DUAA provides greater legal certainty on SARs for controllers

Gary Brooks of Data Protected advises on how to deal with large and complex subject access requests in light of the Data (Use and Access) Act and new ICO guidance.

How organisations handle subject access requests (SARs) is the subject that the UK Information Commissioner’s Office (ICO) receives the most complaints about in practice. At the same time, the complexity and volume of SARs are on the increase in the UK, continuing to impose a considerable operational burden and cost on organisations. The adverse impact is particularly great when expansive SARs are made tactically by customers and employees in the context of a grievance, dispute or litigation to find out facts and/or put pressure on the organisation concerned.

This is not a new trend, however. Ever since the landmark case of Durant v FSA in 2003(1), the UK courts have been trying to strike a balance between the privacy rights of individuals and the legitimate wishes of data controllers to adopt a robust and proportionate response when faced with individuals, like Mr Durant, who abuse the right of access as a litigation weapon. In the Durant case, the Court of Appeal sought to reduce the operational burden imposed on controllers that receive SARs by narrowing the interpretation of the personal data concept at that time, emphasising that SARs are not a litigation tool for “fishing expeditions” and that the purpose of the right of access is generally to enable individuals to verify the lawfulness of the processing of their data.
