In Mr H v Mr C & Others a significant judgment was recently issued in the High Court which considered whether a data subject of a Data Subject Access Request (DSAR) under the UK General Data Protection Regulations (UK GDPR) and Data Protection Act 2018 (DPA) was entitled to know the identity of recipients of their personal data. This decision will now be legally binding unless the decision is successfully appealed and is therefore relevant to employers who often deal with employee DSARs.

In this case, Mr H brought a claim against ACL (a landscape gardening business) and Mr C (Owner and Director of ACL) (the Defendants) after they refused to comply with his DSAR, in which he requested the identities of the recipients to whom his personal data was sent.

Mr H hired the Defendants to work on his property but later terminated their agreement, as he wasn’t satisfied with the services provided. The Defendants claimed that Mr H owed them payments for work already completed and, in response, Mr H threatened Mr C over the phone. Mr C covertly recorded these conversations, which he shared with some family members, friends and colleagues. These recordings subsequently made their way to some of Mr H’s peers and business competitors and, according to Mr H, allegedly affected his business. When Mr H found this out, he submitted a DSAR to the Defendants requesting, amongst other things, the identities of all the individuals to whom his personal data (including the recordings) were sent to. The Defendants refused to comply with the request on the basis that:

• The exemption under Article 2(2) of the UK GDPR applied as the Defendants processed the data in the course of purely “personal or household activity”;
• Mr Cameron was not a data controller in his personal capacity; and
• In any event, the Defendants could rely on the ‘rights of others’ exemption under paragraph 16 of Schedule 2 to the DPA as they did not have the recipients’ consent and it would be unreasonable to disclose their information given the circumstances.

The High Court considered these three issues and found in relation to the first two that, as the recorded phone calls were business calls made by Mr C as a director of ACL, where he enquired about the termination of the contract, which the Defendants then collected and held and subsequently shared with employees of ACL, it was not processed on a purely personal basis.

However, the Judge did find that Mr C was not a data controller in his personal capacity, as he was acting in his capacity as director.

Regarding the final issue, the Defendants’ believed that disclosing the identities of the recipients would put them at significant risk of intimidation and harassment from Mr H, and the recipients did not consent to their personal information being shared. The Judge agreed with this and concluded that it would not be reasonable to disclose the recipients’ names and on the facts of this case, the ‘rights of others’ exemption applied. However, although the Defendants were entitled to withhold this information in these circumstances, the Judge emphasised that, if a data subject requests the identifies of the recipients and not the category of recipients, they were, in principle, entitled to this information, unless an exemption can be relied upon.

Source: Lexology