Ruling shows that deleting personal data can remove burdens brought by data subject access requests, says expert

Out-Law News | 13 Aug 2013 | 10:23 am | 4 min. read

A ruling by the High Court on the issue of dealing with data subject access requests highlights the positives that can be derived by businesses that decide to dispose of personal data records they no longer need, an expert has said.

Technology law expert Luke Scanlon of Pinsent Masons, the law firm behind, said that businesses can at times look upon data retention checks as being a regulatory burden favouring to hold on to data to maximise "remote potential benefits". He said, though, that businesses that observe good data destruction practices can not only ensure compliance with data protection laws but can also protect themselves from incurring potentially significant liability arising out of responses to  subject access requests (SARs) from individuals or claims management companies that may wish to use the information.

Scanlon was commenting after the High Court issued a ruling on the extent to which liquidators of a personal loans company would have to adhere to SARs made to that company.

According to the judgment, Southern Pacific Personal Loans Limited (SPPLL) has been receiving approximately 88 SARs a month since entering into liquidation and faces more than £500,000 in annual costs just to comply with those SARs. Most of the SARs have been made by claims management companies with a view to determining whether individuals have a claim to compensation over the mis-selling of payment protection insurance (PPI), the judgment said.

The liquidators for SPPLL argued that being forced to sustain such large costs in relation to complying with SARs would impact on the amount of money they would be able to distribute to SPPLL's creditors. They challenged the extent to which they would need to comply with the requests and asked whether they could delete personal data records held by the company that were no longer needed.

Under the Data Protection Act (DPA) organisations are generally required to provide a copy of the personal data they hold about an individual when that individual requests access to it within 40 days of receiving that request. In order to comply with SARs, organisations must generally provide the information in an "intelligible form". The copy must also be in "permanent form unless the supply of such a copy is not possible or would involve disproportionate effort, or the data subject agrees otherwise."

A separate section of the DPA also requires data controllers to make sure that personal data is "not ... kept for longer than is necessary" for the purpose or purposes for which it is to be processed.

In its ruling the High Court said that businesses are under a duty to respond to all SARs they receive but said they do not need to think about all possible future related claims that they could face when deciding whether to delete personal data records.

There is no duty "to retain data so that it can remain available to be mined by former customers or claims handling companies with a view to making claims against third parties", Mr Justice Richards said in his ruling.

The judge, though, said that there were two considerations that liquidators specifically would have to make before pressing ahead with the deletion of personal data records held by a company they are winding up.

"The company must retain sufficient data to enable it to respond to [data] SARs made to the company before the disposal of the data," Mr Justice Richards said. "The second qualification is that the liquidators must retain sufficient data to enable them to deal with any claims that may be made in the liquidation."

Mr Justice Richards also said that courts can take into account the purpose for which SARs are served on companies when deciding on whether to order compliance with such a request. However, he rejected the idea that previous case law had already established that a data controller can flatly refuse to respond to SARs on the grounds of the purpose of those requests.

The judge ruled that liquidators cannot be held responsible for data processed by the companies they are engaged in winding-up. In such cases they are not 'data controllers' and cannot therefore be held liable for any breach of the Data Protection Act by the companies, such as the non-compliance with the rules on SARs, he said.

However, liquidators are required to register as 'data controllers' in order to process and retain personal information in connection with performing tasks in their role as liquidators, the judge said.

"Some of the duties of a liquidator are undertaken by him as principal in that capacity and not on behalf of the company of which he is the liquidator," the ruling said. "For example, where he receives and adjudicates upon proofs of debts submitted by those claiming to be creditors of the company, he does so as the liquidator and not as an agent of the company. Data, some of which is likely to be personal, will be processed and retained by the liquidator in the course of performing those duties. It follows that he is required to register as a data controller."

In the case before him, Mr Justice Richards said that the liquidators were free to dispose of data processed by or on behalf of the SPPLL providing it was in line with rules laid out in the DPA and subject to the two qualifications listed. He backed plans by the liquidators to set a deadline for claims to be raised with it over the mis-selling of PPI by SPPLL or its brokers and to advertise the deadline on such claims before deleting data that does not relate to the claims lodged in time.

In his ruling the judge also said that SARs can be complied with without disclosing whole documents to requesters. Individuals' right to access their personal data extends only to the information itself, he said.

"The decision is a good reminder to businesses that robust data destruction policies, which are in accordance with the DPA, are a protection against future claims and administrative costs," Luke Scanlon of Pinsent Masons said.

The Information Commissioner's Office issued a new code of practice on dealing with SARs last week.