In the recent case, Lees v. Lloyds, the data subject, Mr Lees (the claimant) issued a claim against Lloyds Bank PLC for failing to provide an adequate response to various Data Subject Access Requests (DSARs) in breach of the Data Protection Act 2018 and General Data Protection Regulation (GDPR).
The decision
The Court has discretion whether or not to make an order in circumstances where there is a failure to provide a proper response to a Data Subject Access Request (DSAR).
In this case, the Court’s view was that the bank’s responses to the claimant’s DSARs were adequate and the claimant’s claim was dismissed.
The background
The claimant entered into buy-to-let mortgages for three properties with Lloyds Bank Plc (Lloyds). These properties subsequently became subject to orders for possession. In addition to the litigation in respect of the mortgages, the claimant submitted a number of DSARs to Lloyds between 2017 and 2019. Lloyds responded to each of the DSARs it received.
To summarise, the claimant alleged that Lloyds had failed to provide a copy of his personal data contrary to the GDPR and the Data Protection Act 2018 (DPA 2018). In fact, the three DSARs were made when the Data Protection Act 1998 (DPA 1998) was in force. The DPA 2018 only came into effect for most purposes on 25 May 2018 and otherwise from 23 July 2018. The GDPR provides data subjects with rights of access to personal data similar to those under the DPA 1998.
Court’s reasons for the decision
In reaching its decision, the Court considered the Court of Appeal case of Ittihadieh v 5–11 Cheyne Gardens RTM Co Ltd and others [2017] and specifically the factors which must be taken into account when striking the balance between the right of the data subject to have access to his personal data on the one hand, and the interests of the data controller on the other.
The Court considered that even if the bank had not responded adequately, there would have been good reasons for declining to exercise its discretion to make an order that the bank should respond to the DSARs. These reasons included:
- there had been numerous and repetitive DSARs which were abusive;
- the real purpose of the DSARs was to obtain documents rather than personal data;
- there had been a collateral purpose behind the requests, to obtain assistance in preventing the bank from bringing claims for possession; and
- the data sought would have been of no benefit to the claimant.
Is the High Court decision welcomed?
Whilst the GDPR makes allowances for data controllers to refuse to respond to DSARs that are “manifestly unfounded or excessive”, the current ICO guidance suggests that the bar to demonstrate this is high. In order to decide if a request is manifestly unfounded or excessive, a data controller must consider each request on a case-by-case basis and should not have a blanket policy in place. A data controller must be able to demonstrate why it considers the request is manifestly unfounded or excessive and, if asked, be able to explain its reasons to the Information Commissioner.
Further, it should be noted that the GDPR and the DPA 2018 do not require a data controller to take into account points 2 – 4 (above) when responding to a DSAR. In fact, the GDPR gives an individual the right to obtain a copy of their personal data as well as other supplementary information to help them understand how and why their data is being used and whether it is being used lawfully. DSARs must be complied with without undue delay and at the latest within one month of receipt of the request.
Whilst the High Court decision is welcomed, it is currently unclear whether the decision, in this case, takes precedence over the GDPR, DPA 2018 and/or ICO guidance.
Although responding to DSARs can be time-consuming and expensive and each case will turn on its own facts, data controllers should consider the rights of access of a data subject and should follow the ICO’s guidance when responding to DSARs in order to avoid exposing themselves to the risk of any penalties.
Do you require any more information regarding data protection?
If you have any queries about data protection issues and/or disputes or any issues relating to this topic, please get in touch and we will be happy to advise you.
Gateley Plc is authorised and regulated by the SRA (Solicitors' Regulation Authority). Please visit the SRA website for details of the professional conduct rules which Gateley Legal must comply with.