Data Subject Access Requests | High Court declines to issue order compelling compliance with multiple DSARs when used abusively or for an alternative purpose
Can the courts decline to order compliance with data subject access requests (DSARs) if they are used abusively or for a purpose other than acquiring personal data?
The key takeaway
If DSARs are used abusively, for example to obtain documents rather than personal
information or there is a collateral purpose, the courts may exercise their discretion and decline to make an order to compel the production of data or documents in response to DSARs.
Between 2010 and 2015 Lloyds Bank plc (Lloyds) granted the Claimant, Silas Lees, buy-to-let mortgages in respect of three separate properties. For each property, Lloyds was shown as the proprietor of the registered legal charges. Mr Lees believed that Lloyds had assigned the benefit of the legal charges over the properties as a part of the securitisation of a portfolio of loans, which meant that Lloyds would not be entitled to pursue possessions claims against him over the properties.
After possession claims were initiated by Lloyds in 2019, Mr Lees sent around 70 DSARs to Lloyds and other parties, specifically requesting details of their fiduciary capacity and whether Mr Lees’ loans had been sold onward as a part of securitisation. Many were sent even after Lloyds had responded to Mr Lees’ first DSAR confirming that the loans had not been sold onward. Lloyds also responded appropriately to each subsequent DSAR made by Mr Lees.
Mr Lees then issued Part 8 proceedings for, among other things, Lloyds’ failure to provide data following his DSARs contrary to both the Data Protection Act 2018 and GDPR. At the time of the DSARs, the legislation in-force for data protection was in fact the Data Protection Act 1998 (DPA 1998), which gives individuals certain rights to access personal data pertaining to them and to enforce compliance with requests if data controllers failed to do so.
In his decision Chief Master Marsh held that Lloyds had provided adequate and appropriate responses to Mr Lees’ DSARs and was not in breach of the DPA 1998.
But even if Mr Lees could have shown a failure to provide a proper response, the Court went on to consider the discretionary nature of the remedies
sought, noting that, following the Court of Appeal decision in Ittihadieh v 5–11 Cheyne Gardens RTM Co Ltd, the discretion was not “general and untrammelled”. The courts will take various factors into account when assessing whether to make an order to comply with a DSAR, which included in this case:
- the numerous and repetitive DSARs from Mr Lees, which was abusive
- the real purpose of the DSARs was to obtain documents rather than personal data
- the collateral purpose that lay behind the requests, namely that the documents sought would be used in another case involving Mr Lees and Lloyds. As noted in Ittihadieh, a collateral purpose of assisting in litigation is not an absolute answer to there being an obligation to answer a DSAR, but it is a relevant factor in the exercise of the court’s discretion
- the data sought was of no benefit to Mr Lees, when an adequate defence could have been levied through case law, and
- the claims for possession had been the
subject of final determinations in the County Court from which all available avenues of appeal have been exhausted.
Mr Lees’ claim was dismissed as it was without merit.
Why is this important?
In a significant decision for those processing personal data, the courts have demonstrated that they are willing to take a robust approach in respect of the tactical deployment of DSARs. Whilst DSARs can be used to assist with litigation, they should not be used in an abusive fashion or where they would serve no purpose.
Any practical tips?
This decision provides a helpful authority on which to rely when resisting DSARs which are unfounded, abusive or used for an inappropriate ulterior purpose, demonstrating that the courts will not force compliance for the sake of it, but will consider the purpose and effect of the DSARs. The mere fact that a DSAR is being used for litigation or for another purpose is not usually enough of itself to refuse to comply, but the context should be carefully reviewed. The ICO guidance also recognises that you can refuse to comply with a DSAR if it is manifestly unfounded or manifestly excessive.