The Use and Abuse of Subject Access Requests in Civil Litigation

Felix Levay & Connor Wright
Written by:

Oliver Edwards


An article by pupil barristers Felix Levay and Connor Wright.

The UK GDPR may have been intended to safeguard people’s privacy, but it has proved a useful tool for claimants seeking early disclosure by other means. In both Employment and Personal Injury claims, claimants – and potential claimants – often make a Subject Access Request (‘SAR’) to obtain documents for the purposes of litigation.

In this article, we look at how this practice has developed, and whether upcoming reforms may curtail it.

The Subject Access Request

The General Data Protection Regulation (‘GDPR’) was implemented in the UK by the Data Protection Act 2018. Post-Brexit, it has been retained as the UK GDPR. The GDPR, like its predecessor, the Data Protection Directive, sets out the rights of ‘data subjects’, i.e. individuals, and the obligations of those who collect and use their data.

Crucially, data subjects have a right to know whether a ‘data controller’, for example an employer, holds any of their ‘personal data’.

Personal data in this context simply means information that relates to an identified or identifiable individual; it is an expansive definition. It will generally extend to e-mails, minutes of meetings, etc, which directly concern or mention a data subject.

This often overlaps with the sort of documents that might be included in disclosure. As data subjects can make an SAR at any time and for no cost, it is an attractive option for would-be claimants.

Data controllers have one month to reply to an SAR, although this can be extended to 3 months for complex requests. There are limited exceptions to this obligation – for example, where providing the requested data would involve sharing the personal data of a third party who has not consented.

Generally, though, a data controller is only entitled to refuse – or alternatively charge for – an SAR where it is ‘manifestly unfounded or excessive’. These are both relatively high bars, as guidance from the Information Commissioner’s Office (ICO) makes clear.

An SAR will be manifestly unfounded where it is clear the data-subject has no intent to exercise their rights or is acting maliciously. The ICO give the example of a data-subject who offers to withdraw their request in exchange for a benefit.

Whether an SAR is ‘manifestly excessive’ requires more judgement. Case law has established that data controllers’ obligations concerning SARs are subject to the principles of ‘reasonableness’ and ‘proportionality’, and the most current ICO guidance takes this into account concerning the ‘manifestly excessive’ exemption; data controllers are permitted to consider the resources they have available.

SARs in Litigation

From the prospective claimant’s point of view, a key benefit of making an SAR is that there is no cost. A data subject cannot obtain precisely the same information they would in disclosure, but they will likely obtain much that is useful.

An SAR is also particularly useful if pre-action disclosure is sought from someone who is not anticipated to be a party to the claim. For example, a prospective claimant may wish to bring clinical negligence proceedings against a surgeon and need records from the private hospital from which the surgeon operates. In such a situation, an SAR could be a cheap alternative to seeking a Norwich Pharmacal order.

Use of SARs is particularly common in the Employment claims, as employers generally have the records a claimant will need.

Collateral Purposes

SARs are easy to make, but they can be extremely laborious to respond to. In the workplace, this may involve combing through a large number of e-mails and social media messages, as well as deciding which bits of third-party data need to be redacted.

Unsurprisingly, many data controllers have objected to claimants and potential claimants making SARs for the ‘collateral purpose’ of assisting them to prepare for litigation.

There is a line of cases dealing with this issue, which originally arose in relation to  the GDPR’s forerunner, the Data Protection Directive, as implemented by the Data Protection Act 1998. In Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74, the Court of Appeal concluded that an SAR was not invalid simply because it had been made ‘for the collateral purpose of assisting in litigation.’

However, in Ittihadieh v 5–11 Cheyne Gardens RTM Co Ltd [2018] QB 256 the Court held that, though not dispositive, the presence of a ‘collateral purpose’ might be taken into account by the Court when deciding whether to make an order that a data controller should provide the relevant data. More recently, in Lees v Lloyds Bank Plc [2020] EWHC 2249 (Ch), Master Marsh commented that had it been necessary to determine the issue, he would not have made such an order, specifically mentioning the collateral purpose behind the SAR as one of the relevant factors.

ICO guidance does not necessarily reflect this nuance. Certainly, current ICO guidance  to employers simply highlights that they cannot refuse an SAR on the grounds that data subject is bringing a claim against them in the Employment Tribunal.

Equally, disclosure orders or the lack thereof in ongoing litigation do not impact the underlying duties of data controllers. In 2021, the ICO published an enforcement notice against an employer who had refused an SAR on the grounds that there was an ongoing claim against it by the data subject and the Employment Tribunal had not yet made a disclosure order. In fact, the employer had misrepresented its communications with the Tribunal to the ICO, but the key point was, as the Tribunal stressed, it had ‘no jurisdiction to deal with matters relating to data protection requests’.

Consequences for non-compliance

If a data controller does not comply with its obligations concerning an SAR, a data subject has two options. One is to bring a claim to enforce their rights under s. 94 of the Data Protection Act 2018. Of course, this is neither as quick nor as cost-effective as an SAR. Furthermore, judges seem keen to discourage claims for enforcement, and it is unlikely in most cases to be a course of action that is proportionate to the underlying claim.

The other option under the UK GDPR is to make a complaint to the ICO. However, the ICO will not necessarily take regulatory action based on complaints from individuals. For reference, the ICO’s Q2 figures for 2024 show that over 99% of complaints resulted in either no further action or ‘informal action’ being taken. Curiously, the UK GDPR set out a regime that can be onerous for data controllers to comply with, but for which non-compliance can incur little in the way of penalties.

Generally, where there is non-compliance in civil cases, the standard options will be preferable to a s. 94 claim: pre-action disclosure, a Norwich Pharmacal Order, or disclosure against a non-party once the underlying claim has been brought.

Nonetheless, data controllers will generally want to comply with UK GDPR duties – especially larger data controllers. In this regard, it will be interesting to see the impact of the ICO’s recent publication of sanctions on popular social networking sites such as TikTok. We suggest that it can only encourage compliance, on account of an increased risk of reputational damage. Additionally, a sufficient number of individual complaints may influence the ICO regarding its investigations.

Is change coming?

In a 2021 government consultation on data protection, respondents highlighted the use of SARs ‘as a means of circumventing strict disclosure protocols, to gain access to information on prospective litigation’. Whether or not that is a fair characterization, the government has introduced legislation that is designed to ease the burden on data controllers.

The Data Protection and Digital Information Bill, currently in the House of Lords, is part of the government’s broader post-Brexit strategy for data regulation.

Clause 9 will amend the threshold for refusing an SAR from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’. ‘Vexatious’ requests will include those that are ‘intended to cause distress’, ‘are not made in good faith’, or ‘are an abuse of process’.

Should the Bill pass unamended, it will remain to be seen how big of an impact it has on the use of SARs for collateral purposes like litigation. While it does not appear to fall within the stated aim of the Bill, it does seem that anticipated or ongoing litigation is context that could be taken into account when deciding whether the ‘vexatious’ threshold has been reached. Ultimately, it will be necessary to see what case law developments there are and whether the ICO updates its guidance.

For now, though, SARs remain a useful tool for prospective claimants.   

Written by Oliver Edwards