A woman is injured falling down on a bus in Dublin; CCTV images record the event. If the woman applies for subject access, does she get the images? That was the question before the Irish Court, as the bus company refused access because the woman might be seeking compensation.
Why should this interest UK readers? Well, because Counsel for the Dublin Bus Company trotted out the Court of Appeal decision in Durant (which of course is the equivalent of waving a red flag at any passing data protection bull).
In Durant, the Court of Appeal introduced a new subject access exemption. Auld LJ stated that the right of access in the 1998 Act is not available to the data subject "to assist him, for example, to obtain discovery of documents that may assist him in litigation or complaints against third parties".
In Durant, the third party in question was Barclays Bank, and clearly Auld LJ was concerned that Mr. Durant was trying to re-open a litigious dispute with the Bank which had been determined in favour of Barclays some eight years earlier.
However, Auld LJ then added for good measure that Durant’s claim “is a misguided attempt to use the machinery of the Act as a proxy for third party discovery with a view to litigation or further investigation, an exercise, moreover, seemingly unrestricted by consideration of relevance”.
And it is this paragraph that gave rise to the legal argument that Dublin Bus was running. The woman, who was known to be considering a compensation claim, was usurping the right of access as a substitute for the Irish Civil Procedure Rules, which would allow for an orderly exchange of evidence if there were a claim. It followed that she should not gain access to the personal data.
All I can say is that there is nothing in either the 1995 Directive or in the 1998 Act which would justify any comment that the right of access has to be considered in terms of the data subject's reasons for exercising it. Additionally, Subject Access is a right only tempered by an exemption; there is no subject access exemption in the Act for “contemplated legal proceedings” and hence this argument has to fail (even though it clearly appears in Durant).
The Irish Judge agreed and that particular argument was lost.
The next argument proffered by Counsel for the bus company was that the personal data was subject to “legal professional privilege”. However, the bus company had shown the CCTV footage to the data subject prior to the access request and any threatened litigation. This meant that the claim for legal professional privilege had to fail. For the life of me I cannot understand why this argument ever saw the light of day; it’s a “we are clutching at straws” position, so I think it best to move quickly on.
However, the Irish Court made some obiter remarks that agreed with Durant over judicial discretion in respect of Subject Access. The judge agreed that section 7(9) of the UK’s Data Protection Act allowed the Court discretion as to whether to require a data controller to provide a data subject with personal data. Discretion, I should add, that allows the UK Courts to make up subject access exemptions as they go along.
This “discretion” argument was first proffered by Auld LJ in Durant; it is one of the major reasons why I think the Data Protection Act 1998 does not implement the Directive 95/46/EC. So it is important to explain why.
Why judicial discretion is a defective implementation
Section 7(9), at first reading, allows the Court wide discretion. However, that reading omits reference to the “guaranteed” right of access required to be implemented by the 1995 Directive. So, in summary, we have identified the divergence: the UK have implemented “discretion” whilst the Directive wants a “guarantee” implemented.
Article 22 of the 1995 Directive requires that "…Member States shall provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question" (my emphasis). This means that the data subject can have access to the courts to enforce the guarantee where the data controller has withheld access. By contrast, the discretion in section 7(9) allows for the non-enforcement of subject access!
Article 12 obliges Member States to "guarantee every data subject the right to obtain from the controller … communication to him in an intelligible form of the data undergoing processing and of any available information as to their source". Recital 55 states that "if a controller fails to respect the rights of data subjects, national legislation must provide for a judicial remedy" (my emphasis).
There is no room for equivocation here: "must" and "guarantees" are strong unconditional words; there are no qualifying words such as “may” or "to guarantee as far as is reasonably practicable".
However, this “guarantee” is moderated by Article 13 which permits Member States to adopt legislative measures "to restrict the scope of the obligations and rights" in narrow circumstances. This is the basis for the exemptions from the right of access, which apply if "such a restriction constitutes a necessary measures" to safeguard a list of items (e.g. national security; the prevention, investigation, detection and prosecution of criminal offences; and, possibly relevant here, "the protection of the data subject or of the rights and freedoms of others").
In other words, exemptions from the right of access must be couched in terms of the exemptions in this Article 13 list; any discretion in section 7(9) is limited to adding exemptions in the circumstances described by Article 13.
Instead of a limited discretion, the UK Government has legislated for a Court to have "general and untrammelled powers" (to use Auld LJ’s expression) to negate the guaranteed right of access.
And that is one of the reasons why I think the UK Data Protection Act 1998 is a deficient implementation of the Data Protection Directive. It does not implement the right of access properly.
You can download the Dublin Bus case here: Download Dublin Bus Judgment
The case reference is Durant v Financial Services Authority  EWCA Civ 1746. However, if you want a 100 page analysis of the Durant decision, email us with your request.