- 10 Finsbury Square, London EC2A1AF
- +44 (0) 20 7628 2000
Data Protection Act Update
The last month has seen a couple of new developments related to the Data Protection Act (“DPA”). Firstly, the Information Commissioner’s Office, which is the authority which upholds the DPA, published new guidance on responding to subject access requests. The purpose of the guidance is stated to be to assist organisations in dealing with requests from individuals for their data. Secondly, the last month also saw the court of appeal judgment in the case of Halliday v Creation Consumer Finance Limited in which compensation was awarded to an individual for distress caused by a breach of the DPA.
Subject Access Code of Practice
The DPA was enacted as use of email for business communication, both internal and external, was only just getting under way. The amount of data now stored on IT systems has grown exponentially and the task of collecting data on employees, collating it and sifting to ensure no data about another person is disclosed has become an extremely time consuming, costly and highly onerous exercise. The HRlaw team was hoping that the publication of the new guidance would be of assistance to employers in lessening this burden but unfortunately, it makes clear that the pleas of “disproportionate effort” and “unreasonable requests” are grounds which may only be relied upon by the employer to avoid processing the request only in very limited circumstances.
The DPA states that the personal data must be supplied in a permanent form (such as a print or copy) unless this would be impossible or require disproportionate effort. However, the guidance goes on to state that disproportionate effort may only be relied upon in the most exceptional of circumstances, and in order for the data controller to avoid being in breach of the DPA, it must comply with the request in some other way if at all possible. It suggests providing the information in electronic form. The guidance also suggests allowing the individual to attend the organisation’s offices to inspect the documents and arranging for copies to be made of any documents that the individual would like to take away. It emphasises seeking agreement with the individual on any such alternative means of complying with the subject access request. This does not necessarily take into account that many employees or former employees exploit the subject access request process as an aggressive negotiating technique, or to obtain early disclosure during tribunal litigation, and are often unwilling to be co-operative.
Importantly, the DPA does not enable employers to rely on the argument a request entails disproportionate effort in conducting the search or reviewing the documents.
The new guidance also confirms that a subject access request may be denied if it is a repeated request and the request is made at unreasonable intervals. For example, if the same or a similar request was made a month earlier, the guidance suggests that the individual should be asked if they agree to receive only any new information. Again, the guidance emphasises the rights of the individual and encourages seeking agreement with the individual.
When facing a situation where an individual refuses to reach a sensible agreement regarding the provision of data, the data controller will have to be pragmatic and the Halliday case referred to below is a helpful example of the limits on compensation for a breach of the DPA.
The judgment in Halliday v Creation Consumer Finance Limited is thought to be the first judgment on a claim for compensation for “distress” under the DPA. Whilst the background does not directly relate to an HR law issue, the case has significance when contending with HR issues related to the DPA, whether controlling or processing employee data or responding to subject access requests.
Halliday succeeded in an earlier claim against Creation Consumer Finance (“CCF”) for breaches of the DPA related to data provided under a credit agreement for payment of a television. CCF was ordered to delete all data related to Halliday. Halliday subsequently discovered that CCF had forwarded his data to a credit referencing agency which incorrectly showed that he owed £1,500. Halliday brought a new claim alleging further breaches of the DPA (which also succeeded) and a claim for compensation for “distress”.
The Court of Appeal rejected Halliday’s suggestion that compensation for breach of the DPA should be in line with the Vento bands for injury to feelings. The Court of Appeal also took into account the absence of contemporaneous evidence of injury or distress as a result of the breach (Halliday waited a month after discovery before protesting) when determining an appropriate sum of compensation.
Helpfully, the Court of Appeal said that as there was no malicious or fraudulent intent in breaching the DPA, and as the breach was an isolated episode, it was appropriate to award only £750 for distress. The sum awarded took into account the fact that Halliday would have experienced frustration, and that there should be a remedy for that, but without proof of damage to his reputation the court of appeal found that he should not be able secure a more substantial sum of damages.
Whilst the sum was only £750, the case is a helpful reminder that compensation is available to individuals for “distress” as a result of a contravention of the DPA. However, the case also confirms that the amount of compensation that should be awarded is not comparable with injury to feelings awards in discrimination claims and also confirms that substantial compensation should not be awarded for a minor breach of the DPA.