The rules around a person’s right to access data relating to them in contentious cases vary between Ireland and the UK, Mason Hayes & Curran Lawyers explains.
The UK High Court recently examined the circumstances in which an individual can make a subject access request (SAR) for their personal data under the UK Data Protection Act 1998 (DPA).
This arose due to the case of ‘Kololo v Commissioner of Police for the Metropolis’. Ali Babitu Kololo, sentenced to death for a serious crime in Kenya, submitted a SAR to the Metropolitan Police Service (the MPS), which assisted with the investigation.
The High Court, exercising its discretion under the DPA, ordered the MPS to comply with the SAR made on behalf of Kololo. The case highlighted a somewhat marked difference between the Irish and English approaches to SARs.
History behind the case
Kololo was found guilty of robbery with violence and kidnapping British nationals and was sentenced to death by a Kenyan court.
As part of a challenge to his conviction, lawyers for Kololo submitted a SAR to the MPS.
This mechanism allows an individual to request any information relating to them held by the person or organisation controlling the data. The MPS refused to grant Kololo’s request on the basis that it constituted an abuse of process. It argued that the SAR was an improper attempt to circumvent certain UK laws that enabled overseas courts or prosecuting authorities to request the assistance of UK authorities in obtaining evidence — the Crime (International Co-Operation) Act 2003 (CICA).
Under the DPA, UK courts have discretion as to whether to order compliance with SARs.
The court indicated this statutory discretion was “general and untrammelled”. However, it accepted that its exercise of this discretion should be proportionate and should give effect to the principles behind the DPA. Kololo’s primary reason for making the SAR was to determine whether there were inaccuracies in the data retained by the MPS.
The court noted that Kololo would, therefore, want to correct any inaccuracies discovered in the hope that it might assist with his case.
What were the court’s findings?
The court rejected the argument that the SAR was an abuse of process, finding that there was nothing to indicate that CICA should be the exclusive route to obtaining evidence.
Looking to the purpose behind the SAR — to determine whether the data held was accurate — the court ordered the MPS to comply with the SAR.
This was influenced by the fact that Kololo had been sentenced to death. Furthermore, the existence of parallel proceedings in Kenya, for which the verified or corrected data was sought, did not of itself amount to a reason to refuse the SAR.
The Irish situation
The English courts’ focus on the purpose behind a SAR is markedly different from that adopted by the Irish courts. The Irish High Court, in ‘Dublin Bus v Data Protection Commissioner’, confirmed that an individual does not have to explain their reasons for making a SAR. The Irish court emphasised that, under Irish law, a SAR was not a matter of discretion but rather a statutory right, which is subject to limited exemptions.
The Dublin Bus case came before the Irish High Court after the Data Protection Commissioner (DPC) ordered Dublin Bus to provide CCTV footage to Margaret McGarr in the context of her personal injuries claim.
In contrast to the Kololo case, in Ireland an individual usually applies to the DPC to enforce a SAR. If the DPC feels there has been non-compliance, she can issue an ‘enforcement notice’ compelling compliance. The business that receives the enforcement notice can appeal it before the courts but, unlike in the UK, there is no equivalent discretion under Irish law for a court to decide whether to compel compliance with the SAR.
In Ireland, a SAR generally must be complied with, unless a statutory exemption can be made out.
What does this mean?
Both cases highlight the possibility of using a SAR to obtain personal data for evidence in a court case. The common theme is that if an individual submits a SAR in order to scrutinise evidence either before or after a case, the request will generally be regarded as a lawful exercise of data protection access rights. The cases do highlight the difference in regulatory models between the UK and Ireland. While the English courts have discretion under the DPA to order compliance with a SAR, the Irish courts do not have such discretion. In Ireland, a SAR must be complied with unless one of the limited statutory exemptions can be made out.
Tech Law is a weekly series brought to you by Irish law firm Mason Hayes & Curran, whose legal tech team advises the world’s top social media organisations and emerging start-ups. Check out www.mhc.ie for more.
The content of this article is provided for information purposes only and does not constitute legal or other advice.