20 March 2020
What constitutes a “relevant filing system” for the purposes of section 1(1) of the Data Protection Act 1998? While this may sound like a rather esoteric question, it is in fact highly relevant for data controllers faced with subject access requests.
The Data Protection Act 2018 and the General Data Protection Regulation apply to personal data processed wholly or partly by automated means and to processing by other means where the data forms part of a filing system or is intended to form part of a filing system.
The Court of Appeal first considered this question in Durant v Financial Services Authority  EWCA Civ 1746, where it found that a “relevant filing system” was limited to a system:-
- in which the files forming part of it are structured or referenced in such a way as clearly to indicate at the outset of the search whether specific information capable of amounting to personal data of an individual requesting it is held within the system and, if so, in which file or files it is held; and
- which has, as part of its own structure of referencing mechanism, a sufficiently sophisticated and detailed means of readily indicate whether and wherein an individual file or files specific criteria or information about the applicant can be readily located.
Seventeen years later, the Court of Appeal has overturned Durant in the judgment issued in Dawson-Damer v Taylor Wessing LLP  EWCA Civ 352.
The Court of Appeal now considers that a data controller, in assessing whether it has a “relevant filing system”, should ask:-
- First, are the files it controls a “structured set of personal data”?
- Secondly, are the data accessible according to specific criteria?
- Thirdly, are those criteria “related to individuals”?
- Fourthly, do the specific criteria enable the data to be easily (or “readily” as the 1998 Act puts it) retrieved?
In Dawson-Damer the claimant was seeking to recover personal data contained within 35 manual solicitor’s files. In answering the fourth question above, the Court of Appeal applied the “temp test” of the Information Commissioner. Where a data controller employs a temporary administrative assistant (a ‘temp’) you need to ask whether the assistant would be able to extract specific information about an individual from the data controller’s manual/digital records without any particular knowledge of the data controller’s type of work or the documents. The ‘temp test’ assumes that the temp in question is reasonably competent, requiring only a short induction, explanation and/or operating manual on the particular filing system in question for them to be able to use it.
In Dawson-Damer the Court of Appeal considered that the fact that solicitors had been required to review the 35 paper files individually for relevant material there was a clear indication that the structure of the data controller’s filing system in this situation did not enable ready access to the data. As the data was not easily accessible, the Court of Appeal decided that the 35 files were not a relevant filing system within the meaning of the 1998 Act. While this particular case was still assessed with reference to the 1998 Act, the decision will also apply to GDPR and 2018 Act cases.
The decision will impact on organisations dealing with subject access requests, particularly in the nature and extent of searches that a data controller may require to undertake to respond to any request. If a data controller asks a solicitor to respond to a subject access request on their behalf that will not, by itself, mean that the data is not easily accessible. Whether the data is easily accessible for the data controller remains an objective matter for the court to consider.
Contacts David Gray, Senior Solicitor firstname.lastname@example.org T: 0131 222 2939