Judicial guidance on data subject access requests

Whilst decided under pre-GDPR legislation, the decision still provides useful guidance for both data subjects and data controllers: Dr Robin Rudd v John Bridle, J&S Bridle Ltd [2019] EWHC 893 (QB).

Background

Dr Rudd is a medical practitioner who specialises in the science of asbestos exposure. He has given expert evidence for claimants in proceedings concerning asbestos-related diseases over a period of 35 years. Mr Bridle is an asbestos lobbyist who has spent his career working in the asbestos industry. Dr Rudd made data subject access requests (SARs) under s7 of the Data Protection Act 1998 (the DPA 1998), the UK’s pre GDPR legislation. These followed complaints by Mr Bridle about Dr Rudd to the General Medical Council (the GMC) and allegations that Dr Rudd was involved in a conspiracy to falsify the health risks associated with asbestos and asbestos products to claim compensation on behalf of patients. 

In the SARs, Dr Rudd sought information about Mr Bridle’s activities, including the identities of third parties who had been collaborating with him. Dr Rudd claimed Mr Bridle’s responses were inadequate, and brought a claim against him under s7(9) DPA 1998 seeking orders to compel the provision of further information. Mr Bridle asserted that Dr Rudd had received all the information to which he was entitled under the DPA 1998 and, in any event, that most of the personal data sought was exempt from SARs under the journalism, regulatory activity and/or legal professional privilege exemptions. Mr Bridle also argued that J&S Bridle Limited (an asbestos consultancy business controlled by him and his son) was the data controller, rather than him personally. Dr Rudd therefore added this company as a defendant to the proceedings.

Mr Bridle was the data controller

Warby J held that Mr Bridle (and not J&S Bridle Ltd) was the data controller. Mr Bridle controlled what was being done with the personal data and why. The company’s operations were commercial (providing asbestos consultancy and asbestos surveys), whilst the processing in question was part of Mr Bridle’s individual lobbying activities.

Mr Bridle could only rely on legal advice privilege

As the judge noted, it is clear law that a data controller need only conduct a reasonable and proportionate search for the applicant’s personal data when served with a SAR. However, it is less clear whether such latitude is afforded when determining whether the personal data retrieved from such a reasonable and proportionate search are subject to exemptions from the subject access provisions. The judge held that, of the exemptions relied upon, Mr Bridle could only justify the claim to legal advice privilege. He could not rely on the exemptions for journalism, regulatory activity or litigation privilege.

As regards the journalism and regulatory activity exemptions, the judge held that it cannot be sufficient simply to say that Mr Bridle’s solicitors had concluded that the material was covered by the exemptions. Indeed, his view was that the solicitor who concluded that these exemptions applied must have relied on Mr Bridle, whom he concluded was an unreliable witness. Therefore, the exercise conducted by Mr Bridle’s solicitors was flawed and mistaken.

As regards the regulatory exemption in particular, the judge noted that it may be that only the regulator (here, the GMC) can rely on the exemption. Whilst he inclined to this view, he did not consider it necessary to resolve the point. In any event, he found it hard to see how the exemption could be claimed over three years after the GMC had rejected Mr Bridle’s complaint. 

As regards the legal professional privilege exemption, the judge considered that evidence from solicitors that they have reviewed the documents and concluded that the exemption should apply should carry more weight than a similar claim in respect of the journalism and regulatory activities exemptions. However, the judge concluded that only the claim to legal advice privilege could be justified, and not to litigation privilege as no existing or contemplated litigation had been identified. 

The information provided by Mr Bridle was inadequate 

The judge noted that a data subject’s access rights are to information, not to disclosure of documents, and that a claim for documentary disclosure is almost always likely to be misconceived. He upheld Dr Rudd’s claim that the information provided by Mr Bridle was inadequate. In the judge’s view:

• there was no indication within the personal data disclosed about the nature or status of the person, firm or company to whom the relevant emails were sent;
• the identities of those who allegedly conspired, assisted or collaborated with Dr Rudd were part of his personal data because this information was focused on him and was biographically significant. This also applied to those who were identified as “victims” of Dr Rudd and those persons to whom the allegations of fraud had been made. However, the judge held that Dr Rudd was only entitled to a description of recipients of his personal data, not the names of the organisations or people;
• Mr Bridle had failed to provide disclosure of any sources of Dr Rudd’s personal data. A data controller is required to provide “any information available” as to the source of personal data, not just a general description. The judge considered that, on their own evidence, the defendants had information as to the sources of personal data they had been processing, which they had not disclosed. His view was that the identity of sources (not just a description of them) must be provided;
• Mr Bridle had failed to give Dr Rudd a description of the purposes for which his data had been processed. Taking into account the principle of proportionality, the judge concluded that the obligation to provide such a description was not on a document-by-document basis; and
• Mr Bridle was ordered to provide a further response. 

The judge ordered Mr Bridle to comply with s7 by providing significant further information to Dr Rudd. In doing so, the judge permitted Mr Bridle to omit all personal data in respect of which he asserted a claim to legal advice privilege, but not those which were formerly said to be protected by litigation privilege. The judge also ordered that the response must include:

• a description of actual or intended recipients (although not their individual identities);
• details of the person, firm or company (other than a recipient of the personal data) which had previously been redacted (ie those who had been communicating with Mr Bridle and Dr Rudd);
• any information available to Mr Bridle regarding the sources of the personal data; and
• a description of the purposes of processing the personal data (although not on a document by document basis).

Finally, the judge also dismissed Dr Rudd’s claim for damages because he had not provided evidence of harm or distress.

COMMENT

Whilst decided under the UK’s pre-GDPR legislation, the decision provides useful guidance on SARs which would also apply under the GDPR and the Data Protection Act 2018 (the UK’s legislation implementing the GDPR). Whilst each SAR should be considered on its own facts, the decision clarifies what information can be requested, including: (i) a general description of recipients of personal data and the purposes of processing; and (ii) any information available to the data controller as to sources of personal data, including identities. This guidance should be taken into account by data subjects and data controllers alike when considering SARs.

Further information

This case summary is part of the Allen & Overy Litigation and Dispute Resolution Review, a monthly publication.  If you wish to receive this publication, please contact Amy Edwards