Subject access request ruling could have implications for confidentiality of businesses' internal reports, says expert

Technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said that a High Court judgment potentially extends the circumstances in which the qualified criminal enforcement exemption to subject access request (SAR) rules under the Data Protection Act could be applied.

While the judgment focuses on criminal investigations conducted by law enforcement authorities, it may provide some guidance for businesses on how they might determine whether personal data processed during internal security or fraud investigations needs to be disclosed to data subjects, he said.

The High Court case concerned a request by two men for the disclosure of personal data held about them by the Metropolitan Police. The men face criminal charges in Thailand over the murders of two British tourists and face the prospect of being sentenced to death if they are found guilty.

The men wanted access to their personal data which is contained in a confidential report the Met had compiled into the murders with the assistance of the Thai authorities so as to identify whether it could be used as evidence in the legal proceedings brought against them in Thailand.

However, the Met argued against disclosure. It claimed that should it be forced to disclose the information it could jeopardise the willingness of foreign authorities to cooperate with it due to the threat to the confidentiality of information shared with them.

The Met argued that the Data Protection Act (DPA) allowed it to withhold the information the men sought.

Under the DPA people have a right to obtain a copy of the personal data organisations hold on them upon filing a request for that information. Those requests are called data subject access requests (SARs) and must generally be complied with. Courts have the power to order organisations to comply with SARs if they consider those organisations have withheld the data unfairly.

The Act, though, contains exemptions from the SARs rules. Section 29 of the Act allows organisations to withhold personal data that people have requested to access if the data is processed for the purposes of "the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty or of any imposition of a similar nature" if disclosure of the data "would be likely to prejudice" any of those purposes being pursued.

Mr Justice Green, the judge in this case, had to consider whether the purposes of the Met's processing of the two men's personal data was within the scope of this section 29 criminal enforcement exemption.

The Met had stated that it had compiled its report so as to "provide reassurance to the families of the victims about the investigation being conducted by the Thai authorities", according to the ruling.

Mr Justice Green determined that the purpose of this processing was within the scope of the exemption.

"The pursuit of an investigation for the purpose of family liaison is within the scope of section 29," the judge said. "Of course the paradigm case is where the foreign engagement is for the purpose of collecting evidence to be used in this jurisdiction as part of a criminal investigation or for advising and assisting in a foreign prosecution. However, modern thinking is to accept that the criminal justice system is not exclusively about pursuing and punishing the guilty; it is also about protecting the victims and this can include their families."

Scanlon said Mr Justice Green's views may indicate that the "trigger" for the section 29 rules to apply need not just be where organisations process personal data of people they suspect are responsible for criminal acts, but where they do so to protect victims and their families.

"Obviously, this is a serious criminal law matter and very different from a commercial context. But if you substitute the crime in this case with one against the Computer Misuse Act, and the victims with individuals who suffer loss as a result of a data breach, then it seems that the judgement may give greater scope for businesses to investigate incidents without being constrained by potential disclosure obligations which would otherwise apply", said Scanlon.

Mr Justice Green said that organisations which handle SARs must weigh up the interests of disclosing the data against the interests in withholding it where the criminal enforcement exemption is engaged.

The judge said that this "balancing exercise" needs to be undertaken for each individual piece of personal data that is within the scope of the section 29 rules and cannot be undertaken on an overarching, single determinative basis. The intensity of the balancing exercise that will need to be conducted will depend on what outcome is at stake, he said.

Mr Justice Green said he had applied an "'anxious' and intensive review of the evidence and the approach adopted by the [Met] in arriving at its refusal decision" and did not "accord the [Met any] … material margin of appreciation or discretion" when conducting the balancing exercise because he was conducting it in a death penalty case. He said: "In another case where the interests at stake are less acute the intensity of the approach adopted by the Court might be different".

After conducting the balancing exercise for each piece of personal data that the two men had asked the Met to disclose, Mr Justice Green rejected their request for him to order the Met to make that disclosure.

The judge said that there was no piece of personal data in the Met's report which referred to the two men in which the interests of disclosure outweighed the interests of withholding the information.

"My ultimate conclusion is that there is nothing in the personal data which would be of any real value to the [two men]," Mr Justice Green said. "I have not identified any particular piece of information to which I would attribute any really substantial weight to be set against the [Met's] objectives. As such I accept that the objections to disclosure raised by the [Met] to defeat the application are valid and, on the facts of the case, suffice to outweigh the [two mens'] otherwise strong interest in access."