subject access request

Rudd v Bridle – the who and what of subject access requests under GDPR

John MacKenziePosted by

The case of Rudd v Bridle is an interesting example of data protection law in the UK, and specifically subject access requests, being used in the context of litigation. We have already considered our legal relationship to that third-party controlled personal data, and also fundamental privacy rights. Now we look at the scope of personal data.

In this case the claimant was a doctor who specialised in the science of exposure to asbestos, including chrysotile, or “white asbestos”, and the causal connections between such exposure and the development of mesothelioma, lung cancer and other diseases. He had given expert evidence in many cases in the United Kingdom in which claimants have sought damages for mesothelioma, lung cancer, asbestosis and pleural disease allegedly caused by exposure to asbestos, as well as in other claims for compensation for respiratory disease.

The allegation was that the defendants had made complaints to the General Medical Council, and to Michael Gove MP the then Justice Secretary. The complaints were, in general terms, that the Claimant was involved in a “conspiracy” with various claimant law firms in which he provides false evidence about the risks associated with exposure to chrysotile asbestos.

Subject access request

Mr Rudd sent a subject access request to certain entities seeking “the information about Dr Rudd that he is entitled to under the Data Protection Act. In particular … information containing his personal data which relates to his work in acting as an expert in cases brought by individuals seeking compensation for mesothelioma.

The judgement of the court covered a range of issues, one of which was the extent of the search that a data controller needs to carry out. The court said:

“71. It is indeed clear law, at least domestically, that a data controller on which a SAR is served is only required to conduct a reasonable and proportionate search for the applicant’s personal data. This principle, first identified by Judge Hickinbottom (as he then was) in Ezsias v Welsh Ministers (unreported, 23 November 2007) at [97], is authoritatively confirmed in the passages cited from Ittihadieh. One consequence is that compliance “does not necessarily mean that every item of personal data relating to an individual will be retrieved”: Ittihadieh [103] (Lewison LJ).”

The meaning of personal data

For present purposes, the interesting issue is the extent of the concept of personal data. The court said:

“99. Where the data controller is processing personal data relating to an individual, therefore, the data subject has (subject to the provisions identified in s 7(1) ) a collection of information rights. These include a right to be given a description of the personal data, and (in intelligible form) the information constituting those data. But the provisions go beyond that, requiring the data controller to provide descriptions of the purposes of the processing and of the recipients or classes or recipients. The data subject is also entitled to have an intelligible account of what the data controller knows about the source of the personal data. These are rights to the provision of information which is not, or not necessarily, comprised in the personal data themselves: Ittihadieh [94], Gaines-Cooper v Revenue and Customs Commissioners [2017] EWHC 868 (Ch) [50] (HHJ Jarman QC, sitting as a Deputy Judge of the High Court).”

On Dr Rudd’s own case, the main aim of the claim under s 7 was to secure disclosure of the identities of persons, then unknown, who are suspected of conspiring with the defendants to commit unlawful acts calculated to cause significant harm to Dr Rudd’s professional reputation and impede the development of his career. What he was trying to deal with was the communication of derogatory statements about him, which were said to be false and dishonest. The question was: does the identity of those people fall within the scope of personal data? The case for Dr Rudd was that he was “entitled to know the names of the people with whom the defendants were corresponding“. The response was that the identities of third parties are wholly outside the scope of the subject access rights. The names of recipients of emails are never part of the Claimant’s personal data; that information does not “relate to” the Claimant.

Biographically significant data

The judge concluded that:

“116. … the identities of those who, within the personal data disclosed, are alleged to have conspired with or assisted or collaborated with Dr Rudd in the alleged fraud qualify as part of his personal data. So do the identities of those whom he is alleged to have helped to attack others, and those referred to as “victims of Rudd” (see another extract in the Third Schedule). It is integral to the information about him that is contained in the data that he has conspired with one or more identified or identifiable natural or legal persons, or attacked some identifiable person, or that such a person is his “victim”. That is information that focuses on him and is biographically significant. The same is true of those who, within the personal data, are identified as persons to whom allegations of fraud have been made. Within the documents there is personal data to the effect that “I have made an accusation to the GMC that Dr Rudd is guilty of fraud”. That is all information which relates to Dr Rudd. But applying the criteria in Durant and the ICO Code the identities of those to whom these personal data have been communicated are not personal data relating to Dr Rudd. It is not information relating to him. It is perfectly easy to understand what is being written about Dr Rudd in the extracts provided, without knowing to whom it is being written.”

The judge applied the broad test of “is the data about the data subject”? If it is, then it will qualify as personal data, and must be included in the subject access request.

For those holding data, this means that the exercise of disclosing data in response to a subject access request gets a little more complicated. Care must be taken to consider not just obvious personal data like email addresses, but other more biographically significant data. If the information is “about” or relates to the data subject, then it will have to be disclosed in an intelligible form.

Litigation and data protection

For anyone involved in a dispute, particularly concerning reputation and defamation, the rights under the Data Protection Act can provide a useful tool to recover information and evidence to support a claim.

We have considerable experience in dealing with subject access requests. Please get in touch to have a discussion about how we can assist.

Share our insights

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.