestors argued that the files did form part of a relevant filing system and that the law firm had failed to carry out a reasonable and proportionate search of them.
The 2019 High Court decision
The High Court decided that in the light of recent domestic and European case law the decision in Durant was too restrictive and the requirements of a relevant filing system are that:
- (a) The data must be structured by reference to specific criteria; and
- (b) The criteria must be “related to individuals”; and
- (c) The specific criteria must enable the data to be easily retrieved.
The Court decided that some 35 Trust files formed part of a relevant filing system.
They were filed under the description of the relevant Trust and the client was recorded as the Trustee. The files clearly related to Trusts in which the requestors were potential beneficiaries. On this basis the High Court was satisfied that this was sufficient to satisfy (a) and (b). Turning to point (c), the Court said that since the files were arranged chronologically this would of course require someone to ‘turn the pages’ of the files to locate the personal information. However, the Court did not think that this would be an onerous task and the search would enable the personal data of the requestors to be easily retrieved. In any event the Court acknowledged that the law firm must have done this exercise in order to reach its conclusion that the majority of the personal data it held was subject to legal professional privilege.
For details about the Court’s reasoning see our more detailed case note.
The disproportionate effort issue
The High Court rejected the law firm’s arguments that a search through the files would involve a disproportionate effort. The decision makes it very clear that the onus is on the Data Controller to provide evidence about the time and cost involved in conducting searches. Taylor Wessing had failed to do this.
Implications of the decision
The case was considered under the DPA 1998. The GDPR and DPA 2018 now provide a subtly different definition of a filing system. However, the case shows that the approach of the Courts to the interpretation of data protection laws is focussed more on the rights of data subjects than on the burdens faced by Data Controllers. It is also clear that Data Controllers need to produce clear evidence in terms of time and costs if they wish to argue it would involve disproportionate effort to supply personal data. This will impact on the way subject access requests (and other rights) are dealt with under GDPR. Article 12(5) allows Data Controllers to refuse requests where they are “manifestly unfounded or excessive.” The burden of demonstrating this is on the Data Controller.