Monday 21 January 2013

Vexatious requests

Occasionally, organisations hear from people who feel very strongly that their rights have not been fully respected. Less frequently, they embark on a course of behaviour that causes the organisation to consider what steps should be taken to protect the legitimate rights of their employer. Much less frequently, a call needs to be made as to whether there is a statutory obligation to disclose what has been requested.

The Information Rights Tribunal has recently issued more guidance on vexatious requests. While the behaviour at hand related to Freedom of Information legislation, I’ve wondered whether such guidance might also be relevant when dealing with Subject Access Requests.

According to the Tribunal: “The ICO has published a series of criteria which public authorities are invited to apply when considering this issue. Such guidance is undoubtedly helpful but, as the guidance itself recognises, a judgement as to whether a request is vexatious must not become a box – ticking exercise. Plainly, “vexatious” does not mean annoying. It represents conduct, here a request or requests for information, which bear no sensible proportion to the supposed objective. The proper objective of a FOIA request is the obtaining of reasonably accessible information of public importance. It is not to force the authority to change its policy through an unending battery of interrogation, to which the answers are irrelevant, in the sense that they will never stem the flow of requests."

How might this apply to Subject Access Requests? 

Well, the current law remains what was said in the Royal Courts of Justice back in December 2003. Yes, the Durant case.  The anoraks will be able to recite paragraphs 26-31 by heart. The highlights are:The intention of the Directive, faithfully reproduced in the Act, is to enable an individual to obtain from a data controller’s filing system ... his personal data, that is, information about himself ...  to enable him to check whether the data controller’s processing of it unlawfully infringes his privacy and, if so, to take such steps to protect it. It is not an automatic key to any information, readily accessible or not, of matters in which he may be named or involved. Nor is to assist him, for example, to obtain discovery of documents that may assist him in litigation or complaints against third parties. As a matter of practicality and given the focus of the Act on ready accessibility of the information - whether from a computerised or comparably sophisticated non-computerised system - it is likely in most cases that only information that names or directly refers to him will qualify. 

It follows from what I have said that not all information retrieved from a computer search against an individual’s name or unique identifier is personal data. Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data. 

Looking at the facts of this case, I do not consider that the information of which Mr. Durant seeks further disclosure - whether about his complaint to the FSA about the conduct of Barclays Bank or about the FSA’s own conduct in investigating that complaint – is "personal data" .. . Just because the FSA’s investigation of the matter emanated from a complaint by him does not, it seems to me, render information obtained or generated by that investigation, without more, his personal data. For the same reason, either on the issue as to whether a document contains "personal data" or as to whether it is part of a "relevant filing system", the mere fact that a document is retrievable by reference to his name does not entitle him to a copy of it ... It cannot have been the intention of Parliament that ... any document held by the FSA generated by and/or arising out of the FSA’s investigation of such a complaint should itself be disclosable. .....

In short, Mr. Durant does not get to first base in his claim against the FSA because most of the further information he sought ... is not his "personal data"... It is information about his complaints and the objects of them, Barclays Bank and the FSA respectively. His claim is a misguided attempt to use the machinery of the Act as a proxy for third party discovery with a view to litigation or further investigation, an exercise, moreover, seemingly unrestricted by considerations of relevance."

The ICO covers this matter in the latest draft Subject Access Code of Practice, currently under consultation, using language which is very different to that of the Durant judgment. While the document does not offer much guidance on what personal data actually is, there is guidance on deciding what should be supplied:Documents or files may contain a mixture of information that is the requester’s personal data, personal data about other people and information that is not personal data at all. This means that sometimes you will need to consider each document within a file separately, and even the content of a particular document, to assess the content of the information they contain. It may be easier (and will be more helpful) to give a requester a mixture of all the personal data and ordinary information relevant to their request, rather than to look at every document in a file to decide whether or not it is their personal data – this approach is likely to be appropriate where none of the information is particularly sensitive or contentious.” 

According to the ICO: “If a requester asks for ‘all the information you hold’ about them, they are entitled to do that. You may ask them to provide information about the context in which information about them may have been processed, and about the likely dates when processing occurred, if this will help you deal with the request.

It may be particularly difficult to find information to which a SAR relates if that information is contained in emails which have been archived and removed from your ‘live’ systems. Nevertheless, the right of subject access is not limited to the personal data to which it would be ‘reasonable’ for you to provide access. Subject to certain exemptions, you must provide subject access to all personal data you hold, regardless of how difficult it is to find. You may, of course, ask the requester to provide you with contextual information to help you find the personal data they have requested."

This is going to be fun. I expect an interesting debate between applicants who want to see material because it has their name on it, and organisations that insist the material be withheld because there is no legal obligation to make it available.

Appeal No: EA/2012/0163

Neutral Citation No: [2003] EWCA Civ 1746

Image credit: