GDPR, Data Protection Act 2018 and the Court’s Interpretation
Case Study by Richard Coulthard
This week I appeared before Bradford County Court in a matter which, to my knowledge, is one of the first cases to go before the Court on the issue of GDPR compliance and, in particular, the question of what constitutes an ‘excessive or unfounded’ request under Article 12(5) of the General Data Protection Regulation and Section 53(3) of the Data Protection Act 2018. I represented the Applicant in the matter.
The background of the matter concerned an individual who was a patient at the Respondent GP surgery and required access to their medical records in respect of a complex legal matter relating to the Applicant’s employment.
The Applicant had made a request for disclosure of the medical records pursuant to Section 45 of the Data Protection Act 2018. The Respondent had contended that the request was ‘excessive’ due to the nature of the matter to which the request related and the fact that the Applicant required access to the entirety of the medical records. The Respondent contended therefore that a fee of £20 was payable in respect of the copying costs. Matters were not resolved in correspondence and an application was made to the Court for an order for non-party disclosure under CPR 31.17.
At the hearing, and by way of Skeleton Arguments, I submitted that:
- The Respondent had failed to comply with Section 45(1) and Section 45(3)(a) of the Data Protection Act 2018 by failing to disclose the information;
- The Respondent had failed to comply with their obligations under Section 45(5) to set out the reasons for non-compliance and the Applicant’s rights associated with this;
- The Respondent had failed to discharge the burden under Section 53(3) to prove that the request was ‘excessive or unfounded’, the evidential burden being on the Data Controller to prove this;
- The Respondent had failed to comply with the obligation under Article 12(5) of the General Data Protection Regulation to provide the records without charge;
- The Respondent ought to be liable for the damage, namely legal costs, arising from the application under Article 82(2).
The Defendant submitted that they had sought advice from the British Medical Association on this point and considered that, due to the nature of the underlying legal action for which the records were required, the request was ‘excessive’.
The Court found in favour of the Applicant and confirmed that the onus is on the Data Controller to prove that the request was ‘excessive’. The Court stated that, in order to discharge this burden, it would expect the Data Controller to provide an explanation as to why the request was ‘excessive’ and, if there was a genuine concern as to the extent of the disclosure, to open up a dialogue with the Applicant to understand whether all of the records were required.
On costs, the Court accepted that there was a disparity between the general rule under CPR 31.17 that the Applicant should pay the Respondent’s costs and the provisions of GDPR in which the Applicant would be entitled to their costs.
The Court determined that the ordinary rule under CPR 31.17 should be disapplied and ordered the Respondent to pay the Applicant’s costs, summarily assessed in the sum of £1,500.
The decision is a salient reminder that businesses need to fully understand their continuing obligations under the Data Protection Act 2018 and GDPR. Many businesses undertook substantial work to be compliant by 25 May 2018 without necessarily understanding the need for continuing compliance thereafter.
What was also clear from the process is that there remains substantial misunderstanding as to what the obligations of a Data Controller are under GDPR. In this case, one of the Respondent’s submissions related to Article 5 and the question of Data Minimisation, but my respectful submission to the Court was that Article 5 relates to the Data Controller’s duty as to the extent of the data retained, as opposed to the Data Controller’s obligation in response to a Subject Access Request.
In this case, non-compliance has proven to be costly for the Respondent, when the cost of taking formal advice on developing compliant systems and processes would have been a fraction of the cost of this particular application.
I have advised a number of businesses on GDPR compliance and I have also spoken to many businesses who remain oblivious as to the implications of GDPR. This is perhaps a salient reminder that GDPR compliance can cost businesses money even if they are not investigated by the ICO.