Insights Subject Access Requests: High Court clarifies when the identities of recipients of a data subject’s information can be withheld


The High Court has handed down judgment in a case which considers various provisions of the UK General Data Protection Regulation (“UK GDPR”) in the context of seeking subject access requests. The judgment confirms that there are circumstances in which a data controller may be permitted to withhold the identities of third parties who have been provided with a data subject’s personal data.

The case centred on a dispute between the claimant, Mr Harrison, a chief executive of a real estate investment company, and the first defendant, Mr Cameron, a landscape gardener who owned his own landscape gardening business (the second defendant, ACL) and was employed to work on Mr Harrison’s property. During the course of the work, Mr Harrison lost confidence in Mr Cameron and terminated their agreement. In turn, Mr Cameron claimed that Mr Harrison was behind with payments for work that had already been carried out. The relationship between the two soured significantly to the point that Mr Harrison began to threaten Mr Cameron.

At the suggestion of others, Mr Cameron recorded two telephone calls with Mr Harrison during which, in the words of Mrs Justice Steyn, Mr Harrison’s behaviour was “seriously and persistently menacing”. For example, Mr Harrison was heard to say “you try and take anything offsite, and you will have a visit from two of my friends from Manchester, you try and take any materials off this site and I will send some people to pay you a visit you will never forget, you and your family will never forget” and “I will see you in a couple of hours and then we will thrash it out, THRASH being the operative word”.

Mr Cameron felt distressed that Mr Harrison might act on his threats and so complied with his demands. He also shared the recordings with a number of family members and friends because, in his words, “I wished them to know that I had been threatened in case the Claimant made good on any of his threats of violence. I also wanted their advice and assistance about what I should do in this difficult situation. I did this for purely personal reasons and in a personal capacity as a father and husband, as well as for myself and my own personal safety. My concern was for my and my family’s safety”.

He later also shared the recordings with some of the employees of ACL. The recordings were then disseminated more widely, including to individuals involved in the sale of a shopping centre which Mr Harrison’s company were interested in buying. Whilst for the purpose of this case the judge was not required to determine how much the recordings may have influenced the seller’s decision to reject offers from Mr Harrison’s company, the evidence was that that “money was not necessarily the main motivating factor… if they were to sell their freehold interest they would want to make sure it was sold to a counterparty that would not tarnish their reputation in any way”.

Mr Harrison’s lawyers subsequently wrote to Mr Cameron’s lawyers saying that Mr Harrison “has become aware that your client has disclosed and/or sent copies of the Recordings to several third parties in the property industry” and sought disclosure of “the names of all the individuals to whom [he] has disclosed the Recordings”. In the absence of a satisfactory response, Mr Harrison’s lawyers submitted a DSAR requesting a copy of all of Mr Harrison’s personal data being processed by Mr Cameron and all of the following information:

  1. The purposes of the processing;
  2. The categories of personal data concerned;
  3. The recipients or categories of recipients to whom the personal data have been or will be disclosed; and
  4. Where such personal data were not collected from the Mr Harrison [sic], any available information as to their source.”

Mr Cameron refused to comply with this request, arguing that the UK GDPR and Data Protection Act 2018 (DPA 2018) did not apply to the processing of personal data in the course of purely personal or household activity (as set out in Art 2(2) of the UK GDPR). In response, Mr Harrison issued a claim for an order that Mr Cameron and ACL comply with the DSAR.

The High Court was confronted with three issues:

  1. Did Mr Cameron’s processing of Mr Harrison’s personal data fall outside the scope of the UK GDPR/DPA 2018 as his processing was “in the course of a purely personal or household activity“?
  2. If not, was Mr Cameron a data controller in his personal capacity?
  3. In relation to either Mr Cameron or ACL processing his personal data, was Mr Harrison entitled to know the identities of the recipients of the recordings, or could their identities be withheld?

Turning to the first issue, Mrs Justice Steyn held that when Mr Cameron recorded the calls, “that act of processing was plainly done by him in his capacity as a director of ACL. Mr Cameron was telephoning Mr Harrison about his decision, as a client of ACL, to terminate their contract”. As a result, the calls were business calls, recorded by Mr Cameron as director of ACL, and the recordings constituted personal data collected and held by ACL. Similarly, when Mr Cameron sent the recordings to ACL employees, “he did so as a director of ACL”. It was therefore not open to Mr Cameron to argue that he was acting in the course of a “purely [our emphasis] personal or household activity” for the purposes of the exemption at Article 2(2) UK GDPR.

As for the second issue, it was held that Mr Cameron was not a data controller in his personal capacity: irrespective of the fact that Mr Cameron “decided the means and purposes for which the personal data were to be processed”, he was acting in his capacity as a director of ACL when he recorded the calls and shared the recording. Mrs Justice Steyn was keen to point out, however, that “my conclusion is not based on an assumption that it automatically follows that if the exception is inapplicable then Mr Cameron must have been acting in his capacity as a director, but on an assessment of the facts. If a rogue employee or director acts in an unauthorised fashion, they may become a “controller”. However, that is not the case here.”

The final issue that fell to be determined was whether ACL, as controller, could withhold the identities of the recipients of the recordings. At first blush, Article 15(1)(c) of the UK GDPR would suggest that it couldn’t since it states that a data subject has the right to obtain from the controller “the recipients or categories of recipient to whom the personal data have been or will be disclosed”. Furthermore, Mrs Justice Steyn held that this should be interpreted in line with recent European jurisprudence (in the Austria Post case) to mean that a data subject is entitled to the actual identity of those recipients (rather than just the categories of recipients) unless it is impossible to identify those recipients or the controller demonstrates that the data subject’s requests for access are manifestly unfounded or excessive.

However, ACL argued that it was entitled to withhold the identities of the recipients, relying on the so-called ‘rights of others’ exemption under paragraph 16 of Schedule 2 to the DPA 2018. This provides that a controller is not obliged “to disclose information to the data subject to the extent that doing so would involve disclosing information relating to another individual who can be identified from the information”. However, this provision does not apply if the other individual has consented to the disclosure, or if it is reasonable to disclose the information to the data subject without the consent of the other individual.

In short, it was Mr Cameron’s position was that he was not prepared to reveal the names of the recipients voluntarily largely because of fears of Mr Harrison approaching them, and he pointed to the actions of Mr Harrison embarking on a campaign of “setting his solicitors onto at least 23 employees of ACL, directing SARs to each of them individually”. If the identities were revealed, Mr Cameron argued, they could expect the same “aggressive, intrusive, and unwarranted” conduct. Applying the tests of paragraph 16 of Schedule 2 to the DPA 2018, Mr Cameron argued that the recipients did not consent to their identities being revealed, and that ACL, applying its discretion as data controller (which the judge accepted to be broad), had concluded that it would be unreasonable to disclose the identities of the recipients to Mr Harrison without their consent.

Mrs Justice Steyn agreed. She held that the DSAR regime “has a specific and limited purpose, which is to enable a person to check whether a data controller’s processing of his or her ‘personal data’ unlawfully infringes privacy rights and, if so, to take such steps as the DPA 2018 provides”. In my judgment, in the context of this case, it was reasonable for the Defendants to give weight to their desire to protect family, friends and colleagues from hostile litigation going beyond the exercise of rights under the UK GDPR and the DPA 2018. In all the circumstances…I conclude that ACL’s assessment that it would not be reasonable to disclose the identities of any of the recipients to Mr Harrison fell well within its margin of discretion as the controller when responding to the ACL SAR. Accordingly, the rights of others exemption applies, and so ACL complied with Article 15 in their response to the ACL SAR”.

The judgment can be read here.