As part of our series on subject access requests, in this article we explore the recent High Court case of Harrison v Cameron and ACL (Harrison v Cameron), which considers whether the identities of internal recipients of data must be disclosed in response to a subject access request (SAR). We also investigate the balancing exercise that data controllers must undergo when determining how to comply with a SAR, where the personal data of third parties is mixed in with that of the data subject.
This can often be a point of contention between the data controller and data subject. For example, in many cases a data subject will be seeking unredacted copies of the data controller's internal correspondence. However, a controller may be unwilling to provide this, fearing the disclosure of such documents would infringe the privacy rights of any third parties (including their employees) who are referred to within, or party to, the correspondence. This can be a challenging area of law to navigate.
Fortunately, the Harrison v Cameron case provides some useful clarification on this important aspect of the SAR regime. It has narrowed the scope of personal data that can be excluded from a SAR, but at the same time has clarified that data controllers have wide discretion when correctly applying certain exemptions.
The case concerned a dispute between Mr Harrison, a real estate investor, and Mr Cameron, whose landscaping company, ACL, Mr Harrison had contracted to carry out landscaping works on his garden. Mr Harrison terminated the contract prior to completion of the works and Mr Cameron then requested payment for the materials and services provided thus far. This resulted in a number of threatening phone calls from Mr Harrison, which Mr Cameron covertly recorded and then shared with colleagues, family members and friends. Mr Harrison found out that the recordings had been circulated and alleged that they had reached key individuals within the property industry, resulting in losses to his business.
Mr Harrison subsequently submitted a SAR to ACL under Article 15 of the UK’s General Data Protection Regulation (UK GDPR), requesting the identities of all individuals in receipt of the recordings, on the basis that Article 15(1)(c) provided that a data subject shall have the right to information relating to ‘the recipients or categories of recipients to whom the personal data have been or will be disclosed’.
When considering whether Mr Harrison was entitled to this information, Steyn J cited the Court of Justice of the European Union’s (CJEU) interpretation of Article 15(1)(c) in the Austrian Post case, which emphasised that a requester is entitled to be informed of the actual identities of individual recipients of their personal data, not merely the categories of recipients.
Critically, the court in the Harrison v Cameron case also held that the term ‘recipients’ includes the employees of the data controller. This is a notable deviation from the earlier CJEU case of J.M. v Pankki, in which the court concluded that a controller's employees were not recipients for the purposes of Article 15(1)(c).
Following the Harrison v Cameron case, it would appear the identities of such individuals must be disclosed, so far as this information pertains to the requester's personal data, unless:
Information Commissioner’s Office’s guidance on third party data
The Information Commissioner’s Office (ICO) offers advice to data controllers responding to SARs which involve the personal data of third parties. In such cases, the ICO encourages data controllers to first consider if they can comply with the SAR without disclosing the third-party information.
If such compliance is not possible, then the ICO states that the controller does not have to comply with the SAR unless the third party consents to the disclosure of their information, or it’s reasonable to comply with the SAR without the consent of the third party in question. This guidance is based on the ‘rights of others’ exemption contained within paragraph 16 of Schedule 2 to the Data Protection Act (DPA) 2018 and Article 15(4) of UK GDPR. It is a different starting point to the requirement to provide details of recipients of personal data.
In the present case, Mr Cameron and ACL refused to disclose the identities of the recipients of the recordings on a number of grounds, including in reliance on the ‘rights of others’ exemption. They argued that the recipients of the recordings had not consented to disclosure of their identities. It was also argued that it was not reasonable to disclose the information to Mr Harrison without this consent.
However, the court held that, in determining whether disclosure was reasonable or not, Mr Cameron was obliged to carry out a balancing exercise between the competing interests of the requester and the objector, having regard to all the relevant circumstances, as set out in paragraph 16(3) of Schedule 2 to the DPA 2018.
The court ultimately found that ACL had discharged its obligations under Article 15 of UK GDPR when responding to the SAR, and that Mr Cameron was entitled to rely on the ‘rights of others’ exemption when refusing to disclose the identities of the recipients.
Significantly, Steyn J held that data controllers are the primary decision-makers in assessing whether or not it’s reasonable to disclose third party data and have ‘a wide margin of discretion’ to decide what is reasonable within the context. In these circumstances, Steyn J found it was reasonable for Mr Cameron to take into account that disclosing the identities of the individuals ‘would put them at significant risk of being the object of intimidating, harassing and hostile legal correspondence and litigation’ from Mr Harrison. This is an important development and reinforces that data controllers have ultimate responsibility for the personal data that they hold.
Interestingly, this case suggests that the context in which a SAR is submitted may be a consideration in determining whether it is reasonable to apply the ‘rights of others’ exemption.
Steyn J cited the decision in the X v Transcription Agency LLP & Anor case, where it was held that the SAR regime has a ‘specific and limited purpose’, which is to ‘enable a person to check whether a data controller’s processing of their personal data unlawfully infringes their privacy rights’. In the Harrison case the court considered it was reasonable for the defendants to give weight to their desire to protect family, friends and colleagues from hostile litigation, which would go beyond the exercise of the data subject's rights under the UK GDPR.
This case will be a helpful point of reference for any controllers who are seeking to understand their obligations in response to a SAR and who want to enable a data subject to exercise their rights without infringing the rights and freedoms of third parties.
If you have any questions about how to apply the decision in the Harrison v Cameron case when responding to a SAR, please do not hesitate to get in contact with our data protection team.