UK: Useful court guidance on dealing with subject access requests
In this case Dr Rudd, a medical expert on exposure to asbestos, made a SAR to Mr Bridle, a lobbyist for the asbestos industry, after he alleged that Dr Rudd was part of a wider conspiracy to provide false evidence about the risks associated with white asbestos. On the basis that the response to his SAR was inadequate, Dr Rudd brought a claim against Mr Bridle and his company, seeking an order that they provide further information.
The court ruled that the SAR response was inadequate and that Mr Bridle should provide a further SAR response, disclosing significant additional information. The Court said that:
• None of the exemptions relied on by Mr Bridle, namely journalism, regulatory activity and privilege, had been made out
• The information provided to Mr Rudd in response to his SAR was inadequate as it did not include any information about the nature, status or identities of the person, firm or company to whom emails in question were sent. The identities of those who allegedly conspired, assisted or collaborated with the claimant was part of his personal data.
The information was focused on the claimant and so is biographically significant. This also applied to those identified as persons to whom allegations of fraud had been made.
The court ordered the defendants to provide a further SAR response which must include descriptions of the recipients of personal data, the identities of persons who had been communicating with Mr Bridle about Mr Rudd and any information as to the sources of the personal data and the purposes for which it was processed.
Comment
Although this SAR was lodged prior to 25 May 2018 and so this case was considered under the previous legislation, the court’s conclusions and guidance are relevant under the GDPR.
In relation to the approach to disclosing the identity of recipients of an individual’s personal data and to the purposes of processing data, this guidance is helpful for employers in clarifying their obligations.
That said, employers will not welcome the fact that this decision demonstrates the breadth of the obligations in relation to SARs and means that an individual’s personal data may in some circumstances include the identity of third parties.
For a detailed update on this decision, see Useful court guidance on dealing with subject access requests.[https://www.clydeco.com/blog/the-hive/article/useful-court-guidance-on-dealing-with-subject-access-requests]
Rudd v Bridle and J&S Bridle Limited [2019] EWHC 893 (QB) [https://www.bailii.org/ew/cases/EWHC/QB/2019/893.html]