Rudd v Bridle – The Who And What Of Subject Access Requests Under GDPR

Author:Mr John MacKenzie
Profession:Shepherd and Wedderburn LLP

The case of Rudd v Bridle is an interesting example of data protection law in the UK, and specifically subject access requests, being used in the context of litigation. We have already considered our legal relationship to that third-party controlled personal data, and also fundamental privacy rights. Now we look at the scope of personal data.

In this case the claimant was a doctor who specialised in the science of exposure to asbestos, including chrysotile, or “white asbestos”, and the causal connections between such exposure and the development of mesothelioma, lung cancer and other diseases. He had given expert evidence in many cases in the United Kingdom in which claimants have sought damages for mesothelioma, lung cancer, asbestosis and pleural disease allegedly caused by exposure to asbestos, as well as in other claims for compensation for respiratory disease.

The allegation was that the defendants had made complaints to the General Medical Council, and to Michael Gove MP the then Justice Secretary. The complaints were, in general terms, that the Claimant was involved in a “conspiracy” with various claimant law firms in which he provides false evidence about the risks associated with exposure to chrysotile asbestos.

Subject access request

Mr Rudd sent a subject access request to certain entities seeking “the information about Dr Rudd that he is entitled to under the Data Protection Act. In particular ... information containing his personal data which relates to his work in acting as an expert in cases brought by individuals seeking compensation for mesothelioma.”

The judgement of the court covered a range of issues, one of which was the extent of the search that a data controller needs to carry out. The court said:

“71. It is indeed clear law, at least domestically, that a data controller on which a SAR is served is only required to conduct a reasonable and proportionate search for the applicant's personal data. This principle, first identified by Judge Hickinbottom (as he then was) in Ezsias v Welsh Ministers (unreported, 23 November 2007) at [97], is authoritatively confirmed in the passages cited from Ittihadieh. One consequence is that compliance “does not necessarily mean that every item of personal data relating to an individual will be retrieved”: Ittihadieh [103] (Lewison LJ).”

The meaning of personal data

For present purposes, the interesting issue is the extent of the concept of personal data. The court said:

99. Where the...

To continue reading