• 3 min read

Alert: Interesting new DSAR case

circuit board and shield icon,Hardware security, computer data p

As our data protection guide series is currently on the topic of data subject access requests (DSARs) it is a happy coincidence that an important and rare High Court judgement was handed down on 7 June 2024 on the subject of DSARs in the case of Harrison v Cameron and ACL.

What happened?

This case came about due to a dispute between a landscape gardening company, ACL, which was operated by Mr Cameron and one of its customers, Mr Harrison, who worked in property investment. Mr Harrison and Mr Cameron spoke several times on the telephone after the dispute arose and Mr Cameron secretly recorded two of the calls. During the recorded calls Mr Harrison threatened Mr Cameron. Mr Cameron shared the recording of Mr Harrison threatening him with 12 people – and some of those people shared the recording (or transcripts of them) with others resulting in a total of 15 people receiving the recording. Mr Harrison claimed that the recordings ended up being shared with people in the property investment sector and caused the company for which he was Chief Executive to lose out on a lucrative deal. Mr Harrison subsequently sent various DSARs including one to Mr Cameron and one to ACL.

The judgment explains: “The central question in this claim is whether Mr Cameron and/or ACL were required, in response to Mr Harrison’s SARs to disclose to him the names of those 15 people to whom the Recordings (or transcripts) were disseminated; and whether the Court should order them to do so.”

What was decided and what are the takeaways from this case?

Whilst this case doesn’t discuss a unique area of data protection law it does confirm and clarify some interesting points relating to DSARs:

  1. The judge held that, on the facts, Mr Cameron was not acting in his personal capacity when he recorded the calls with Mr Harrison (so the processing was not “in the course of a purely personal or household activity” and therefore didn’t fall outside of the scope of UK data protection law); he was acting in his capacity as a director of ACL which was therefore the controller of the recordings not Mr Cameron. On this aspect the judgment confirms that: “If a rogue employee or director acts in an unauthorised fashion, they may become a “controller”. However, that is not the case here.”

  1. Although the wording of Article 15(1)(c) of the UK GDPR suggests a controller has an option as to the information it provides about recipients to whom personal data has been or will be disclosed, a data subject making a DSAR is entitled to be informed of the identities of the recipients of their personal data (and not just categories of recipients) if they request this information. In line with EU caselaw, this judgment confirms it is not sufficient just to inform the data subject in general terms of the categories of recipient (e.g. IT providers) if they request more specific information. Therefore it is important that controllers keep records of recipients of personal data in case a DSAR arises and this information needs to be provided in the response.

  1. There is a caveat to the requirement to provide details of the identities of recipients, which applied to this case, which is the “third party data” exemption (per Schedule 2, paragraph 16, of the UK Data Protection Act 2018). This exemption is relevant where a DSAR response would result in the disclosure of personal data relating to another individual. The exemption does not apply if the other individual has consented to the disclosure of their personal data (which in this case they didn’t), or if it is reasonable to disclose the information, without that consent. The judgment confirms: “The controller is the “primary decision-maker” in assessing whether it is reasonable or not. The controller has a “wide margin of discretion” under paragraph 16(2)(b), including as to the factors to treat as relevant to the balancing exercise (subject to paragraph 16(3)) and the weight to be given to each factor they treat as relevant.” In this case Mr Cameron / ACL felt that disclosing the recipients’ identities would put them at “significant risk of being the object of intimidating, harassing and hostile legal correspondence and litigation”. In the circumstances the judge agreed and held that “in the context of this case, it was reasonable for the Defendants to give weight to their desire to protect family, friends and colleagues from hostile litigation….I conclude that ACL’s assessment that it would not be reasonable to disclose the identities of any of the recipients to Mr Harrison fell well within its margin of discretion as the controller when responding to the ACL SAR. Accordingly, the rights of others exemption applies, and so ACL complied with Article 15 in their response to the ACL SAR”.

Our data protection team has many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421

If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please email [email protected].

Answers are just a click away

Make an enquiry