Holyoake v Candy and another  EWHC 52 (QB) saw the U.K. High Court look into the issue of compliance with a data subject access request (DSAR).
The parties in this case were already involved in high-value court proceedings. The claimant made a DSAR to the defendants requiring them to provide him with all data they held about him, seemingly with a view to obtaining early disclosure of information in those proceedings. The defendants provided a limited amount of information in response to this DSAR. The claimant made an application to the High Court for compliance with the DSAR. One of the main issues to be determined was whether adequate searches had been carried out, including whether the private email accounts of directors of the defendant company should have been searched.
The High Court found that the defendants had carried out reasonable and proportionate searches. In particular, it was noted that the searches had involved a review of over 17,000 documents and generated time charges in excess of £37,000. On the issue of whether the directors’ private email accounts should have been searched, the Court stated that while company directors who use personal email accounts for corporate business may owe the company a duty to allow access to that account to enable the company to comply with a DSAR, the company is not bound to request this without sufficient reason. There is also no general right for companies to check the position. In this case, the Court found that there was no evidence that the accounts were used for business purposes.
It should be noted that the Court of Appeal is currently considering the lawfulness of making DSARs for the purpose of obtaining early disclosure in litigation and we will report on this decision in due course.