ON APPEAL FROM THE HIGH COURT, QUEEN’S BENCH DIVISION
His Honour Judge Seymour QC
(sitting as a High Court Judge)
HQ15X00982
Royal Courts of Justice
Strand, London, WC2A 2LL
Before :
LORD JUSTICE LEWISON
LORD JUSTICE LLOYD JONES
and
LORD JUSTICE McCOMBE
Between :
A2/2015/1599 ALIREZA ITTIHADIEH | Appellant |
- and - | |
(1) 5-11 CHEYNE GARDENS RTM COMPANY LTD (2) CLAUDE GREILSAMER (3) PAUL ANTHONY KNAPMAN (4) STEPHEN CHARLES MAY (5) JAMES ALEXANDE MCCONNELL ORR (6) HMR LONDON LTD (7) SUSAN METCALFE | Respondents |
IN THE COURT OF APPEAL (CIVIL DIVISION)
ON APPEAL FROM THE QUEEN’S BENCH DIVISION, OXFORD DISTRICT REGISTRY
His Honour Judge Harris QC
(sitting as a High Court Judge)
30X90052
Between :
A2/2015/1520 & 1524 DR CECILE DEER | Appellant |
- and - | |
THE UNIVERSITY OF OXFORD | Respondent |
And Between | |
A2/2015/1524 THE UNIVERSITY OF OXFORD | Appellant |
- and - | |
DR CECILE DEER | Respondent |
THE INFORMATION COMMISSIONER | Intervener |
A2/2015/1520 & 1524
Mr Philip Coppel QC & Ms Ruchi Parekh (instructed by Taylor Wessing LLP) for the Appellant
Mr Robin Hopkins (instructed by Stitt & Co) for the 7 Respondents
A2/2015/1524
Rhodri Williams QC (instructed by Blake Morgan Solicitors) for the Appellant
Mr Timothy Pitt-Payne QC (instructed by Simmons & Simmons LLP) for the Respondent
Mr Julian Milford & Mr Christopher Knight (instructed by Information Commissioner’s Office) for the Intervener
Hearing dates : 29/30 November and 1 December 2016
Judgment Approved
Lord Justice Lewison:
The issues
These two appeals, which were heard together, raise issues under the Data Protection Act 1998 (“the DPA”). Shortly stated, the main issues are:
The scope of the definition of “personal data” in section 1 of the DPA;
Who is a “data controller”;
What constitutes a subject access request (a “SAR”);
Whether the duty to comply with a SAR is limited to a duty to carry out a reasonable and proportionate search;
The extent of the exemption from data protection duties for data processed only for the purposes of an individual’s personal, family, or household affairs;
The extent of the court’s discretion under section 7 (9) of the DPA to order or to decline to order a data controller to comply with a SAR.
We were aware, at the hearing, that another constitution of this court had recently heard an appeal in Dawson-Damer v Taylor Wessing, which we understood raised issues about the exercise of discretion which might have a bearing on the outcome of these appeals. We therefore informed the parties that we would delay giving judgment in these appeals until judgment had been given in Dawson-Damer and they had had an opportunity to make written submissions about it. Judgment in Dawson-Damer was handed down on 16 February 2017 ([2017] EWCA Civ 74). We received written submissions on 21 February 2017 and further submissions on 23 and 24 February 2017.
There are other, more case specific, issues raised by the appeals which I will come to in due course. I begin with the basic facts.
Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd
Mr Alireza Ittihadieh owns flat 5/6 in a residential building at 5-11 Cheyne Gardens where he has been living for 20 years. The building is a block of 10 Victorian houses which were converted into 15 interlinked flats in the 1960s. Mr Ittihadieh is also the beneficiary of a trust which indirectly holds a 999-year lease in two other flats in the building, as well as a reversionary interest in another flat. 5-11 Cheyne Gardens RTM Company Ltd (“the RTM company”) is a right-to-manage company of certain parts of the building. The second to fifth respondents are residents in various flats in the building, as well as being directors of the RTM company. HMR London Ltd, the sixth respondent, is a company that is the company secretary to the RTM company and the seventh respondent is a director of the sixth respondent.
Until 2010 the Cadogan Estate owned the freehold of the building and the head leaseholder was August Building Ltd. In October 2010 a company owned by Mr Ittihadieh bought the head lease. In 2010 the non-corporate owners of flats in the building, but excluding Mr Ittihadieh and his partner, established and became members of the RTM company under the Commonhold and Leasehold Reform Act 2002. Four residents (the second to fifth respondents) were appointed directors of the RTM company and the fourth was elected chairman. Later that year Mr Ittihadieh, his partner and his companies became members of the RTM company. However, Mr Ittihadieh’s attempt to get representation on the RTM company by having his solicitor appointed a director was blocked. Later attempts by Mr Ittihadieh himself to be appointed a director so as to enable him to raise his concerns about the running of the building were also blocked.
During the course of the disputes that have been going on between Mr Ittihadieh and his fellow residents, Mr Ittihadieh became concerned that his fellow residents had been swapping, retaining and otherwise using personal information about him. He formed the view that they had gone beyond what was permissible and had been keeping a specific file on him. There was such a file known as “the Alireza file”.
In consequence he made a SAR on 3 November 2014 contained in a letter from his solicitors, Taylor Wessing. The letter was addressed to the directors of the RTM company and it stated that it was also being sent to each of the other respondents to this appeal. In addition to containing the SAR the letter made a number of other complaints. It said, for instance, that Mr Ittihadieh intended to bring proceedings against the RTM company “its directors and company secretary, both in their capacity as directors and company secretary and personally” for discrimination, harassment and victimisation. The SAR began:
“Our client is aware that the RTM Company holds personal information about him. He also believes that the RTM Company holds information about our client which is, amongst other things, defamatory.
We hereby request, pursuant to Section 7 (1) of [the DPA], that you provide him with all information and documents which our client is entitled to receive under Section 7 (1) (a) – (d). We demand that you confirm to us in writing whether the RTM Company or anyone acting on its behalf is processing personal data (including emails) about our client. For the avoidance of doubt, we expect this to include personal data processed by [the respondents] personally acting in their capacity as directors or company secretary of the RTM Company or otherwise in the RTM Company’s business.
For example, please provide a copy of the information constituting any personal data of which our client is the data subject, including, without limitation, a copy of all personal data which may be held in the form of handwritten notes, meeting and other attendance notes, letters, emails, SMS text messages and word-processed documents. It is likely that some data may be held in back-up or archive form or may have been deleted but is still recoverable. This can be identified through the use of search tools, and should be considered part of your search criteria.”
The letter also said:
“The fee of £10 was sent to Mr Peter Crawford of Stitt & Co. We are awaiting confirmation that he will be forwarding this to you.”
It ended by saying:
“Our client will in due course be issuing a claim against the RTM Company, its directors and company secretary, both in their capacity as directors or company secretary and personally, for the discrimination against, harassment and victimisation of our client, as set out above.”
Stitt & Co’s reply of 25 November 2014 said that any personal information which had been requested “will amount also to personal information about those other individuals which they are unlikely to consent to disclose.” The reply also said that the request was “a fishing expedition and an abuse of process. It will involve the RTM Company in wholly unnecessary costs which will have to be passed on through the service charge provisions in the lease…”
Under cover of a letter of 12 December Stitt & Co disclosed a number of documents (some 400 in all) and said that some of the documents had been redacted in order not to disclose personal information about other individuals who had not consented to disclosure. One of the disclosed documents referred to an “Alireza file”. On 19 December Taylor Wessing asked for disclosure of the “Alireza file;” but on 22 December Stitt & Co replied to the effect that they would not comment on the documents withheld and that the RTM Company, its directors and managing agents had fully complied with their obligations.
On 2 March 2015 Mr Ittihadieh issued a claim form in the Queen’s Bench Division, seeking an injunction and damages. A few days later he made an application for an order under section 7 (9) of the DPA requiring the respondents to provide witness statements giving the information required under section 7.
HHJ Seymour QC heard the application on 5 May 2015. He decided that the SAR was directed only to the RTM company and not to the other respondents; that none of the other respondents was a “data controller” for the purposes of the DPA, and that if any of them had processed data in a personal capacity they were entitled to an exemption in respect of that data on the ground that the data were processed only for the purposes of an individual’s personal, family, or household affairs. As far as the RTM company was concerned, the judge said that no attempt had been made to show him that the 400 pages of disclosed documents failed to provide all the information to which Mr Ittihadieh was entitled, and that to make an order would be disproportionate. He therefore refused to exercise his discretion under section 7 (9).
That left the “Alireza file”. The judge had looked at the file over the lunch adjournment with the agreement of both parties. He refused to make an order relating to that file for reasons which he said he had given at the resumption of the afternoon session. There is a complaint of procedural irregularity amounting to injustice about the judge’s treatment of this issue, to which I will need to return.
Deer v Oxford University
Dr Cécile Deer has been engaged in litigation with the University of Oxford for some eight years. Part of that litigation has already been the subject of an appeal to this court (Deer v University of Oxford [2015] EWCA Civ 52, [2015] ICR 1213). I take a summary of the background to the current appeals from the judgment of Elias LJ in that case.
Dr Deer is a former DPhil student and ex-employee of the University. She was employed by the University from October 2000 to March 2008 as a contractual research fellow at an organisation known as SKOPE, based in the department of economics and department of education. In 2008 she brought a sex discrimination claim against the University relating to treatment she had received at the hands of the University and the University Football Club. This was compromised in June 2008 on terms which included the payment of £25,000 to Dr Deer and also an agreed reference which the University undertook to provide. Between 2009 and 2011, after she had left the employment of the University, she presented five claims in the employment tribunal. In each she alleged that she had been victimised because she had advanced the settled claim and the subsequent claims. She alleged that in various respects the University had treated her less favourably than she would have been treated had she not initiated them.
The claims all arose from the refusal by Dr Deer’s doctoral supervisor, Professor Walford, to provide her with a reference. Dr Deer had been his student from 1996 to 2000, some eight years before she approached him for the reference for a Fellowship for which she wished to apply. He refused to provide one giving reasons why he would not, and he advised her not to pursue the post. Dr Deer lodged an internal grievance complaining about his conduct. At the same time she instituted a claim before the employment tribunal (claim 1) against both Professor Walford and the University. She alleged that Professor Walford had declined to provide the reference because he was influenced by his knowledge of the settled claim and the University was vicariously liable for this act of victimisation.
Whilst the internal grievance was still in progress, Dr Deer issued a second claim (claim 2) on 1 June 2009, this time against the University alone. This alleged that the University had colluded with Professor Walford who, it was said, had been the University's agent when declining the reference. On 30 July 2009 Dr Deer was told that her grievance had not been upheld. She appealed that finding and her grievance appeal was rejected on 16 December 2009. Meanwhile, on 29 October 2009 she had issued claim 3 in which she alleged that the University had dealt with her grievance in a discriminatory way, victimising her because she had made claims against them. There were various allegations to the effect that the investigation had been defective in particular respects and that certain avenues had not been properly explored. On 15 March 2010 she issued claim 4, a similar claim to claim 3 but this time in respect of the grievance appeal. Again she alleged that she had been treated less favourably in the way in which the appeal had been conducted than she would have been had she not made the previous claims.
On 27 July 2010 Dr Deer made the first of the two SARs under section 7 of the DPA with which this appeal is concerned. The SAR, accompanied by the appropriate fee, requested personal data held electronically and in any other relevant filing system within the following categories:
All data relating to and any communication concerning the agreement to provide Dr Deer with a reference and the drafting of that reference;
All data concerning the provision of references for her;
Since 18 June 2008 all instructions and information regarding Dr Deer given to academics in the department of education or to any of her former colleagues in SKOPE or any other members of the University;
All relevant data contained in e-mails and other electronic documents authored by and sent to Professor Walford on 1 and 2 December 2008 concerning Dr Deer;
All data relating to the request sent by Morgan Cole LLP to Nabarro LLP on 4 December 2008 for the agreed reference from Professor Mayhew to be altered and all documents relating to the eventual supply of a reference to Merton College including the reference itself;
All data relating to the Sex Discrimination Act Questionnaire sent to Professor Walford and the handling of the responses (this was amplified in certain respects);
All data created by or on behalf of the University as a result of Professor Walford’s refusal to provide a reference and her grievances relating to that and other matters including opinions about her and intentions towards her;
The SAR said that for the avoidance of doubt these categories included any records of facts which might have harmed Professor Walford’s case and any of the University’s cases which had not been disclosed to her; data relating to the “e-mail dossier” presented for the purpose of the grievance appeal; and all paper documents including manuscript notes;
Data relating to Dr Deer in e-mails or electronic documents sent to or received from or created by a number of named individuals between specified dates, using the search terms “Cécile”, “Deer” and “Walford.”
The SAR also asked that, once Dr Deer’s personal data had been identified, information constituting that data be provided in accordance with Information Commissioner Office (ICO) Guidelines, and that information be supplied identifying the source of the data and recipients to whom the data was or may have been disclosed. Finally, in respect of personal data which the University decided to withhold, a request was made, again in accordance with ICO guidelines, for details to be provided of the searches conducted, a description of the data withheld and the reasons for withholding the data.
In its reply of 25 October 2010 the University said that Dr Deer was making improper use of the DPA 1998 on the basis that she was at the time involved in litigation with the University in the Employment Tribunal. It was alleged that she was seeking to use the DPA 1998 as a proxy for obtaining disclosure for the purposes of the ET litigation and that the Court of Appeal in the case of Durant v Financial Services Authority had made it clear that this was improper. The University therefore declined to provide access to any data which it considered was linked to the ongoing litigation which, it stated would be the subject of a disclosure process in the ET. It nevertheless provided some other information insofar as it considered it reasonable to do so and insofar as it considered this data “detached” from the ongoing litigation.
In respect of the nine specific categories of data for which Dr Deer had requested access, access to information in categories 2, 3, 4, 6, 7, 8 and 9 was refused “on an application of the Durant principles.” Further, in respect of categories 1 and 5, access was refused on the basis that the information was contained in communications which were subject to legal professional privilege. However, on 25 October 2010 and 18 November 2010 the University disclosed certain information to Dr Deer.
The University’s stance led to claim 5 on 24 January 2011, in which Dr Deer alleged that the real reason, or at least a reason, for refusing to provide or at least undertake to preserve the material was that she had pursued the previous claims. In addition it led to a second SAR which Dr Deer made on 17 July 2012 identical terms to the previous request of 27 July 2010. This is the second SAR with which this appeal is concerned. In the meantime the University had disclosed Dr Deer’s personnel file to her.
On 14 February 2013 Dr Deer issued a Part 8 claim form alleging that the University had failed to respond to her SARs in accordance with the requirements of the DPA.
On 5 September 2013 the University disclosed to Dr Deer some information that had been withheld from her solely on the basis of the Durant argument (i.e. that the request was an abuse of the right of subject access), while continuing to withhold information where it claimed that there was some other reason for doing so. Although the University said that it had carried out an adequate search, Dr Deer disputed that assertion.
Following an abortive part heard hearing an application in the Part 8 claim came on for hearing before Recorder Hancock QC who handed down judgment on 4 March 2014. He made an order requiring the University to carry out searches of its servers for data contained in emails or electronic documents sent to or received from 22 named individuals between specified dates. It also required the University to search the servers used by five departments and faculties. The University carried out further searches for Dr Deer’s personal data, and as a result it made further disclosures to her on 17 April 2014. In the course of carrying out those searches the University reviewed over 500,000 e-mails and other documents at a cost of some £116,116.
I do not understand it to be in dispute that the way in which the University went about complying with Recorder Hancock’s order was accurately summarised in its skeleton argument, which I reproduce.
In relation to the documents sent to or received from the 22 named individuals, the University located the relevant mailboxes and exported their contents (between the date ranges specified in the Order) to Unified plc (a data processor to which Simmons & Simmons, the University’s solicitors, outsources the processing of electronic data). Unified then processed the data so that it was in a form suitable to be uploaded into the Relativity software package (which is used by Simmons & Simmons for document analysis). In total Unified received from the University 227,272 emails or documents found in mailboxes, and these were supplied to Simmons & Simmons for uploading into Relativity and subsequent review. In relation to the documents held on the servers used by the five departments and faculties, the University itself searched the relevant departmental and faculty servers, using the search terms “cécile” and “deer” disjunctively, with no restriction on the date range. This search produced a very large volume of data apparently responsive to the search terms, in particular from the servers holding data for the Departments of Education and Economics. Some steps were taken to eliminate material that, for various reasons, did not require further review. The remaining material was processed by Unified and supplied to Simmons for uploading into Relativity and subsequent review. Simmons & Simmons then reviewed the material that had been supplied to them, using Relativity.
In total, Simmons & Simmons received 508,161 emails and other documents. Of these, when Simmons & Simmons searched for the isolated words “cécile” and “deer” (disjunctively, and on a case insensitive basis), 8,281 documents were responsive to that search. Following review of these documents by Simmons & Simmons:
3,415 documents were identified as irrelevant;
3,582 documents were identified as legally privileged and placed in bundles for review by the court pursuant to section 15(2) of the DPA (“the Target Bundles”);
733 were identified as having some reference to Dr Deer, but as not representing her personal data: these were also included in the Target Bundles;
242 were identified as being sent to or received from Dr Deer (the “to/from documents”);
74 were identified as outside the scope of the SARs by reason of their date; and
235 were identified as containing Dr Deer’s personal data and as being disclosable.
Following the elimination of duplicate documents, the number of to/from documents reduced from 242 to 211, and the number of other disclosable documents containing Dr Deer’s personal data reduced from 235 to 63. Of these 63 documents, 30 had previously been disclosed and 33 had not.
The claim came back before the court on 28 and 29 April 2014 when HHJ Harris QC heard argument about whether the University had complied with its obligations under the DPA. The judge heard submissions about the concept of personal data, and examined certain documents that referred in some way to Dr Deer but that were said by the University not to constitute her personal data. In the course of the hearing the judge rejected Dr Deer’s application that he should examine a bundle of documents that had been withheld on grounds of legal professional privilege. He considered that there was nothing to indicate that the University’s solicitors had taken a wrong approach to the question of legal professional privilege.
In his judgment of 11 July 2014 the judge concluded that: (i) none of the withheld material constituted Dr Deer’s personal data; and (ii) in any event, if there were any errors of taxonomy in his analysis, then in the exercise of his discretion he would not require the University to take any further steps in compliance, as this would serve no useful purpose.
In a further judgment that the judge gave on 23 February 2015 the judge made a declaration that the University ought to have disclosed the documents that Recorder Hancock QC’s order resulted in being disclosed, within a reasonable time of the first SAR and ordered the University to pay Dr Deer’s costs up to the date of the Recorder’s order.
The appeals
Mr Ittihadieh appeals against the order of HHJ Seymour QC. Dr Deer appeals against the order of HHJ Harris QC; and the University cross-appeals against the declaration that he made and his order for costs. The Information Commissioner (who is the regulator) has intervened in both appeals, because they raise points of wider significance. I propose to deal first in general terms with the legal points that arose in each of the appeals, before applying those which are relevant to the particular appeal to the facts.
The purpose of the Directive
The DPA was enacted to give effect to Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. It is common ground, therefore, that we should interpret the DPA conformably with the Directive: (Case C-106/89) Marleasing SA v La Comercial Internacional de Alimentación SA [1992] 1 CMLR 305.
The purpose underlying the Directive is set out in its recitals. Recital (2) states that data processing systems must “respect [natural persons’] fundamental rights and freedoms, notably the right to privacy.” The emphasis on the right to privacy is repeated in recitals (7), (9), (10), (11) and (68). The question of access to personal data is dealt with in the following recitals:
“(25) Whereas the principles of protection must be reflected, on the one hand, in the obligations imposed on persons, public authorities, enterprises, agencies or other bodies responsible for processing, in particular regarding data quality, technical security, notification to the supervisory authority, and the circumstances under which processing can be carried out, and, on the other hand, in the right conferred on individuals, the data on whom are the subject of processing, to be informed that processing is taking place, to consult the data, to request corrections and even to object to processing in certain circumstances
(41) Whereas any person must be able to exercise the right of access to data relating to him which are being processed, in order to verify in particular the accuracy of the data and the lawfulness of the processing …”
The European Court has also laid emphasis on privacy. In (Case C-553/07) College van burgemeester en wethouders van Rotterdam v Rijkeboer [2009] 3 CMLR 28 the court said at [46] that the purpose of the Directive was “to protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data” and added at [47]:
“The importance of protecting privacy is highlighted in recitals 2 and 10 in the preamble to the Directive and emphasised in the case law of the Court [citing authority].”
In (Joined Cases C-141/12, C-372/12) YS v Minister voor Immigratie, Integratie en Asiel, Minister voor Immigratie, Integratie en Asiel v M [2015] 1 WLR 609 the court referred at [46] to the Directive’s “purpose of guaranteeing the protection of the applicant's right to privacy with regard to the processing of data relating to him”.
The substantive provisions of the Directive
Article 1(1) of the Directive states:
“In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.”
It will be seen, therefore, that a key concept is “personal data”. Article 2 (a) of the Directive defines that expression as follows:
“'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
Article 3 provides that the Directive does not apply to the processing of personal data “by a natural person in the course of a purely personal or household activity.” This provision reflects recital (12) which says that:
“…there should be excluded the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, such as correspondence and the holding of records of addresses.”
Article 12 lays down the right of access. It provides, so far as material:
“Member States shall guarantee every data subject the right to obtain from the controller:
(a) without constraint at reasonable intervals and without excessive delay or expense:
- confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed,
- communication to him in an intelligible form of the data undergoing processing and of any available information as to their source, …
(b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data…”
Article 13 enables member states to create exemptions and restrictions on (among other things) the right of access under article 12. It provides, so far as material:
“Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in Articles 6 (1), 10, 11 (1), 12 and 21 when such a restriction constitutes a necessary measures to safeguard
…
(g) the protection of the data subject or of the rights and freedoms of others.”
Article 22 requires member states to provide for a judicial remedy for any breach of the rights guaranteed by the national law applicable to the processing in question.
The Data Protection Act
The definition of “personal data” in the Directive is reflected in section 1 (1) of the DPA which provides:
“personal data” means data which relate to a living individual who can be identified—
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.”
A “data controller” is also defined by section 1 (1) of the DPA as follows:
“… a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed.”
In turn section 1 (1) gives a wide definition to “processing”. It includes “recording or holding” information; and also “consultation or use” of information.
A “data subject” is an identifiable natural person who is the subject of personal data: section 1 (1). Section 7 of the DPA, reflecting article 12 of the Directive, gives a data subject a right of access to personal data:
“(1) Subject to the following provisions of this section and to sections 8, 9 and 9A, an individual is entitled–
(a) to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller,
(b) if that is the case, to be given by the data controller a description of—
(i) the personal data of which that individual is the data subject,
(ii) the purposes for which they are being or are to be processed, and
(iii) the recipients or classes of recipients to whom they are or may be disclosed,
(c) to have communicated to him in an intelligible form—
(i) the information constituting any personal data of which that individual is the data subject, and
(ii) any information available to the data controller as to the source of those data, and
(d) where the processing by automatic means of personal data of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting him, to be informed by the data controller of the logic involved in that decision-taking.”
A request made under section 7 (1) is a subject access request or SAR. Section 7 (2) provides that a person is not obliged to comply with a SAR unless he has “received a request in writing” and “such fee (not exceeding the prescribed maximum) as he may require.” Except where the request is made to a credit reference agency or the request concerns an educational record or health record, the maximum fee which may be required by a data controller is £10: The Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000, reg. 3.
Section 7 goes on to provide:
“(4) Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless—
(a) the other individual has consented to the disclosure of the information to the person making the request, or
(b) it is reasonable in all the circumstances to comply with the request without the consent of the other individual.
(5) In subsection (4) the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request; and that subsection is not to be construed as excusing a data controller from communicating so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise.
(6) In determining for the purposes of subsection (4)(b) whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard shall be had, in particular, to—
(a) any duty of confidentiality owed to the other individual,
(b) any steps taken by the data controller with a view to seeking the consent of the other individual,
(c) whether the other individual is capable of giving consent, and
(d) any express refusal of consent by the other individual.”
Section 7 (9) provides:
“(9) If a court is satisfied on the application of any person who has made a request under the foregoing provisions of this section that the data controller in question has failed to comply with the request in contravention of those provisions, the court may order him to comply with the request.”
Section 8 contains provisions supplementary to section 7. Section 8 (2) provides:
“The obligation imposed by section 7(1)(c)(i) must be complied with by supplying the data subject with a copy of the information in permanent form unless
(a) the supply of such a copy is not possible or would involve disproportionate effort, or
(b) the data subject agrees otherwise …”
Where there is a dispute under section 7 (9) about a data subject’s entitlement to information, the court may require the information to be produced to it without disclosure to the data subject, pending the court’s decision: DPA section 15 (2).
Section 17 prohibits a data controller from processing personal data unless he is registered with the Information Commissioner. Contravention of section 17 is a criminal offence: section 21.
Part IV of the DPA concerns exemptions. Section 27 (5) provides:
“Except as provided by this Part, the subject information provisions shall have effect notwithstanding any enactment or rule of law prohibiting or restricting the disclosure, or authorising the withholding, of information.”
The “subject information provisions” include section 7. Section 36 of the DPA, reflecting article 3 of the Directive, provides:
“Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the data protection principles and the provisions of Parts II and III.”
There are further relevant exemptions in Schedule 7. Paragraph 5 of that Schedule provides:
“Personal data processed for the purposes of management forecasting or management planning to assist the data controller in the conduct of any business or other activity are exempt from the subject information provisions in any case to the extent to which the application of those provisions would be likely to prejudice the conduct of that business or other activity.”
Paragraph 10 states:
“Personal data are exempt from the subject information provisions if the data consist of information in respect of which a claim to legal professional privilege … could be maintained in legal proceedings.”
The exemptions in paragraphs 5 and 10 do not have express counterparts in the Directive, but recitals (41), (42), (43) and (44) give member states wide powers to create exemptions and so, as mentioned, does article 13.
Section 13 (1) entitles an individual to compensation for any damage suffered as a result of any contravention by a data controller of any of the requirements of the DPA. Section 13 (2), as drafted, entitles an individual to compensation for distress, but only if he has also suffered damage. However, in Vidal-Hall v Google Inc [2015] EWCA Civ 311, [2015] 3 WLR 409 this court held that section 13 (2) should be disapplied because it conflicted with the rights guaranteed by the Charter of Fundamental Rights of the European Union. It follows that an individual is entitled to compensation for distress he suffers as a result of any contravention of the DPA, whether or not he also suffers damage.
Personal data
Mr Pitt-Payne QC, for the University, submitted that the definition of “personal data” consists of two limbs:
Whether the data in question “relate to” a living individual and
Whether the individual is identifiable from those data.
This is inherent in the form of the definition in the DPA. I agree, and the point is, in my judgment, even clearer in the definition of “personal data” in the Directive, where the definition is clearly split between two clauses.
Since the DPA is intended to give effect to the Directive, it is convenient to begin with the EU jurisprudence. The expression “personal data” “undoubtedly covers the name of a person in conjunction with his telephone details or information about his working conditions or hobbies” as well as information that a person has been injured and is on half time; (Case C-101/01) Criminal Proceedings against Lindqvist [2004] QB 1014; or his name and address: (Case C-553/07) Rotterdam v Rijkeboer. The same is true of the name, date of birth, nationality, gender, ethnicity, religion and language, relating to a natural person, who is identified by name, although it does not apply to legal analysis: (Joined Cases C-141/12, C-372/12) YS v Minister voor Immigratie. A person’s name and salary also amounts to “personal data”: (C-465/00) Rechnungshof v Ősterreichischer Rundfunk [2003] 3 CMLR 10. An image of a person recorded by a camera is also his personal data: (Case C-212/13) Ryneš v Úřad pro ochranu osobních údajů [2015] 1 WLR 2607 at [22]. Mr Pitt-Payne submitted, and again I agree, that these cases are concerned with the “identifiability” limb of the definition.
The question what amounts to “personal data” has also been considered in a number of domestic cases. The first of significance is Durant v Financial Services Authority [2003] EWCA Civ 1746, [2004] FSR 28. Following unsuccessful litigation against Barclays Bank Mr Durant made a complaint to the FSA. That too was unsuccessful. He then made a SAR with which the FSA partially complied. However, the FSA refused to reveal information in four categories of file, some of which contained references to Mr Durant. The leading judgment was that of Auld LJ. He considered that the question of the scope of the definition of “personal data” turned on the meaning of the phrase “relate to” in the phrase “data which relate to a living individual”: see [24]. Thus Auld LJ was not concerned with the question whether Mr Durant could be identified from the data. If his name was mentioned, clearly he could be. What was at issue was whether the data “related to” him. At [27] he referred to the purpose of section 7 as being to enable a data subject to check whether the data controller’s processing of his personal data unlawfully infringes his privacy. It was not “an automatic key to any information … in which he may be named or involved.” He also pointed out the focus of the DPA on ready accessibility of information. He concluded at [28]:
“Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data. Whether it does so in any particular instance depends on where it falls in a continuum of relevance or proximity to the data subject as distinct, say, from transactions or matters in which he may have been involved to a greater or lesser degree. It seems to me that there are two notions that may be of assistance. The first is whether the information is biographical in a significant sense, that is, going beyond the recording of the putative data subject's involvement in a matter or an event that has no personal connotations, a life event in respect of which his privacy could not be said to be compromised. The second is one of focus. The information should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest, for example, as in this case, an investigation into some other person's or body's conduct that he may have instigated. In short, it is information that affects his privacy, whether in his personal or family life, business or professional capacity.”
Mummery LJ simply agreed with Auld LJ and Buxton LJ began his concurring judgment by saying that he, too, agreed with Auld LJ. In my judgment the view expressed by Auld LJ corresponds closely with the view expressed by Advocate General Sharpston in YS v Minister voor Immigratie at [55]:
“I am not convinced that the phrase “any information relating to an identified or identifiable natural person” in Directive 95/46 should be read so widely as to cover all of the communicable content in which factual elements relating to a data subject are embedded.”
Edem v The Information Commissioner [2014] EWCA Civ 92 was another case of a complaint to the FSA. Mr Edem complained that the FSA had inadequately regulated a financial institution. He wanted to know the names of the officials who had dealt with his complaint. He applied for this information under the Freedom of Information Act 2000. The FSA refused to disclose the names on the ground that the names were the “personal data” of the officials in question within the meaning of the definition in the DPA (which was imported into the Freedom of Information Act). At [13] Moses LJ said that there was ample authority that “a person's name, in conjunction with job-related information, is their personal data.” Moses LJ then turned to the question why the FTT had reached a contrary conclusion. They had applied the two “notions” which Auld LJ had described in Durant at [28], but Moses LJ held that they were wrong to do so, adding: “There is no reason to do so. The information in this case was plainly concerned with those three individuals.” He also approved the following statement in the Information Commissioner’s Guidance:
“It is important to remember that it is not always necessary to consider ‘biographical significance’ to determine whether data is personal data. In many cases data may be personal data simply because its content is such that it is ‘obviously about’ an individual. Alternatively, data may be personal data because it is clearly ‘linked to’ an individual because it is about his activities and is processed for the purpose of determining or influencing the way in which that person is treated. You need to consider ‘biographical significance’ only where information is not ‘obviously about’ an individual or clearly ‘linked to’ him.”
Beatson and Underhill LJJ agreed. I do not see any conflict between these two cases. What Mr Edem wanted was a specific piece of information, namely the names of the officials who dealt with his case. The question was whether the three officials were identifiable from these data. Plainly they were. What Mr Durant wanted was any document in which he was mentioned. His error was the submission that the contents of any document in which he was mentioned were, without more, his personal data. It is the context in which these two requests were made that explains the difference in outcome between the two cases (although I observe that in both cases disclosure was refused). I agree with both Mr Pitt-Payne and Mr Milford, for the Information Commissioner, that the fact that in Durant Mr Durant was asking for information about himself, and that in Edem Mr Edem was asking for information about third parties is irrelevant to the definition of “personal data”. HHJ Harris QC was wrong to think otherwise.
In addition to the categories of data which I have thus far considered, it seems to me that a person’s whereabouts on a particular day or at a particular time may also amount to that person’s personal data. Those data may be highly relevant, for example in calculating sick pay or holiday pay, or in the investigation of crime.
That said, it is necessary to consider whether the interpretation of “personal data” in any given case would serve the purpose of the Directive. Thus in YS vMinister voor Immigratie the court justified its conclusion that legal analysis was not “personal data” by saying at [46]:
“… extending the right of access of the applicant for a residence permit to that legal analysis would not in fact serve the Directive's purpose of guaranteeing the protection of the applicant's right to privacy with regard to the processing of data relating to him, but would serve the purpose of guaranteeing him a right of access to administrative documents, which is not however covered by Directive 95/46.”
There is one further point to be made at this stage. Information is not disqualified from being “personal data” merely because it has been supplied to the data controller by the data subject. On the contrary, one would expect that much of the data processed by a data controller will have been supplied by the data subject himself, for instance in an application form. One of the subject access rights is a right to know to whom personal data have been disclosed, and this may be of considerable importance in a case in which the personal data have been supplied by the data subject himself.
Who is a data controller?
A data controller is a person who makes decisions about how and why personal data are processed. It is clear from the terms of section 7 (1) (a) that the data controller is responsible for persons who process data on his behalf. Thus it follows that a person who processes data as agent for a data controller is not himself a data controller in respect of those data. Even where decisions about data are taken by natural persons, they will not themselves be data controllers if those decisions are made as agents of a company of which they are directors: Re Southern Pacific Personal Loans Ltd [2013] EWHC 2485 (Ch); [2014] Ch 426 at [19].
On the other hand, if they are processing personal data on their own behalves they will be data controllers as regards that processing and those data. The question may then arise whether they are entitled to one or more exemptions under the DPA.
The exemption for personal and household processing
The court touched on this question in Lindqvist, which concerned information posted on the internet about parishioners in Sweden. The court said:
“[47] That exception must therefore be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people.”
On the facts of that case the court’s observations are of limited help on this question. The scope of the exemption arose again in Ryneš v Úřad. Mr Ryneš had installed a video surveillance camera outside his house which recorded activities in the public road. His reason for doing so was that his home had been attacked, and in the event the video images did capture images of two vandals. Advocate General Jääskinen said at [51] that “household activities” could take place outside the home. However, he pointed out at [53] that the exception applied only if the link between the data and household activities was “an exclusive one”. In essence the court accepted his analysis, but importantly they added at [32] that correspondence was a purely personal or household activity “even if they incidentally concern or may concern the private life of other persons”. The court thus decided that the fact that the video surveillance captured images of people in the public road went beyond the boundaries of the exception.
Mr Coppel QC, for Mr Ittihadieh, argued that the exception applied only to matters which went on inside the data controller’s own household and did not apply to his interaction with the wider world. Thus to the extent that a resident in a block of flats communicates with his neighbours about matters of mutual concern or interest about the state or administration of the block, any personal data processed in that communication falls outside the scope of the exception.
In my judgment this is too narrow a view of the scope of the exclusion. First, Mr Coppel’s interpretation would, for example, mean that if an individual e-mailed a friend asking for a recommendation for a plumber to carry out work at home any recommendation would contain personal data of both the plumber and also the friend (whose opinion would itself be personal data). Second, this interpretation is narrower that that adopted by the court in Ryneš. Third,a requirement on an individual to provide personal data relating to his household affairs under a SAR is itself an intrusion into that person’s privacy. In Lindqvist the court said:
“[87] … it is for the authorities and courts of the member states not only to interpret their national law in a manner consistent with Directive 95/46 but also to make sure they do not rely on an interpretation of it which would be in conflict with the fundamental rights protected by the Community legal order or with the other general principles of Community law, such as inter alia the principle of proportionality…
[89] It is for the referring court to take account, in accordance with the principle of proportionality, of all the circumstances of the case before it, in particular the duration of the breach of the rules implementing Directive 95/46 and the importance, for the persons concerned, of the protection of the data disclosed.”
It follows, in my judgment, that in construing the scope of the personal and household exemption, the balance must be struck between two competing entitlements to privacy: that of the data subject and that of the individual data controller. This in turn informs the scope of the personal and household exemption. It is not necessary to attempt to draw the line. But wherever the line is drawn I consider that activities relating to the management of a private block of flats in which the putative data controller resides (including the processing of his neighbour’s personal data in so far as they concern matters arising from or relating to the management of that block) fall within the scope of the exemption because they directly concern his private life and also directly concern his household.
In addition, as Mr Hopkins pointed out on behalf of the RTM company and the other respondents, if an individual cannot rely on this exclusion he is prohibited from processing any personal data without registering with the Information Commissioner and, if he fails to do so, he is guilty of a criminal offence. We must be cautious about criminalising what, for many people, are their ordinary activities.
The form of a SAR
The DPA does not lay down any prescribed form for making a SAR. Section 7 (2) provides that a data controller is not obliged to supply any information under section 7 (1) unless:
“he has received
(a) a request in writing, and
(b) … such fee (not exceeding the prescribed maximum) as he may require.”
It is rightly common ground that neither payment of a fee nor an inquiry of the data controller about what fee (if any) he might require is a pre-condition of the making of a valid SAR, and that to the extent that HHJ Seymour QC thought otherwise he was wrong. It is up to the data controller to require a fee if he chooses to do so. The only pre-condition, then, is that the data controller must have “received … a request in writing.” As a matter of ordinary English, at least in this context, a “request” is a communication which asks someone to do something. In this context, “writing” includes electronic transmission: DPA section 64 (2). So a SAR may be made by e-mail or even via social media sites such as Facebook or Twitter.
A written communication must be interpreted by reference to the usual principles that the court applies in interpreting any written communication; and it must be read fairly and as a whole. Since a “request” may be made informally (albeit in writing) exacting standards of precision would be inappropriate: compare Independent Parliamentary Standards Authority v Information Commissioner [2015] EWCA Civ 388, [2015] 1 WLR 2879 at [56]. However, in order for a written communication to fall within the statutory description of a “request” it must, in my judgment, make it clear that the recipient of the request is being called upon to comply with the statutory duty under section 7 (1) in his capacity as data controller.
Whether a written communication does this is, in my judgment, a question of interpretation; and questions of interpretation of written documents are classified in English law as being themselves questions of law. I would not accept the analogy with Moyna v Secretary of State for Work and Pensions [2003] UKHL 44, [2003] 1 WLR 1929 (which concerned an appeal from a specialist tribunal) that this court, on appeal from a decision of the High Court, should not form its own view. Typically, an appeal from a specialist tribunal is limited to an appeal on a question of law: but an appeal from a decision of the High Court is not so limited. There is no legitimate comparison between the two.
The purpose of the SAR
The underlying purpose of the right of access to personal data is for the data subject to check the accuracy of the data and to see that they are being processed lawfully. The first place where this point is made is in recital (41) which I have quoted. In Rotterdam v Rijkeboer the court said at [49]:
“That right to privacy means that the data subject may be certain that his personal data are processed in a correct and lawful manner, that is to say, in particular, that the basic data regarding him are accurate and that they are disclosed to authorised recipients. As is stated in recital 41 in the preamble to the Directive, in order to carry out the necessary checks, the data subject must have a right of access to the data relating to him which are being processed.”
The court repeated this in YS vMinister voor Immigratie at [44]. Auld LJ made a similar point in Durant at [27]. In the same case Buxton LJ said at [79]:
“The guiding principle is that the Act, following Directive 95/46, gives rights to data subjects in order to protect their privacy. That is made plain in recitals (2), (7) and (11) to the Directive, and in particular by recital (10)…”
In Johnson v Medical Defence Union [2007] EWCA Civ 282, (2007) 96 BMLR 99 at [1] he said that the protection of privacy was the “central mission” of the Directive; and at [16] that it was not easy to extract any other purpose from it.
It is, however, true that as the Information Commissioner submits, the right of access under section 7 of the DPA is not subject to any express purpose or motive test. Nor is a data subject required to state any purpose when making a SAR.
It has been suggested, based on Durant, that the making of a SAR for a collateral purpose such as to obtain documents for the purposes of litigation entitles the data controller to refuse to comply with the request. An alternative way of putting the point is that it is disproportionate to require him to do so in such circumstances. I do not consider that this is a valid objection. First, the target of a SAR is not documents; it is information. I return to this point below. Second, in principle the mere fact that a person has collateral purposes will not invalidate a SAR, or relieve the data controller from his obligations in relation to it, if that person also wishes to achieve one or more of the purposes of the Directive: compare Iesini v Westrip Holdings Ltd [2009] EWHC 2526 (Ch), [2011] 1 BCLC 498 at [119] to [121]. Third, there is now a considerable body of domestic case law which recognises that it is no objection to a SAR that it is made in connection with actual or contemplated litigation: Ezsias v Welsh Ministers [2007] EWHC B15 (QB), [2007] All ER (D) 65 (Dec) at [51]; Dunn v Durham CC [2012] EWCA Civ 1654, [2013] 2 All ER 213 at [16]; Kololo v Commissioner of Police of the Metropolis [2015] EWHC 600 (QB), [2015] 1 WLR 3702 at [35] to [36]; Zaw Lin v Commissioner of Police of the Metropolis [2015] EWHC 2484 (QB) at [114]; Guriev v Community Safety Development (UK) Ltd [2016] EWHC 643 (QB) at [72].
Fourth, section 27 (5) of the DPA provides that apart from exemptions contained in the DPA itself, the subject information provisions prevail over any other enactment or rule of law.
Fifth, there is a sufficient safety net in the form of the EU doctrine of “abuse of rights”. This is a principle of interpretation of EU legislation which applies across the board: for example to commercial activities, the common agricultural policy, marriages of convenience, VAT planning and so on. The topic is the subject of a comprehensive discussion by Advocate General Poiares Maduro in (Joined Cases C-255/02 and C-223/03) Halifax plc v Customs and Excise Commissioners [2006] Ch 397 at [62] to [71], and by the Supreme Court in HMRC v Pendragon plc [2015] UKSC 37, [2015] 1 WLR 2838. This court expressed a similar view in Dawson-Damer at [109] by reference to the domestic principle of abuse of process. I do not think that there is much difference between the two approaches in this context.
Finally, the point is now put beyond doubt by the recent decision of this court in Dawson-Damer at [108].
In some cases, it has been said that the supply of information does not tell the data subject anything he or she did not already know. In many cases that would miss the point. To take a simple example: everyone knows their own name and date of birth. A data subject may well make a SAR, not for the purpose of discovering his name or date of birth, but for the purpose of checking whether the data controller has correctly recorded them. A data subject will know his own address, and may make a SAR in order to discover to whom the data controller has disclosed those data. Likewise a data subject may ask for information about a particular meeting that he or she attended, not for the purpose of finding out what happened at the meeting (which is already known), but for the purpose of checking the accuracy of any personal data recorded in a note of the meeting. It is thus not necessarily an answer to a SAR to say that the data subject already knows what happened at the meeting. However, the case is different where the only relevant personal data are contained in a particular document (or documents) and that document has (or those documents have) been provided to the data subject. In a case in which the document or documents have already been provided otherwise than under a previous SAR the fact that they have already been provided may go to the exercise of the court’s discretion under section 7 (9). Moreover where the focus of a SAR is (as is often the case) a request for copies of documents rather than personal data, the fact that the data subject was either the author or recipient of the document in question would also be highly relevant to the exercise of discretion.
Form of response to a SAR
The first requirement in section 7 is for the data controller to say “whether” personal data of which the requester is the data subject “are being processed” by or on behalf of the data controller. In principle, that question can be answered “Yes” or “No”. The remaining duties apply only if that question is answered “Yes”. In the present case the fact that those remaining duties depend on an affirmative answer to the question is of significance in understanding the SAR that Mr Ittihadieh made.
The obligation under section 7 (1) (b) is not an obligation to supply personal data: it is an obligation to provide a description of the personal data. The description might, for example, say that the data controller has processed the data subject’s name and address, date of birth, wage record, educational qualifications and so on.
The obligation under section 7 (1) (c) includes an obligation to communicate in intelligible form “the information constituting any personal data of which the individual is the data subject”. This goes further than section 7 (1) (b) which requires a description of the personal data. It is an obligation to supply the information itself. Even so, it is not an obligation to supply documents: Dunn v Durham CC [2012] EWCA Civ 1654, [2013] 2 All ER 213 at [16]. It is of critical importance to distinguish between the two. Although it may be more convenient and cheaper in some cases for a data controller to supply copy documents, there is no legal obligation to do so. It is very easy, however, to slip from dealing with personal data into dealing with electronically generated or stored documents in which personal data are recorded. It seems from many of the reported cases (as well as these two appeals) that individuals who make SARs are, in truth, looking for copy documents. They are in my judgment aiming at the wrong target. This ties in with the definition of “personal data”. Accepting as I do that a person’s name is his personal data, it does not follow that every piece of information in a document in which his name appears is his personal information. In such a case it would, in my judgment, be enough for the data controller to inform the data subject that, for instance, his name is consistently recorded as “Charles Pooter” and his address as “The Laurels, Brickfield Terrace, Holloway” in a specified number of documents between particular dates. There would be no obligation to disclose the documents themselves. This is, I think, borne out by article 12 of the Directive which requires the data controller to inform the data subject of the “categories of data concerned”.
On the other hand, the mere supply of copy documents may not be enough to comply with all the requirements of section 7 (1). For example it may not be apparent from copy documents to whom the personal data have been disclosed (see section 7 (1) (b) (iii)); or the source of the personal data in question (see section 7 (1) (c) (ii)).
Proportionality of search
Although neither article 12 of the Directive nor section 7 of the DPA contain any express obligation on the data controller to search for personal data in response to a SAR, it is common ground that such an obligation must necessarily be implied. In Dawson-Damer at [71] to [79] this court concluded that the obligation to search derived from section 8 (2); but since section 8 applies only for the purpose of compliance with section 7 (1) (c) (i), if section 7 does not apply, section 8 cannot either. I cannot help thinking, however, that both the Directive and the DPA have, as an underlying assumption, the assumption that personal data can be sufficiently retrieved and made ready for disclosure to the data subject at the touch of a few buttons. Experience shows that this assumption is fundamentally unsound.
There are nevertheless indications in the Directive that the EU legislature did not intend to impose excessive burdens on data controllers. First, there is the description in the recitals of the kinds of systems to which the Directive applies:
“(15) Whereas the processing of such data is covered by this Directive only if it is automated or if the data processed are contained or are intended to be contained in a filing system structured according to specific criteria relating to individuals, so as to permit easy access to the personal data in question
(27) … whereas, nonetheless, as regards manual processing, this Directive covers only filing systems, not unstructured files; whereas, in particular, the content of a filing system must be structured according to specific criteria relating to individuals allowing easy access to the personal data…”
Second, in considering the scope of a member state to lay down time limits for the retention of personal data, the court in Rotterdam v Rijkeboer applied the principle of proportionality: see [60] to [66]. Likewise in Lindqvist the court applied the principle of proportionality to a conflict between privacy on the one hand and freedom of expression on the other. In (Case C-582/14) Breyer v Bundesrepublik Deutschland at [46] in considering whether an individual was likely to be capable of being identified from particular data, the court held that this meant capable without disproportionate effort.
Third, as Mr Milford correctly pointed out, the principle of proportionality is a general principle of EU law: (Joined Cases C-27/00 and C-122/00) R (Omega Air Ltd) v Secretary of State for the Environment Transport and the Regions [2002] ECR I-2569 at [62]; and the court treated it as such in Lindqvist.
Fourth, in Ezsias v Welsh Ministers at [93] Judge Hickinbottom held that on receipt of a SAR, a data controller must take reasonable and proportionate steps to identify and disclose the data he is bound to disclose. In my judgment he was right. He also considered at [94] that some context for deciding whether a search is reasonable and proportionate was given by the amount of the fee payable (£10 in most cases) and by a public authority’s ability to refuse to comply with a SAR where the costs of doing so would exceed £600. However, the fee of £10 payable in the general run of cases is in my view derisory; and I think that it would be very dangerous to give it any significant weight in deciding whether a search has been reasonable and proportionate.
As mentioned, section 8 (2) of the DPA entitles a data controller not to supply a copy of the information in in permanent form if to do so would involve disproportionate effort. However, there is no express provision of the DPA which relieves a data controller from the obligation to supply the information required by section 7 (1) on the ground that it would be disproportionate to do so. In my judgment, while the principle of proportionality cannot justify a blanket refusal to comply with a SAR, it does limit the scope of the efforts that a data controller must take in response. That was also the conclusion of this court in Dawson-Damer at [76] and [77].
In this connection, it is pertinent to point out that in the case of a wide-ranging SAR, a simple search of a computerised system (for instance a server, or a personal e-mail account) by reference to the surname or forename of the data subject is highly likely to reveal a mass of material, particularly if the search terms are used disjunctively. If the data subject has a common name, say “Smith” or “Patel,” the search may retrieve data which have nothing to do with the data subject at all. It may then be necessary to refine the search, or it may be necessary for a human being to review the material to decide whether the named individual is indeed the data subject. Even where the retrieved data do mention the data subject, much of that material is likely to contain personal data of individuals other than the data subject. Under section 7 (4) of the DPA the data controller is not entitled to disclose those data without the consent of that other individual, unless it is reasonable in all the circumstance to disclose it without that consent. It follows that the mere retrieval of the personal data of the data subject is only the first stage in compliance with the SAR. Moreover, whether it is reasonable to disclose information about another individual is an evaluative judgment which must, as it seems to me in the current state of technology, be carried out by a human being rather than by a computer.
Where documents are covered by legal professional privilege the combined effect of sections 27 (2) and Schedule 7 paragraph 10 of the DPA means that the “subject information provisions” do not apply. Those provisions include section 7. Since an implied obligation to search arises only by reason of section 7 as amplified by section 8 (2), it follows, in my judgment, that there is no obligation to search for material covered by legal professional privilege in proceedings within the UK. This is consistent with the conclusion of this court in Dawson-Damer at [45] that the legal professional privilege exception relieves the data controller from what would otherwise be his obligation to comply with the SAR. Plainly, this only applies to the extent that personal data are covered by legal professional privilege. If some personal data are covered by legal professional privilege and others are not, the data controller will have to carry out a proportionate search to separate the two: Dawson-Damer at [83]. In addition data may be exempt under one or more of the other exemptions in Schedule 7 to the Act; and once again the question whether they are is a matter of evaluative judgment which must be carried out by a human being.
There is one further point to be made under this head. Because the implied obligation to search is limited to a reasonable and proportionate search (or as Mr Milford put it, it is not an obligation to leave no stone unturned), the result of such a search does not necessarily mean that every item of personal data relating to an individual will be retrieved as a result of such a search. There may be things lurking beneath another stone which has not been turned over. Accordingly the mere fact that a further and more extensive search reveals further personal data relating to that individual does not entail the proposition that the first search was inadequate.
Discretion
In Durant at [74] Auld LJ considered, obiter, the scope of the discretion under section 7 (9) of the DPA. He described it as “general and untrammelled.” Although he said that this view was supported by Lindqvist at [83] and [88] it seems to me that the court in those paragraphs was dealing with a different question. Since the decision in Durant on the ambit of the discretion was obiter we are not bound by it.
I am bound to say that I have difficulty with the notion that a discretion conferred upon the court by legislation is “general and untrammelled”. A discretion conferred upon the court by legislation is conferred upon the court for a purpose. When the court is called upon to exercise that discretion it must do so in furtherance of the purpose for which it is conferred. The discretion under section 7 (9) only arises if the court is satisfied that the data controller has failed to comply with his obligations under section 7. So the starting point for the exercise of the discretion is that there has been a breach of duty. That precedent fact must, in my judgment, have a significant bearing on the way in which the court exercises its discretion. I would, therefore, respectfully disagree with Auld LJ’s obiter observations. In my judgment the tentative approach of Cranston J in Roberts v Nottinghamshire Healthcare NHS Trust [2008] EWHC 1934 (QB), [2009] PTSR 415 at [13] and the observations of Green J in Zaw Lin v Commissioner of Police for the Metropolis [2015] EWHC 2484 (QB) at [98] encapsulate the better approach. As Green J put it:
“If Parliament had intended to confer such a broad residual discretion on the court then, in my view, it would have used far more specific language in section 7(9) than in fact it did. In any event I do not understand the observations in the authorities referred to above to suggest that if I find that the MPS has erred that I should simply make up and then apply whatever test I see fit. If I find an error on the part of the MPS such that I must form my own view then I should do in accordance with the principles set out in the DPA 1998 and taking account of the relevant background principles in the Directive and the Convention. My discretion is unfettered by the decision that has gone before, and which I find unlawful, but I cannot depart from Parliament's intent.”
Likewise in Guriev v Community Safety Development (UK) Ltd [2016] EWHC 643 (QB) Warby J said at [61]:
“…the discretion to enforce will ordinarily be exercised in favour of a claimant who has made a valid SAR, in the absence of a good reason not to. That seems right to me. It would be consistent with a recognition that what is at stake is a fundamental right.”
However, that said, in exercising its discretion the court must have regard to the general principle of proportionality which runs through EU law. The court made this clear in Lindqvist at [88]:
“Whilst it is true that the protection of private life requires the application of effective sanctions against people processing personal data in ways inconsistent with Directive 95/46, such sanctions must always respect the principle of proportionality. That is so a fortiori since the scope of Directive 95/46 is very wide and the obligations of those who process personal data are many and significant.”
At [90] the court added that it was for courts responsible for applying the national legislation implementing the Directive to “ensure a fair balance” between the rights and interests in question. There is, therefore, a balance to be struck between the prima facie right of the data subject to have access to his personal data on the one hand, and the interests of the data controller on the other.
In striking that balance there are many factors that the court may take into account. What follows is not intended to be prescriptive: it is merely a description of some of the relevant factors. In this connection it is pertinent to recall the observations of Millett LJ, albeit in a very different context, in Jaggard v Sawyer [1995] 1 WLR 269, 288:
“Reported cases are merely illustrations of circumstances in which particular judges have exercised their discretion… Since they are all cases on the exercise of a discretion, none of them is a binding authority on how the discretion should be exercised. The most that any of them can demonstrate is that in similar circumstances it would not be wrong to exercise the discretion in the same way. But it does not follow that it would be wrong to exercise it differently.”
One relevant factor is whether there is a more appropriate route to obtaining the requested information, such as by disclosure in legal proceedings: Ezsias at [102]; DB v The General Medical Council [2016] EWHC 2331 (QB) at [77]. A second is the nature and gravity of the breach. If it is trivial that may be a good reason for refusing to exercise the discretion in favour of the data subject: R (Catt) v ACPO [2015] UKSC 9, [2015] AC 1065 at [13] (compare R (Champion) v North Norfolk DC [2015] UKSC 52, [2015] 1 WLR 3710 at [54] “the court retains a discretion to refuse relief if the applicant has been able in practice to enjoy the rights conferred by European legislation, and there has been no substantial prejudice”). Another is the reason for having made the SAR. While the absence of a stated reason does not in itself invalidate the SAR, the absence of a legitimate reason has a bearing on the exercise of the court’s discretion (DB v The General Medical Council at [59]) even though a collateral purpose of assisting in litigation is not an absolute bar: Dawson-Damer at [112]. If the application is an abuse of rights, for example where litigation is pursued merely to impose a burden on the data controller, that would be a relevant factor. Likewise where the application is procedurally abusive (as, for example, where it has failed before). Whether the real quest is for documents rather than personal data is also relevant. If the personal data are of no real value to the data subject, that too may be a good reason for refusing to exercise the discretion in his favour: Zaw Lin at [125]. Dawson-Damer at [77] confirms that the “potential benefit” to the data subject is relevant to the question whether a proportionate search has been carried out and, by parity of reasoning, the same must be true of the court’s exercise of its discretion. If the data subject has already received the data or the document in which they are contained otherwise than under a previous SAR, that too may be a reason for refusing to exercise the discretion in his favour. On the other hand, where it is clear that the data subject legitimately wishes to check the accuracy of his personal data that will be a good reason for exercising the discretion in his favour: Kololo at [35]. If there are no material factors other than a SAR in valid form and a breach of the data controller’s obligation to conduct a proportionate search, then the discretion will ordinarily be exercised in favour of the data subject: Dawson-Damer at [114].
The effect of Mr Ittihadieh’s SAR
Mr Coppel QC argued that Mr Ittihadieh’s SAR was not simply a SAR made to the RTM company but it was also a SAR addressed to the individual directors and to the company secretary personally. He emphasised the fact that the SAR was not only addressed to “The Directors” of the RTM company but also stated in terms that it was “sent to” the directors and company secretary, whose names were given in the heading to the letter. He submitted that the judge had adopted too stringent a test in posing the question whether the SAR was “directed to” the individuals. The only questions were (i) was the document a SAR and (ii) if so, did the individuals receive it?
I do not consider that this is the right approach. The question, to my mind, is whether the SAR asked the individuals to do something as data controllers. As Mr Hopkins rightly submitted a SAR made to the RTM company would necessarily require the company to provide information about personal data processed on its behalf; and that would include information processed by its directors and company secretary when acting on behalf of the company.
The SAR was contained in a careful and professionally written letter. The relevant part began by stating that the RTM company was holding personal information about Mr Ittihadieh. It did not assert that anyone else was holding such information. It continued by asking “whether the RTM Company or anyone acting on its behalf is processing personal data (including emails) about our client”. This is the question posed by section 7 (1) (a); and it was clearly asked of the RTM company alone. Any further duty under section 7 would arise only if the RTM company answered that question affirmatively. I agree with Mr Hopkins that the inclusion of “anyone acting on its behalf” simply reflects the responsibility of the RTM company as data controller. The next sentence in the SAR begins “for the avoidance of doubt”. It is clearly not a separate SAR: it merely explains the scope of the SAR made to the RTM company. This is borne out by the reference to the £10 fee which the writer expects will be forwarded “to you”. The “you” must mean the RTM company as the entity in whose favour the cheque was drawn. It must equally follow that the request that “you” confirm whether or not data were being processed was addressed equally to the RTM company alone.
Mr Coppel relied in particular on the statement in the SAR that:
“we expect this to include personal data processed by [the named respondents] personally acting in their capacity as directors or company secretary of the RTM Company or otherwise in the RTM Company’s business.”
The argument was that this request covered three types of processing: (a) personally; (b) in their capacity as directors; and (c) otherwise in the RTM company’s business. To my mind this is a very strained reading of that sentence in the context of what both preceded it and followed it in the SAR. What I think the reasonable reader would have understood by this sentence is that the RTM company was being asked to include in its response data personally processed by the named respondents either in their capacity as directors or otherwise in the course of the RTM company’s business. In other words the sentence should be read as if there had been a comma after the word “personally”. As McCombe LJ suggested in argument “personally” is an adverb qualifying “processed”. It was common ground that any data processed by the named respondents in their capacity as directors of the RTM company were data for which the RTM company (rather than the named respondents) was the data controller. Despite Mr Coppel’s valiant attempts I am still mystified about the distinction he sought to draw between data processed by the named respondents as directors and data processed by them “otherwise in the course of the RTM Company’s business.” If the named respondents processed personal data in the course of the RTM’s business, it seems to me that the RTM company, rather than the named respondents, would be the relevant data controller.
Mr Coppel also relied on subsequent correspondence. He pointed out, correctly, that Stitt & Co referred to “our clients.” However it is common legal usage to refer to a corporate client in the plural, so this point goes nowhere. When Stitt & Co complained about the effort involved it is noticeable that the complaint was that it would involve “the RTM Company” in unnecessary expense. No complaint was made on behalf of the individuals. Mr Coppel also pointed to the fact that the letter containing the SAR made allegations of discrimination against the directors personally. So it did, but that goes only to show that the writer was well able to distinguish between claims made against the RTM company on the one hand, and the directors on the other. None of this, in my judgment, alters the scope of the SAR.
Accordingly, in my judgment Mr Ittihadieh did not make a SAR to the named respondents (other than the RTM company) and HHJ Seymour QC was therefore right to dismiss the claim against them.
The Alireza file: procedural irregularity
The essential complaint under this head is that HHJ Seymour QC reached final conclusions on the extent to which the Alireza file was exempt from disclosure by reason of section 36 of the DPA on the basis of his lunchtime reading and without the benefit of oral submissions from Mr Coppel.
It is of course well-settled that fairness requires that a party has an opportunity to put his case and that a judge is duty bound to listen to oral submissions (even where he has had the benefit of a written skeleton argument) before reaching a final conclusion: Labrouche v Frey: Practice Note [2012] EWCA Civ 881, [2012] 1 WLR 3160; Re S-W (Children) [2015] EWCA Civ 27, [2015] 1 WLR 4099. That principle does not, however, prevent a judge from reaching provisional views or conclusions provided that he gives the party who would be disadvantaged by that conclusion a fair opportunity to change the judge’s mind. Lord Neuberger MR put it thus in Labrouche v Frey at [23]:
“… the judge could (i) begin by saying that, having read the papers, his provisional view was that the application should be rejected on one of the many grounds raised by the respondent, (ii) then give the applicant a fair opportunity to disabuse him of this view through oral argument, and (iii) if the judge was unpersuaded by that argument, end the hearing by giving judgment for the respondent on the ground in question.”
At [41] he added:
“… if, before coming into court, a judge has formed a preliminary view on some or all the points at issue, there is nothing wrong with his expressing that view to the parties, provided that he makes it clear that it is only a provisional view and that he will give, and then does give, them (or at least the party he is provisionally against) the opportunity to try and dissuade him from his view.”
The discussion of section 36 began at page 61 of the transcript of the hearing before HHJ Seymour QC. Mr Coppel referred to guidance given by the Information Commissioner and also to a passage from Cranston J’s judgment in Roberts. Mr Hopkins explained briefly what his clients’ position was. This part of the transcript occupies some seven pages. Mr Coppel then invited the judge to look at the disputed documents, in the exercise of the court’s power under section 15 (2) of the DPA. He then said to the judge:
“Your Lordship sees the arguments we make, your Lordship brings an independent determination to give the assurance that it has been done properly.”
Mr Hopkins then invited the judge to read part of his skeleton argument, which the judge did. The judge then asked whether he should accept the invitation to read the disputed material; and Mr Coppel replied that he should “definitely accept it.” He added:
“Your Lordship looks at the material and decides for himself.”
The judge’s understanding of what he was being asked to do was this:
“I am being asked to consider the Alireza file over lunch and express views on that once I have done so.”
The judge read the material over the lunch adjournment. When he came back into court for the afternoon session he said that it was appropriate “to say something about the conclusions which I have reached having read that file.” He then set out his conclusions over the next few pages of the transcript. Mr Coppel protested that he had not addressed the judge on two of the issues, to which the judge replied:
“I was not seeking to foreclose you, I simply thought that it would be helpful to you and Mr Hopkins, as I said I would look at the Alireza file over the short adjournment for me to say that I had done so and those were the conclusions to which I had come.”
Mr Coppel again complained about the word “conclusions”; but the judge made it clear at page 89 of the transcript that he had given his explanation:
“… in sufficient detail for you to be able to make submissions about it so that I could receive any submissions that you want to make.”
Mr Coppel then proceeded to make submissions. He was followed by Mr Hopkins, and Mr Coppel replied.
This is not a case in which the judge refused to hear argument. Not only was there a short statement of the parties’ respective positions before he carried out his reading, he also entertained submissions from both parties after he had carried out that task. It was perhaps unfortunate that in explaining where he had reached the judge did not insert the adjective “provisional” before “conclusions”; but it is clear from later parts of the transcript that he said what he did for the very purpose of enabling Mr Coppel to make such submissions as he thought fit. I do not consider that the judge’s conduct amounted to a procedural irregularity which has caused injustice.
The exemption and the judge’s discretion
At [38] HHJ Seymour QC held that the “overwhelming probability” was that all the documents he had reviewed fell within the exemption for processing for personal and household affairs. He also held at [38] and [40] that it would be “wholly disproportionate” to require a search for the purpose of proving whether there were any data that fell outside that exemption or to conduct a further search to find more documents than the 400 that had already been produced. The exercise of his discretion was firmly based on proportionality, which is undoubtedly a relevant consideration. In my judgment he was entitled to reach that conclusion. The judge also said at [44] that there were indications that Mr Ittihadieh had been using the proceedings “to bully” the respondents. That would have been another valid reason for refusing to exercise his discretion in Mr Ittihadieh’s favour.
Transfer to county court
The final matter of which Mr Ittihadieh complains is that HHJ Seymour QC exercised his case management power under section 41 of the County Courts Act 1984 to transfer what was left of the claim to the county court. After the judge’s decision on the other points, what was left was Mr Ittihadieh’s claim for compensation, both by way of damages and distress. The judge took the view that it was unlikely that Mr Ittihadieh would succeed in making a substantial recovery under either head; and thought that the case could best be dealt with in the county court.
I found it difficult to understand this ground of appeal. Mr Coppel accepted that the county court had both the jurisdiction and the competence to deal with Mr Ittihadieh’s money claim. He did not suggest that there was any substantive reason why the claim should not proceed in the county court. What he objected to was the judge’s view that Mr Ittihadieh was unlikely to recover very much. But that was not something the judge decided. There is no issue estoppel between the parties. The appeal, as Mr Coppel accepted, is an appeal against the judge’s order, not against his reasons. I can see nothing wrong with the decision to transfer the case to the county court. It will be for the county court to decide how much compensation (if any) should be awarded to Mr Ittihadieh.
Result of Mr Ittihadieh’s appeal
I would therefore dismiss Mr Ittihadieh’s appeal.
Dr Deer’s SAR
At first blush Dr Deer’s SAR was very wide-ranging, and in some respects appeared to go beyond what she was entitled to under the DPA. In many cases, for example, the request was a request for documents rather than a request for personal data. Thus item 1 asked for “any communication concerning the agreement to provide me with a reference”. Item 5 asked for “all documents relating to the eventual supply of a reference to Merton College including the reference itself”. Item 6 asked for “notes and minutes of any meetings, telephone conversations etc” relating to a sex discrimination questionnaire. Item 8 asked for “any records of facts that might have harmed Professor Walford’s case/ any of the University’s cases which have not been disclosed to me”. Item 8 also asked for “all paper documents including all manuscript notes.” Item 9 asked for data contained in the e-mail account of any employee of Nabarro LLP who were the University’s solicitors.
The apparent width of the request was, however, tempered by the statement in the SAR:
“Once you have identified personal data within the scope of this request please provide a copy of the information constituting personal data…”
Oxford University’s initial response to the SAR
As I have said, the University’s initial response to the SAR was that it was an improper attempt to use the DPA as a proxy for disclosure for the purposes of the ET proceedings, relying on Durant. It refused access to data on seven of the nine grounds on the same basis. For reasons I have explained this was not a good ground for refusing to comply with the SAR. The University maintained this stance between October 2010 and September 2013. In September 2013 the University disclosed to Dr Deer information that had been withheld from her in reliance on Durant. Although Mr Williams QC, for Dr Deer, said that the University had abandoned reliance on Durant, Mr Pitt-Payne submitted, correctly in my view, that it had not. However, that does not in my judgment improve the University’s position: on the contrary it makes it worse.
I should, perhaps, add that if the University’s stance had been on the basis that what Dr Deer was seeking (at least in part) was not personal data, but copy documents, there would have been merit in that stance. But that was not the line that the University took.
In addition to the point based on the purpose of the SAR, the University, again relying on Durant, also said in response to the SAR that information contained in the documents referred to in the SAR was not necessarily “personal data” merely because it mentioned her. It explained the two “notions” to which Auld LJ had drawn attention in Durant; and said that the University had been guided by those notions in responding to the SAR. Next the University pointed out that Dr Deer had no right to access “mixed personal data.” It said, too, that much of the information that Dr Deer had requested was exempt from disclosure because it was covered by legal professional privilege. Lastly it said that it was mindful of its obligation to carry out a reasonable and proportionate search in response to the SAR. I deal further with the University’s response to individual items in the SAR below.
Oxford University’s searches
The searches that the University carried out in response to the SAR are described in the first witness statement of Ms Emma Rampton, who is Deputy University Secretary. She says in paragraph 73 of that statement that the University did not carry out a search for information falling within items 1 to 3 and 5 to 8 of the SAR; but did carry out a search for information within items 4 and 9. Items 1 and 2 related to the provision of a reference for Dr Deer, as did item 5. Item 3 related to her potential re-employment by the University. Items 6 related to sex discrimination questionnaires. Items 7 and 8 related to Professor Walford’s refusal to write a reference for her. The items where the University did carry out a search were item 4 (all relevant data contained in e-mails authored by and sent to Professor Walford on two particular days) and item 9 (data in the e-mails or electronic documents of 21 named individuals within various specified time frames).
Unless it is clear from a SAR that carrying out a requested search will not yield any personal data, or it is clear that any personal data retrieved by such a search will be exempt from disclosure, I do not think that in principle a data controller complies with a duty to carry out a reasonable and proportionate search by not carrying out any search at all. Yet that is what happened in the case of seven out of the nine categories of search that Dr Deer requested. Can that be justified on the facts?
The University’s response to the individual items (leaving aside reliance on collateral purpose on the basis of Durant) was as follows:
Item 1. This related to an agreement as part of a confidential mediation in which both sides were represented by lawyers. Communications about the agreement to provide the reference and the drafting of the reference were covered by legal professional privilege.
Item 2. This was too wide ranging to be answered (on the assumption that the University was obliged to answer it) and the University would have asked for further information under section 7 (3) of the DPA to enable it to locate the information requested.
Item 3. This was too wide ranging to be answered (on the assumption that the University was obliged to answer it) and the University would have asked for further information under section 7 (3) of the DPA to enable it to locate the information requested.
Item 4. Dr Deer had already received this information.
Item 5. Dr Deer had already received communications between solicitors, and the remainder of this item was covered by legal professional privilege.
Item 6. Dr Deer had already received copies of the responses to the questionnaire. Professor Walford’s communications with the University’s legal department about the response were covered by legal professional privilege. Some of the requested material was not contained in any document.
Item 7. Dr Deer had already received a file of documents, including meeting notes, relating to the investigation of her grievance. The remaining relevant documents had been disclosed to her in the course of the ET proceedings.
Item 9. The University gave an explanation of what steps it had taken and the results of those steps. In essence what the University had done was to ask the individuals whose e-mail accounts were specified themselves to search their accounts for relevant personal data. It had not conducted a central search itself.
Dr Deer took issue with the University’s position on legal professional privilege. However, a challenge to the University’s position on legal professional privilege was not pursued before Recorder Hancock QC, or HHJ Harris QC or before us. For the reasons I have given I would hold that the University was not obliged to search for items covered by legal professional privilege.
In those cases where the University had said that it had already provided relevant documents to Dr Deer, her response was threefold. First, she said that in some cases she had not been provided with the documents. Second, she said that without further copies of the documents she could not verify the University’s assertion. Third, she said that under the DPA there was no exemption in relation to information that has already been supplied (unless it had been supplied under a previous SAR).
In response to the first and second points the University supplied further copies of the material. In response to the third the University’s position was that no practical purpose would be served by disclosing to Dr Deer information that she already had.
As far as item 9 was concerned Dr Deer complained that the University had left it to others to conduct the search and had not carried out a central search of its own servers to locate relevant e-mails. The University’s response to that was that it had given e-mail account holders proper instructions and that asking them to search their own e-mail accounts was reasonable and proportionate.
Although in her response to the University’s complaint that some requests were too wide ranging Dr Deer said that she had refined them, in fact all she did was to repeat the original requests.
Two further matters call for brief mention. First, Dr Deer made a complaint to the Information Commissioner. It is important to note, however, the limited nature of the complaint which was restricted to the University’s reliance on Durant for its position that a collateral purpose meant that it was not obliged to answer the SAR. Second, as mentioned, Dr Deer served a second SAR which largely repeated the requests made in the first SAR.
Recorder Hancock QC’s judgment
It is important to be clear about the nature of the Recorder’s judgment and the questions that he was asked to decide. As he put it at the outset of his judgment, Dr Deer was asking for an interim order requiring the University:
“… to conduct various searches in order to satisfy itself and in due course the Court that all personal data that is in the possession of the [University] has been located.”
It was in that context that he went on to consider Dr Deer’s application. Having referred to Durant and Edem he said at [14]:
“The question for present purposes is whether the information that I am asked to order the [University] to search for is capable of being personal data.” (Emphasis added)
He was not asked to consider whether it was, or whether it was exempt from the duty to search and disclose. He went through the various items and decided that they included information that was capable of being personal data. At [16] he said that the real question was proportionality. At [18] to [21] he considered two cases and the Information Commissioner’s guidance on what amounted to a proper search. At [21] he said:
“… I regard the guidance from the Information Commissioner as to what amounts to a proportionate search as of very great importance in determining whether the steps taken to date by the [University] are adequate.”
In fact the Recorder did not in terms make a finding of fact that the steps taken by the University were inadequate; but nevertheless he ordered the University to carry out further searches, described in a schedule to his order, that he regarded as themselves being proportionate. He summarised the objections raised by Ms Rampton and concluded at [24] (4):
“In all the circumstances, it does not seem to me to be disproportionate for this search of the specified email accounts to be carried out. The search should extend to the central server and to the faculty server and should extend to archived materials, but not to back up materials … and not to deleted material.”
Paragraph 1 of the schedule to his order required the University to search, using specified search terms, the University’s central server and the servers of four departments or faculties for “all data” relating to Dr Deer sent to or received by 22 named individuals between specified dates. In effect this was item 9 of Dr Deer’s SAR. Paragraph 2 required a further search on the servers of five departments or faculties, using the same search terms but without limit of time. The University was given liberty to apply to vary paragraph 2 of the order (but not paragraph 1).
I have already described the process and the cost of complying with that order. The University did not apply to vary paragraph 2 of the order.
Judge Harris QC’s first judgment
The bundle of documents that HHJ Harris was asked to review consisted of 64 pages. He referred to both Durant and Edem. His overall conclusion was that none of the documents in the bundle contained “personal data”. Since both Mr Williams and the Information Commissioner attack his reasoning it is necessary to delve a little deeper.
At [18] he said that documents of which Dr Deer was the author raised no question of privacy at all. As he put it:
“This is documentation she composed and sent to the University, and sent to the University staff. She knows what she wrote and why, and to whom she sent it and she would not have expected it to have been destroyed.”
I do not consider that these factors mean that the documents contain no “personal data”. If the documents do contain personal data the data subject is entitled to know (as a minimum) for what purpose the personal data have been processed, and the persons to whom they have been disclosed. It is important to stress, however that the fact that the document contains personal data does not mean that the whole of the document is personal data. Moreover, the considerations mentioned by the judge may well be good reasons for declining to order disclosure of the document itself.
The next category of document that the judge considered at [19] was documents relating to the University’s internal processes and how Dr Deer’s complaints were to be handled. I agree with the judge that these documents do not contain any of Dr Deer’s personal data.
The judge went on to hold at [20] that Dr Deer was not entitled to drafts of correspondence or reports of which she had had the final version. Put like that it seems to me that the judge was not answering the right question. The question is not whether Dr Deer was entitled to documents: that is never the question under the DPA. What Dr Deer was entitled to was information about personal data contained in the drafts. If she had already had the final version and the personal data did not differ from the personal data contained in the draft, then I agree that she would not have been entitled to any further information. Otherwise, she would prima facie have been entitled to the personal data contained in the draft. I did not understand Mr Williams to suggest that the drafts in question contained any of Dr Deer’s personal data which either differed from or were not contained in the final version of the document. I agree with the judge, therefore, that Dr Deer was not entitled to any data contained in the draft.
I agree with the judge at [21] that an e-mail asking whether Dr Deer might make further complaints contains none of her personal data.
At [22] the judge said, correctly in my view, that documents relating to the University’s budget do not contain Dr Deer’s personal data with the exception of an e-mail of 16 June 2008 which does contain personal data consisting of Dr Deer’s date of birth and the length of her service.
One of the documents contains a list of staff members in the Department of Economics and their evaluation in terms of merit awards. Dr Deer’s name features in that list, together with grade, her salary, and evaluation. That is in my judgment clearly her personal data (although the evaluation may also be the personal data of the evaluator if he or she can be identified). In so far as the judge held that this document did not qualify as personal data because it was not “focussed upon her” I consider that he applied the wrong test. First, the question is not whether the document is focussed on the data subject; the question is whether it contains the data subject’s personal data. If it does, then those data not the whole document fall within section 7 of the DPA. The same is true of the description of Dr Deer’s research interests (apparently written by her) which is contained in a description of research interests of all the members of the faculty of Economics in a job description of the Professor of Political Economy. The judge dealt with this at [23]. Clearly the whole of the document is not Dr Deer’s personal data; but the description of her research interests is. The fact that she appears to have written it herself does not change that, not least because she may wish to check that her research interests have been accurately recorded. In my judgment Dr Deer was entitled in principle to the personal data about her recorded in those two documents, but not to the documents themselves. The same applies, in my judgment, to a list of Dr Deer’s publications with which the judge dealt at [26].
I agree with the judge at [24] that e-mails dealing with Dr Deer’s complaint that she had not been selected for the women’s football team do not contain her personal data.
At [25] the judge dealt with notes of a meeting that Dr Deer had attended. He pointed out that Dr Deer had already had disclosure of the notes (indeed, the note itself says that it was to be circulated). He said (correctly) that she was not entitled to the document itself, but went on to say that she “knows what took place at the meeting.” That would not, however, prevent data from being personal data. It seems to me, however, that apart from her presence at the meeting, the only snippet of Dr Deer’s personal data recorded in that document is the statement that she had a D Phil and the date on which she had completed it.
At [26] the judge referred to an e-mail headed “from today’s press clippings” and commented that it had already been disclosed.
At [28] the judge referred to e-mails scheduling a meeting, which she herself had sent and received. Although I agree with the judge that data contained in these e-mails had “nothing to do with her privacy,” data about her teaching commitments does seem to me to be her personal data.
It will be clear from what I have said so far that in my judgment HHJ Harris QC took too narrow a view of the scope of “personal data” for the purposes of the DPA. There are personal data of Dr Deer recorded in some of the documents in the Target Bundle. But I do not think that Mr Pitt-Payne was wide of the mark when he submitted that they amounted to a “few snippets” of personal data. However, at [29] the judge also said that if he had made any errors of taxonomy he would exercise his discretion not to order further disclosure on the ground that “it would serve no useful purpose;” adding that:
“Dr Deer appears for some reason to have engaged in low level attritional warfare against the University which is not appropriate and which should go no further.”
Dr Deer argues that HHJ Harris wrongly exercised his discretion. Although I consider that he did make some errors of taxonomy, he was in my judgment entitled to take the view that further disclosure would serve no useful purpose. He was also entitled to take into account Dr Deer’s relentless pursuit of disclosure not merely of personal data but also of documents. Finally the judge was also entitled to take into account the lack of proportionality in Dr Deer’s SARs. Whether another judge would have reached the same conclusion is neither here nor there: the discretion was HHJ Harris’ to exercise. In my judgment the exercise of his discretion was within the permissible range.
I would dismiss Dr Deer’s appeal.
HHJ Harris’ costs judgment
HHJ Harris QC gave a second judgment dealing with costs and the form of order on 23 February 2015. Having referred to CPR Part 44, and the purpose of the DPA, the judge said at [11]:
“She was not acting out of concern for her privacy, but in an attempt to discover useful material for her basic complaint that she was not being given the references she was entitled to, at least initially.”
Having referred to the history of the litigation the judge summarised the position at [20]. He said that as a result of the proceedings Dr Deer had obtained data to which she was prima facie entitled, and which the University had not provided before the litigation. But it was difficult to avoid the conclusion that she had pursued the litigation either with a desire to bolster her unsuccessful ET litigation or simply to harass the University; that she did not appear to have discovered any very significant material; and that the cost of the litigation and disclosure was “astonishing”.
At [21] the judge referred to the application before Recorder Hancock QC; and said that the search that he had ordered did reveal some 274 documents. He recorded the submission on Dr Deer’s behalf that the search that the Recorder had ordered ought to have been carried out in the summer of 2010. The judge held, however, that Dr Deer had won the application before the Recorder; and was therefore prima facie entitled to the costs of it. He returned to this theme at [23], pointing out that he would not conclude that the Recorder (whose decision had not been appealed) was wrong; and said at [25] that Dr Deer’s pursuit of disclosure was “in the event justified to the extent in which she succeeded before the Recorder.”
However, he made a deduction of 25 per cent from her costs because of his assessment of her motive in pursuing the litigation which he had described at [20], repeated at [22] and summarised at [25] as “essentially antagonistic”. He said that although she might have had a statutory right to the material he did not accept that motive was irrelevant. As he said at [22]:
“it would be odd that [motive] could not be taken into account when deciding costs questions.”
The judge concluded at [26] by saying that “in the light of the Recorder’s conclusion” Dr Deer was entitled to a declaration that the University ought to have disclosed what the Recorder ordered it to disclose, and to that extent was in breach of its obligations under the DPA.
In the result the judge made a declaration that the University ought to have disclosed the documents that were in fact disclosed under the Recorder’s order. He also ordered the University to pay 75 per cent of Dr Deer’s costs up to and including the hearing before the Recorder; and Dr Deer to pay the University’s costs following the hearing.
The declaration
The University argues that the judge should not have made the declaration. The searches carried out by the University before the start of the litigation were enough to comply with its obligations under the DPA; and the Recorder did not decide otherwise. All he was doing was making an interim order to ensure that all available material was placed before the court. He was not deciding the final rights and wrongs of the case. Nor did HH Judge Harris QC; he wrongly assumed that the Recorder had done so. In addition, the Recorder had not in fact ordered the University to disclose anything. The limit of his order was that the University was required to carry out a further search.
In my judgment this is too narrow a reading of the Recorder’s judgment. Although it is true that he did not expressly say that the searches that the University had carried out had been inadequate, he directed himself that the Information Commissioner’s guidance was important in determining whether the University’s steps to date had been adequate. The irresistible inference is that if he had decided that they had been adequate, he would not have ordered the University to carry out further searches. In addition, Dr Deer herself had raised the question of a search on central servers long before the litigation had started. In my judgment it is implicit in the Recorder’s order that he decided that the University’s steps to date had not been adequate. As HHJ Harris QC pointed out there has been no appeal against the Recorder’s decision.
In those circumstances, I consider that HHJ Harris QC was entitled to make the declaration that he did.
Costs
Dr Deer argues that since motive is irrelevant to the making of a valid SAR, it is equally irrelevant to an exercise of discretion about costs. She also argues that the judge was not entitled to make the findings about motive that he did, because she had given written evidence about her motives, upon which she had not been cross-examined. The judge ought not, therefore, to have made any deduction from her costs on that account.
CPR Part 44.2 (4) (a) requires the court to take into account a party’s conduct in deciding what order to make about costs. If the court considers that what has been achieved by the litigation is out of all proportion to the costs of achieving it then in my judgment the court may reflect that in an order for costs. In my judgment Mr Pitt-Payne is entitled to rely on the decision of this court in Jameel v Dow Jones & Co Inc [2005] EWCA Civ 75, [2005] QB 946. In that case Lord Phillips MR said at [54]:
“It is no longer the role of the court simply to provide a level playing-field and to referee whatever game the parties choose to play upon it. The court is concerned to ensure that judicial and court resources are appropriately and proportionately used in accordance with the requirements of justice.”
In an extreme case, such as Jameel itself, this approach may lead to a claim being struck out in advance of trial on the ground that, as Lord Phillips put it:
“The cost of the exercise will have been out of all proportion to what has been achieved. The game will not merely not have been worth the candle, it will not have been worth the wick.”
In my judgment, having regard to the view that the judge took about the value of what Dr Deer had achieved as a result of the litigation, balanced against the costs involved, he was entitled to make the deduction from costs that he did. I also consider that despite Dr Deer’s evidence of motive, he was entitled to form the view of her overall conduct that he did, and to take that into account in making his order for costs.
The University argues that the judge did not go far enough. It says that a 25 per cent deduction is inadequate; and that having regard to the fruits of the litigation, the judge ought to have ordered Dr Deer to pay the University’s costs. The difficulty with that submission is that the starting point is that the unsuccessful party bears the successful party’s costs; and as HHJ Harris QC rightly held, Dr Deer did succeed before the Recorder. It would be a very strong thing to order the successful party to pay the unsuccessful party’s costs; and I do not consider that the judge can be criticised for not doing so. How much of a deduction to make from Dr Deer’s costs was essentially a matter for the exercise of his discretion; and it must also not be forgotten that he ordered Dr Deer to pay the University’s costs following the hearing before the Recorder. In my judgment his costs order was within the ambit of the wide discretion given to him by the CPR.
That leaves the cost of compliance with the Recorder’s order which the University also argues that Dr Deer should pay. Essentially the point is that, with the benefit of hindsight, it can be seen that the fruits of the search are disproportionate to the costs of carrying it out. I do not consider that this is a valid point. Underlying the Recorder’s decision was his determination that the University had not complied with its obligation under the DPA to carry out a reasonable and proportionate search. If the University had complied with its obligations (before any litigation) its maximum recovery from Dr Deer would have been the paltry sum of £10. I cannot see that the intervention of litigation should make any difference.
Result of Dr Deer’s appeal and the University’s cross-appeal
I would dismiss Dr Deer’s appeal both against HHJ Harris’ decision to refuse to exercise his discretion in her favour and also against the costs order. I would dismiss the University’s cross-appeal.
Lord Justice Lloyd-Jones:
I agree.
Lord Justice McCombe:
I also agree.