A significant Judgment was recently issued in the High Court case of Harrison v Cameron & Others [2024], which considered whether a data subject of a Data Subject Access Request (DSAR) under the UK General Data Protection Regulations (UK GDPR) and Data Protection Act 2018 (DPA) was entitled to know the identity of recipients of their personal data. This decision will now be legally binding unless the decision is successfully appealed and is therefore relevant to employers who often deal with employee DSARs.
Background
Under Article 15(1) of the UK GDPR, a data subject has the right to obtain from a data controller “the recipients or categories of recipient” to whom personal data have been or will be disclosed. In this case, Mr Harrison brought a claim against ACL (a landscape gardening business) and Mr Cameron (Owner and Director of ACL) (the Defendants) after they refused to comply with his DSAR, in which he requested the identities of the recipients to whom his personal data was sent.
Mr Harrison hired the Defendants to work on his property but later terminated their agreement, as he wasn’t satisfied with the services provided. The Defendants claimed that Mr Harrison owed them payments for work already completed and, in response, Mr Harrison threatened Mr Cameron over the phone. Mr Cameron covertly recorded these conversations, which he shared with some family members, friends and colleagues. These recordings subsequently made their way to some of Mr Harrison’s peers and business competitors and, according to Mr Harrison, allegedly affected his business. When Mr Harrison found this out he submitted a DSAR to the Defendants requesting, amongst other things, the identities of all the individuals to whom his personal data (including the recordings) were sent to. The Defendants refused to comply with the request on the basis that:
- The exemption under Article 2(2) of the UK GDPR applied as the Defendants processed the data in the course of purely “personal or household activity”;
- Mr Cameron was not a data controller in his personal capacity; and
- In any event, the Defendants could rely on the ‘rights of others’ exemption under paragraph 16 of Schedule 2 to the DPA as they did not have the recipients’ consent and it would be unreasonable to disclose their information given the circumstances.
High Court Judgment
The High Court considered these three issues and found in relation to the first two that, as the recorded phone calls were business calls made by Mr Cameron as a director of ACL, where he enquired about the termination of the contract, which the Defendants then collected and held and subsequently shared with employees of ACL, it was not processed on a purely personal basis. Therefore, the exemption under Article 2(2) of the UK GDPR did not apply. However, the Judge did find that Mr Cameron was not a data controller in his personal capacity, as he was acting in his capacity as director. This was in accordance with existing case law in re Southern Pacific Loans Ltd and Ittihadieh v Cheyne Gardens which found that a director processing data in the course of their duties for their company was not a controller, their company was.
Regarding the final issue, the Defendants’ argued that they were not prepared to disclose the names of the recipients. The Defendants believed that disclosing the identities of the recipients would put them at significant risk of intimidation and harassment from Mr Harrison, and the recipients did not consent to their personal information being shared. The Judge agreed with this and concluded that it would not be reasonable to disclose the recipients’ names and on the facts of this case, the 'rights of others’ exemption applied. However, although the Defendants were entitled to withhold this information in these circumstances, the Judge emphasised that, if a data subject requests the identifies of the recipients and not the category of recipients, they were, in principle, entitled to this information, unless an exemption can be relied upon. This is important in the sense that many have interpreted Article 15(1)(c) of the UK GDPR as offering the data controller the option between providing information of the recipients, or the categories of recipients for the data, when the choice instead rested with the data subject.
Comment
The key takeaway for employers is that, as data controllers, when responding to a DSAR, the option of providing the identities of the recipients or the categories of recipients lies with the data subject and not the data controllers. In circumstances where employers are faced with requests from data subjects for disclosure of the recipients, whilst data subjects are in principle entitled to request this information, employers do have a level of discretion as data controllers to withhold this information under the ‘rights of others’ exemption, provided they satisfy the requirements needed to rely on this exemption.
If you require any further assistance or support, please contact a member of the Employment Team.
/Passle/6491ca5e863f054b458578e8/MediaLibrary/Images/2024-07-04-12-40-25-132-668698390c40366a2e7cf1d4.png)
/Passle/6491ca5e863f054b458578e8/MediaLibrary/Images/2024-06-28-13-41-15-998-667ebd7b684459b9689032f3.png)
/Passle/6491ca5e863f054b458578e8/SearchServiceImages/2024-06-19-15-45-35-067-6672fd1fa20a640e0c9a8d0a.jpg)
/Passle/6491ca5e863f054b458578e8/SearchServiceImages/2024-06-26-11-45-10-756-667bff465119fa18403eb59d.jpg)