Proportionality, privilege and purpose

In an important decision for employers and other data controllers, the Court of Appeal has reviewed the requirements of the Data Protection Act 1998 (DPA) governing subject access requests (SARs).

The Court had to determine how far rules of proportionality could limit a data controller's obligations to search for personal data, the extent to which legal privilege exempted documents from being included in the response to a SAR, and whether the fact that the data subject might also be seeking documents in connection with litigation allowed the data controller to refuse to comply with the SAR.