The recent judgment in Rudd v Bridle and J&S Bridle concerned exemptions from the provision of information following a subject access request (SAR) being made.
Dr Rudd was a medical expert on exposure to asbestos. Mr Bridle meanwhile was a campaigner on asbestos issues who was sceptical of the claims made about exposure to asbestos. He considered Dr Rudd to be part of a conspiracy to assist asbestos claimants to recover damages, had attempted to have him struck off by the GMC and had described him in communications with people whom Mr Bridle declined to identify as a crook, discredited and as the main expert for the forces of evil, amongst other things.
Dr Rudd made a SAR request because he wanted to find out more about what Mr Bridle was doing. When the response was inadequate he sought a remedy before the court against both Mr Bridle and his company, J&S Bridle who it was indicated may well be the correct data processor. The case was defended on the basis that almost all the information requested under the SAR was exempt on the grounds of legal professional privilege, the journalism exemption or the regulatory proceedings exemption.
The judge found Mr Bridle to be an unreliable and unimpressive witness and found Dr Rudd's legal team to have failed to properly plead their case. The legal team was also criticised for seeking disclosure of documents. Learning point 1 from this case is that subject access rights are to data - that means information, not the disclosure of documents.
The court went into some detail relating to the exemptions Mr Bridle attempted to rely upon. A general point arising from that was the fact that a data controller's solicitor has reviewed material and advised it is covered by an exemption will not be treated as conclusive by the court. In this case the solicitor who concluded the regulatory and journalism exemptions applied had been relying on Mr Bridle who the court found to be an unreliable witness.
The judge took a general approach to the requirement to provide a description of the purposes of processing - it was enough to provide a description of the essence of what the controller is doing with the data, a document by document description was not necessary. The judge also rejected an argument that there was a requirement of intelligibility that obliged a controller to disclose not just personal data but additional information to put that data into context. That means that an extract from a paragraph, or even part of a sentence, may suffice.
Both these conclusions will be welcomed by those who receive SARs, as will the conclusion that the recipients of emails containing personal data about Dr Rudd need not be disclosed as they did not form part of his personal data, although a description should be given eg "solicitor" or "medical practitioner".
However, the judge took a different view when it came to disclosure of the identity of people alleged by Mr Bridle to be co-conspirators with Dr Rudd - in that case their specific identities should be disclosed. It would be a matter for the data controller to decide on a case by case basis if those individuals consent was needed before their names were disclosed. Similarly the judge found that data controllers must provide the actual identify of the source of data, not just a description of that source, although it wasn't clear on whether the name of the organisation responsible was sufficient or if the individual within that organisation required to be identified.
Although this case arose under the previous Data Protection Act, the judgement and the guidance it contains is relevant under the GDPR. For those handling SARs there are both positives and negatives to be taken from the judgment. Something that was clear though was the endorsement of the ICO Guidance documents on responding to a SAR which can be accessed here.