Introduction

The recent Sheriff Court case of Riley v Student Housing Company provides helpful clarification on data controller requirements in terms of GDPR regulations.

Background
The Pursuer was a former employee of the Defender. Another employee, Mr Adamson raised employment tribunal proceedings against the Defender. Mr Adamson made allegations that the Pursuer had verbally abused him during the course of his employment.

The tribunal decision in favour of Mr Adamson was widely reported in the media. The Sun newspaper personally named the Pursuer within their article writing the Pursuer made ‘vile jibes’ towards Mr Adamson.

The Pursuer brought a claim of damages (£75,000) against the Defender claiming it had breached its duty to process his personal data lawfully and fairly by disclosing his information for the purposes of the employment tribunal proceedings Mr Adamson had raised. The Sheriff put the case to debate to hear legal arguments on the use of the Pursuer’s personal data by the Defender with reference to UK GDPR and the Data Protection Act 2018.

Parties Position
The Pursuer argued the Defender had breached UK GDPR principles. These principles are known as the “listed GDPR provisions” which lie at the heart of the data protection regime. In particular the Pursuer said the Defender had breached GPDR regulations by failing to process his data in a fair and transparent manner, and disclosing it for a reason other than that for which it was collected without informing him.

The Defender argued that Paragraph 5(3) of Schedule 2 of the Data Protection Act 2018 provided that in certain circumstances data controllers are exempt from complying with the listed GDPR provisions. Paragraph 5(3) states the listed GDPR provisions do not apply to personal data where the disclosure of the data:

(a) is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings),
(b) is necessary for the purpose of obtaining legal advice, or
(c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

The Defender relied on the provision that the disclosure of the data had indeed been necessary in terms of legal proceedings.

The Pursuer argued the exemption would only apply if the Defender could not comply with all GDPR listed provisions. However, the Defender’s position it was not necessary for a data controller to show they were unable to comply with all GDPR listed provisions otherwise the exemption would futile.

Decision
The Court favoured the Defender’s submissions and dismissed the Pursuer’s claim.

The Court found that the duties of a data controller should not fetter their discretion to conduct legal proceedings.

Comments
• Data controllers do not have to show they have been unable to comply with all GDPR listed provisions in order to rely upon exemptions.
• The purpose of Paragraph 5(3) of Schedule 2 of the Data Protection Act 2018 is to ensure a data controllers discretion to conduct legal proceedings is not hindered.
• Provides a useful reminder to those bringing a claim of the level of detail expected by the Courts. The onus is on the Pursuer to prove their case and provide the necessary detail and evidence to support the sum sued.

We have an experienced team that are able to advise on all issues relating to data protection. Please contact our team here if you would like more information or advice.