New guidance for businesses faced with data subject access requests
In an important decision concerning the scope of the Data Protection Act 1998, the Court of Appeal has highlighted a number of factors to be taken into account by businesses faced with a Data Subject Access Request. The Court provided a narrow interpretation of the terms "personal data" and "relevant filing system" and in so doing explored the primary objective of data protection legislation.
In reviewing the case of Durant v Financial Services Authority [2003] EWCA Civ 1746, the Court of Appeal has addressed key issues under the Data Protection Act 1998 ("the Act") and provided guidelines on the extent to which a business must comply with a Data Subject Access Request.
Under section 7 of the Act, an individual is entitled to obtain a copy of all personal data held by a data controller. The Court dismissed the appeal of Mr Durant, who, pursuant to section 7, had requested disclosure of various documents held by the FSA concerning a dispute between Mr Durant and Barclays Bank plc. The FSA had withheld these documents on the basis that they did not constitute "personal data" and were not organised within a "relevant filing system" for the purposes of the Act. The case discussed the following issues:
- "Personal Data"
The purpose of section 7 is to allow an individual access to "personal data" to check that there has not been an unlawful invasion of privacy, not to provide automatic access to any information in which the individual may be named or involved. The mere mention of the individual in a document does not necessarily amount to personal data. To fall within the definition of "personal data" in section 1(1) of the Act and thus give rise to an obligation of disclosure under section 7, there must be an element of relevance or proximity to the data subject. Consideration should be given as to whether the information is biographical in a significant sense and whether the information has the individual as its focus. The information regarding Mr Durant was not personal data: although he was named, the court found that the information concerned a complaint involving him rather than information about Mr Durant personally.
- "Relevant Filing System"
An individual only has the right to access his personal data held electronically or in manual files that are part of a relevant filing system. The file must be a set of information relating to an individual, structured by reference to an individual or by reference to criteria relating to individuals, and structured in a way that specific information relating to a particular individual is readily accessible. The fact that the FSA's file was named "Mr Durant" did not bring the file within the definition, as the filing system was structured by reference to date rather than to the individual. Manual files covered by the Act should have accessibility similar to that of a computerised system, and emphasis was put on the speed with which data relating to the person can be located; if a lengthy manual search is required to locate the data then this type of file is not within "a relevant filing system".
The case provides a useful clarification of data protection law at a time when the number of Data Subject Access Requests is on the increase, and is of great importance to businesses that regularly face such requests. The narrow interpretation of personal data will ensure that an individual who requests access to data in future will only be guaranteed disclosure of information which is necessary in order to protect their privacy and will prevent individuals from abusing the Act in order to obtain access to information for other purposes.
The Information Commissioner has recognised the significance of this judgment by publishing comments in which it is acknowledged that guidance issued by the Information Commissioner's Office will need to be reviewed.
For further information, please contact John Armstrong by telephone on +44 (0) 20 7367 2701 or by e-mail at john.armstrong@cms-cmck.com, or Emma Burnett by telephone on +44 (0) 20 7367 3565 or by e-mail at emma.burnett@cms-cmck.com.