In Rudd v Bridle and J&S Bridle Limited, the High Court recently ruled in respect of the adequacy of information provided by organisations subject to a subject access request ("SAR"). SARs are being used more and more frequently - especially with the advent of GDPR - and although this ruling is on a SAR that predates GDPR, it does provide useful guidance that is equally valid in today's GDPR environment.
Graham Mitchell and Corinna Harris of Clyde & Co LLP neatly sum up the key merits of the case. From my perspective, three things stand out:
- The court affirmed that the identity of third parties alleged to have conspired with Dr. Rudd was considered part of Dr. Rudd's personal data as it "...is information that focuses on him [Dr. Rudd] and is biographically significant."
- The court confirmed the guidance provided by the ICO (https://ico.org.uk/media/2259722/subject-access-code-of-practice.pdf) that there is no obligation to disclose specific identities of people with whom personal data has been shared, but rather a description of the recipient.
- Data controllers must provide information in relation to the source of the individual's data, not just a description of the source.
As stated above, even though this predates GDPR, it does impact actions covered by GDPR. It also emphasizes both the breadth of a SAR and the nuances that must be considered when replying to one. However, there is much that can be done to address these challenges through the use of technology and machine learning, so with the right approach SARs can still be managed effectively and efficiently.
But as summed up at the end of the article: "... employers will not welcome...this decision...".
Data controllers must provide any information available to them in relation to the source of the individual's data. The court said the individual must be provided with the actual identity of the source, not just a description or class of the source.