Weightmans recently dealt with two ‘SAR claims’ on behalf of different local authorities.
The statutory data protection regime has openness and transparency at its core. A key component of this is that people (data subjects) have the right to access their personal data. Organisations, and local authorities in particular, are accustomed to dealing with subject access requests (SARs) and the challenges that accompany them. These challenges will vary, from difficulties complying with the one-month response period, to assessing what information should be included and even the appropriate format of the response.
More recently, and in keeping with the trend of statutory data protection rights giving rise to litigation, ‘failures’ on the part of organisations to comply with the deadline for SAR responses have given rise to claims for compensation.
Weightmans recently dealt with two ‘SAR claims’ on behalf of different local authorities. In both cases, the litigants in person sought compensation for distress on the basis that (i) the SARs had been responded to out of time; and (ii) they had not been provided with the information requested. The SARs included requests for information about the local authorities’ standing to raise council tax and the way unpaid council tax debts had been enforced. Both claimants sought compensation in the arbitrary sum of £7,500.
The defendants made successful applications to strike out the claims on the bases that, firstly, the substance of the requests went beyond personal data and therefore fell outside the remit of a legitimate SAR and secondly, the response delay of just a couple of days in each case meant that the claims did not cross the threshold of seriousness to ground a claim for damages.
In addition, the claimants were ordered to pay the defendants’ costs. The claimants’ argument that costs should not be awarded because the claims would ultimately be allocated to the small claims track was rejected as the application was heard before the claims had been allocated.
Data controllers should always endeavour to reply to legitimate SARs within the requisite timescale. Where further time is needed, or if issues need to be clarified, communication is key, and regard should be had for the ICO’s guidance on these issues. However, these county court decisions are a helpful reminder that mere breaches of the statutory data protection regime will not necessarily ground a claim for damages. As was the case in Rolfe v Veale Wasbrough Vizards LLP [2021] QB (see our update here), claims that do not reach a threshold of seriousness (and are therefore de minimis) may be susceptible to strike out and carry adverse costs consequences for the claimant.
For more information on the services we offer relating to data, information governance, cyber liability and GDPR, contact our data protection and GDPR solicitors.
