In the recent case Lees v. Lloyds, the data subject, Mr Lees (the claimant), issued a claim against Lloyds Bank PLC for failing to provide an adequate response to various Data Subject Access Requests (DSARs), in breach of the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
The Court has discretion whether or not to make an order in circumstances where there is a failure to provide a proper response to a Data Subject Access Request (DSAR).
In this case, the Court’s view was that the bank’s responses to the claimant’s DSARs were adequate and the claimant’s claim was dismissed.
The claimant entered into buy-to-let mortgages for three properties with Lloyds Bank PLC (Lloyds). These properties subsequently became subject to orders for possession. In addition to the litigation in respect of the mortgages, the claimant submitted a number of DSARs to Lloyds between 2017 and 2019. Lloyds responded to each of the DSARs it received.
To summarise, the claimant alleged that Lloyds had failed to provide a copy of his personal data contrary to the GDPR and the Data Protection Act 2018 (DPA 2018). In fact, the three DSARs were made when the Data Protection Act 1998 (DPA 1998) was in force. The DPA 2018 only came into effect for most purposes on 25 May 2018 and otherwise from 23 July 2018. The GDPR provides data subjects with rights of access to personal data similar to those under the DPA 1998.
Is the High Court decision welcomed?
Whilst the GDPR makes allowances for data controllers to refuse to respond to DSARs that are “manifestly unfounded or excessive”, the current ICO guidance suggests that the bar to demonstrate this is high. In order to decide if a request is manifestly unfounded or excessive, a data controller must consider each request on a case-by-case basis and should not have a blanket policy in place. A data controller must be able to demonstrate why it considers the request is manifestly unfounded or excessive and, if asked, be able to explain its reasons to the Information Commissioner.
Further, it should be noted that the GDPR and the DPA 2018 do not require a data controller to take into account points 2 – 4 (above) when responding to a DSAR. In fact, the GDPR gives an individual the right to obtain a copy of their personal data as well as other supplementary information to help them understand how and why their data is being used and whether it is being used lawfully. DSARs must be complied with without undue delay and at the latest within one month of receipt of the request.
Whilst the High Court decision is welcomed, it is currently unclear whether the decision in this case takes precedence over the GDPR, the DPA 2018 and/or the ICO guidance.
Although responding to DSARs can be time-consuming and expensive and each case will turn on its own facts, data controllers should consider the rights of access of a data subject and should follow the ICO’s guidance when responding to DSARs in order to avoid exposing themselves to the risk of any penalties.