DSARs: Requesters entitled to identities of recipients of data

A recent High Court decision includes important legal points on data subject access requests (DSARs). By Jon Baines of Mishcon de Reya.

A very significant data protection subject access judgment was recently handed down in the High Court, in the case of Harrison v Cameron & Another(1). As a judgment of the High Court it has binding effect, and unless appealed, its findings must be followed.

It clarifies, or confirms, some key points for all those who make, respond to or advise on such requests, whether they are made under the UK GDPR(2) or – in the case of subject access requests to law enforcement authorities – under part 3 of the Data Protection Act 2018.

Key rulings were made in particular to the effect that:

  1. Requesters are entitled, in principle, to be informed of the identities of the recipients of their personal data (not just the categories of recipient).
  2. The subject access regime has a “specific and limited purpose, which is to enable a person to check whether a data controller’s processing of his or her personal data unlawfully infringes privacy rights and, if so, to take such steps as the data protection law provides”.
  3. A director of a company, when acting as such, will not be a “controller”.

Continue Reading

UK Report subscribers, please login to access the full article


If you wish to subscribe, please see our subscription information.