Share
This article was co-authored by Sydnie Shaw, Trainee Solicitor.
In this joint article written by our Cyber and Data Risk & Professional Liability teams, we look at the increasing use of Data Subject Access Requests as a tool in ongoing litigation.
In a world where data has a central role in almost every dispute, Data Subject Access Requests (DSARs) have become strategic weapons in litigation. Although intended to allow individuals to protect themselves by accessing their personal information, thereby enhancing transparency, increasingly, we are seeing claimants use these as an alternative to requesting full disclosure. This duality creates meaningful risks, making DSARs a focal point in many contentious matters.
The strategic rationale
So, why are claimants opting for DSARs over an application for pre-action disclosure? For claimants and their solicitors, DSARs can allow early access to personal data held by a data controller. In the professional context, the data controller may be an organisation such as an LLP, or the professional themselves if the professional is operating as a sole trader. A DSAR is made pursuant to a statutory right of access to personal data, whereas pre-action disclosure has been a hotly contested issue for many years, and the court will only order such disclosure in very limited circumstances. For an application for pre-action disclosure to succeed, the claimant must convince the court that:
- Both the respondent and applicant are likely to be a party to proceedings
- The documents requested would fall within standard disclosure and
- Pre-Action disclosure may help dispose of the proceedings, assist resolution of the dispute without recourse to proceedings, or save costs.
Making a DSAR is therefore simpler than a pre-action disclosure application. However, claimants believe they are entitled to be provided with the professional’s full file. This is incorrect and is often the cause of conflict. Given the misunderstanding that claimants are entitled to the full file, as opposed to just the personal data, claimants continue to argue that the professional is withholding documents, when they have fully complied with the DSAR.
Where provided, however, the data might allow claimants to observe how decisions were made and identify potential mishandling of information. This early access can shape litigation strategy, offering visibility and leverage at a much earlier stage to disclosure.
From a professional’s perspective, responding to DSARs can defuse issues by demonstrating transparency. A well-managed DSAR response can narrow issues, reduce speculation, and potentially de-escalate disputes.
Understanding the Pitfalls
Despite DSARs being used as a tactical tool, it does not necessarily negate the validity of the request.
We frequently help defendants navigate DSARs with confidence, advising clients on the process, and assisting in their response where required. Our support can help defendants mitigate the operational strain and complexity of complying with DSARs, which can be a burdensome and a time-consuming task, particularly when being made as a step in a potential litigation.
It is therefore important to take a pragmatic approach and understand the differences between pre-action disclosure and DSARs – something that requires careful consideration. Although the processes are similar, their fundamental purposes differ significantly. Pre-action disclosure focuses on documents relevant to a dispute, and DSARs are limited to the requester’s personal data. Conflating the two processes can increase the compliance burden, drive up costs, and risk over-disclosure, for example, of privileged documents. It is helpful for us to get involved at an early stage, to avoid rising costs or complaints to the Information Commissioner’s Office.
DSARs sit at the crossroads of data protection and dispute resolution. If handled well, they can clarify issues in dispute. However, mishandled, they may create new problems.
If you or your insured client face a DSAR, please do reach out to the team, who are happy to assist.
Related item: The UK DUA Act’s Reform Pillars: Divergence from the EU GDPR - Data Subject Access Requests (DSARS)
Insurance and reinsurance
United Kingdom