LEES V. LLOYDS
COURT DISMISSES REPETITIVE DATA SUBJECT ACCESS REQUESTS
Legal News | 21/07/21
In the case, Lees v. Lloyds, the data subject, Mr Lees (the claimant) issued a claim against Lloyds Bank Plc (Lloyds) for failing to provide an adequate response to various Data Subject Access Requests (DSARs) in breach of the Data Protection Act 2018 (DPA 1998) and General Data Protection Regulation (GDPR).
The Court decides whether to make an order in circumstances where there is a failure to provide a proper response to a Data Subject Access Request (DSAR).
In this case, the Court’s view was that the bank’s responses to the claimant’s DSARs were adequate and the claimant’s claim was dismissed.
The claimant entered into buy-to-let mortgages for three properties with Lloyds, which subsequently became subject to orders for possession. In addition to the litigation in respect of the mortgages, the claimant submitted several DSARs to Lloyds between 2017 and 2019. Lloyds responded to each DSAR received.
In summary, the claimant alleged that Lloyds had failed to provide a copy of his personal data contrary to GDPR and the Data Protection Act 2018 (DPA 2018). In fact, the three DSARs were made when the DPA 1998 was in force. The DPA 2018 only came into effect for most purposes on 25 May 2018 and otherwise from 23 July 2018. GDPR provides data subjects with rights of access to personal data like those under the DPA 1998.
COURT’S REASONS FOR THE DECISION
In reaching its decision, the Court considered the Court of Appeal case of Ittihadieh v 5–11 Cheyne Gardens RTM Co Ltd and others  and specifically the factors which must be taken into account when striking the balance between the right of the data subject to have access to his personal data on the one hand, and the interests of the data controller on the other.
The Court considered that even if the bank had not responded adequately, there would have been good reasons for declining to exercise its discretion to make an order that the bank should respond to the DSARs. These reasons included:
1. numerous and repetitive DSARs which were abusive;
2. the real purpose of the DSARs was to obtain documents rather than personal data;
3. there was a collateral purpose behind the requests, to obtain assistance in preventing the bank from bringing claims for possession; and
4. the data sought was of no benefit to the claimant.
IS THE HIGH COURT DECISION WELCOMED?
Whilst GDPR makes allowances for data controllers to refuse to respond to DSARs that are “manifestly unfounded or excessive”, the current ICO guidance suggests that the bar to demonstrate this is high. To decide if a request is manifestly unfounded or excessive, a data controller must consider each request on a case-by-case basis and shouldn’t have a blanket policy in place. A data controller must demonstrate why it considers the request is manifestly unfounded or excessive and, if asked, be able to explain its reasons to the Information Commissioner.
Furthermore, it should be noted that GDPR and the DPA 2018 don’t require a data controller to consider points 2 – 4 (above) when responding to a DSAR. In fact, GDPR gives an individual the right to obtain a copy of their personal data as well as other supplementary information to help them understand how and why their data is being used and whether it is being used lawfully. DSARs must be complied with without undue delay and at the latest within one month of receipt of the request.
Whilst the High Court decision is welcomed, it’s unclear whether the decision, in this case, takes precedence over GDPR, DPA 2018 and/or ICO guidance.
Although responding to DSARs can be time-consuming and expensive, each case will use its own facts. Data controllers should consider the rights of access of a data subject and should follow the ICO’s guidance when responding to DSARs to avoid exposing themselves to penalties.