Out-Law / Your Daily Need-To-Know

Purpose of a subject access request should not be relevant to compliance says expert

Out-Law News | 12 Mar 2015 | 5:41 pm | 2 min. read

The purpose individuals are pursuing when submitting subject access requests should not be as heavy an influence on whether organisations need to comply with them as a High Court judge has made out, a legal expert has said.

Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said discussion on the purpose of SARs in a recent judgment issued by the High Court in London (8-page / 485KB PDF) was "misguided".

EU and UK data protection laws give individuals a right to obtain a copy of the personal data organisations hold on them upon filing a request for that information. Those requests are called data subject access requests (SARs) and must generally be complied with.

Courts have discretion whether or not to order a SAR to be complied with if asked to rule on the issue by an individual whose request for disclosure of their personal data had previously been refused by an organisation.

In the case before the High Court, Mr Justice Dingemans had to consider whether the Metropolitan Police (the Met) had been wrong to refuse a man's SAR.

Ali Babitu Kololo had asked the Met to disclose to him all records that the force held on him and said the disclosure was "required urgently", according to the judgment, predominantly because he believed the information could help him overturn a conviction for robbery with violence and kidnapping and to avoid the death penalty he has been sentenced to.

However, the Met refused Kololo's SAR because it felt the request was an "abuse of process". It thought the SAR was filed to "circumvent provisions" of other UK laws on the mutual assistance on criminal matters between the UK and other countries. The Met was involved in the investigation of the crimes Kololo allegedly committed as the victims were British.

Mr Justice Dingemans ruled that Kololo's SAR "is not an abuse of process". He came to that conclusion after assessing the purpose of the SAR.

The judge concluded Kololo's purpose in filing a SAR to the Met was "to determine whether there are inaccuracies in the data" the Met holds about him. He said that if inaccuracies were found it might help Kololo in his appeal against his conviction.

However, Scanlon said Mr Justice Dingemans had placed too much weight on the precise purpose of Kololo's SAR when determining whether to use his discretion to order the Met to comply with it.

"The discussion is misguided," Scanlon said. "From an EU law perspective, the motivation or purpose for a request to access data is not as relevant as the discussion on the court's discretion is making it out to be."

"The EU Data Protection Directive requires member states to 'guarantee' that people can access information about themselves 'without constraint'," Scanlon said. "To constrain the right to access data to only purposes which further other provisions of the DPA, such as to correct inaccuracies in data, ignores the fact that the aim of allowing people to access their data is a purpose of the legal framework that underpins the DPA itself – both the Data Protection Directive and the European Convention on Human Rights."

"That right of access ought to only be constrained where the specific exemptions or limitations included within the data protection legal framework apply, for example for national security reasons, not by analysing the possible reasons behind why someone would want to access information about themselves," he said.