HomeInsightsHigh Court declines to order compliance with subject access requests made under s 7 Data Protection Act 1998

Article by

The claimant, Mr Holyoake, and the defendant, Mr Candy, met at Reading University in the 1990s when they became friends. In 2011, in order to fund the purchase of a property in London, Mr Holyoake entered into a loan agreement with the second defendant, CPC Group Ltd, a property company connected to Mr Candy’s brother Christian, in relation to an unsecured loan of £12 million advanced by CPC to Mr Holyoake personally. At the same time certain declarations of trust were made by Mr Holyoake.

Subsequently, it was alleged against Mr Holyoake that one of the declarations of trust contained a false statement; that he was thereby in breach of warranties given under the loan agreement; and that net asset statements provided by him pursuant to the loan agreement were not compliant with the requirements of that agreement.

Mr Holyoake and Hotblack sued Mr Candy, his brother Christian Candy, CPC and three other directors of CPC in the High Court for unlawful means conspiracy, extortion, fraudulent misrepresentation and a variety of other causes of action.

Mr Holyoake also made various subject access requests (SARs) to Mr Candy and to CPC in relation to their dealings and communications. Some of the SARs related to investigations and surveillance that Mr Holyoake alleged had been undertaken by third parties on behalf of Mr Candy and CPC.

Mr Candy and CPC declined to comply with the SARs claiming that Mr Holyoake’s sole reason for making them was to seek early disclosure of evidence in relation to the High Court proceedings. They also said that it would be disproportionate to carry out the extensive searches requested, and that substantial amounts of information would need to be withheld pursuant to the exemption for third party personal data. Mr Holyoake responded by issuing this claim.

Following disclosure in the High Court proceedings, Mr Holyoake narrowed the SARs to just the alleged investigations and surveillance issues. The defendants responded by saying that they were exempt from having to comply by virtue of the Legal Professional Privilege exemption as the data within the scope of the narrowed SARs was litigation privileged.

The court had to consider:

  • whether the defendants had carried out adequate searches in response to the narrowed SARs; and
  • the validity of Mr Candy’s reliance on the legal professional privilege exemption (the LPP Issue).

On the search issue, Mr Justice Warby observed that a data controller’s duty “… is not a duty to find all personal data”, and that a data controller’s implied obligation to carry out a search is “limited to what is reasonable and proportionate” (Ezsias v Welsh Ministers [2007] All ER (D) 65).

Mr Holyoake criticised the searches undertaken saying that relevant individuals had not been asked to search their private email accounts for information. Warby J said that the court had to ask itself whether searching a director’s private email account was a requirement of a reasonable and proportionate search by a corporate data controller. Here, there was no evidence that any of the relevant individuals had at any stage used personal email accounts to communicate about Mr Holyoake on behalf of CPC, or at all. Therefore, he could not find any breach of duty by the defendants. Warby J found that the searches undertaken were reasonable and proportionate and compliant with the defendants’ obligations under s 7 of the DPA.

On the LPP issue, Warby J considered the iniquity principle, i.e. that legal professional privilege cannot be used as a basis for withholding material that is evidence of iniquity. Warby J found that for the principle to apply there must be prima facie evidence of “fraud, or wrongdoing of comparable gravity”. He rejected the argument that the scope of the issue was any wider than fraud or criminal conduct. He also rejected the contention that the principle applied where the legally privileged material might disclose any breach of any fundamental rights, such as privacy rights. Warby J was not persuaded that this “quite radical extension of the iniquity principle” was required either by the Human Rights Act 1998 or the EU Charter of Fundamental Rights.

Warby J also had to consider whether the court should inspect the relevant data under s 15(2) of the DPA in order to test the validity of Mr Candy’s reliance on the LPP exemption. Warby J noted that the established approach of the court in this context is to undertake inspection only as a last resort. As Mr Justice Beatson said in West London Pipeline and Storage Limited v Total UK Ltd [2008] EWHC 1729 (Comm), “Inspection should be a last resort … It should not be undertaken unless there is credible evidence that those claiming privilege have either misunderstood their duty or are not to be trusted with the decision making or there is no reasonably practical alternative”. None of these conditions was satisfied in this case, Warby J said.

In conclusion, Warby J found that the defendants’ searches were reasonable and proportionate and that the LPP exemption had been properly claimed. It was also not necessary or appropriate to inspect the data for which the LPP exemption was claimed. The claim was therefore dismissed. (Mark Alan Holyoake v Nicholas Anthony Christopher Candy [2017] EWHC 52 (QB) (24 January 2017) — to read the judgment in full, click here).