Holyoake v Candy- Sweet news for data controllers dealing with SARs

Published on: 09/02/2017

#Data Protection

In a notable judgement, the High Court refused an application to order compliance with a subject access request (SAR) on the basis that searches had been reasonable and proportionate and legal professional privilege was properly claimed.

The claimant, in this case, challenged the adequacy of the data controllers’ searches and, in particular, felt that the searches were flawed as the company directors’ involved had not been asked to search their private email accounts.

The Judge felt that such a search would be an “intrusion requiring justification”. Whilst he accepted that a director who used a private email account for work may owe the company a duty to allow access to this, the company was not bound to ask for access unless there was a “sufficient reason to do so”.

The claimant also argued that Legal Professional Privilege could not be relied on as there was a suspicion that some of the underlying activities were tainted by criminal conduct. However the Judge confirmed that there would need to be strong prima facie evidence of wrong doing to justify an inspection of privileged documents not just a speculative case.

This decision is useful as it restates the position arising from previous case law that searches need only be “reasonable and proportionate” and gives further guidance on the searching of private email accounts. However, the court’s view is difficult to reconcile with that of the ICO which has stated that the ‘disproportionate effort’ exemption found in the Data Protection Act relates to the production of a copy of the data and not the search itself.

Disclaimer

This information is for guidance purposes only and should not be regarded as a substitute for taking professional and legal advice. Please refer to the full General Notices on our website.