Increasingly, data controllers are becoming frustrated at the apparently endless reach of Section 4 of the Data Protection Acts 1988 and 2003 (‘DPAs’) as a means for accessing company documentation and information. A typical fact pattern involves an aggrieved employee or customer seeking access to ‘all documentation relating to me, including but not limited to all emails, memoranda and other internal correspondence, a copy of all minutes of meetings between X and Y and a copy of all other records leading up to the decision to dismiss me/refuse me credit etc’.
When the data controller conducts its initial search, frequently the universe of potentially relevant documentation is vast. When the data controller then checks the exceptions to the right of access, it tends to be disappointed to see that they are very narrowly drafted. For example, there is an unusually narrow definition of legal privilege, and the exclusion for confidential information only applies if it constitutes an ‘expression of opinion’. The next phase of the process tends to involve the aggregation of all potentially relevant documentation into a single electronic file location, or into good old-fashioned ring binders. At this point, instead of a concise list of ‘personal data’ about the data subject, the data controller is faced with a vast array of documentation from a variety of sources, some of which contains personal data relating to the requester.
A case-by-case analysis of each document will often require an unacceptable diversion of resources, particularly given that the entire process is required to be completed within the 40-day window set down by section 4(1) of the DPAs. If data controllers look to the ‘disproportionate effort’ provision in section 4(9) of the DPAs, they tend ultimately to receive an unsympathetic hearing once the inevitable complaint from the disappointed data subject falls for adjudication by the Office of the Data Protection Commissioner.
A recent Advocate General decision (‘Decision’) in the Court of Justice of the European Union (‘CJEU’) may provide some light at the end of the tunnel for frustrated data controllers. While it remains to be seen if the decision will ultimately be followed by the Court itself, the majority of such decisions are. The case in question (Joined Cases C-141/12 and C-372/12) originates from a referral to the CJEU by the Raad van State in the Netherlands. The key point that fell to be determined by the Court was whether or not a document containing a legal analysis of a residency permit decision constituted personal data which is available for access by data subjects under Article 12 of Directive 95/46/EC — the equivalent of section 4 of the DPAs.
This article first appeared in Vol 7, Issue 2 of the Data Protection Ireland Journal and is reproduced with the kind permission of PDP Journals.