The Hidden Struggles of Accessing Personal Data: A Follow-Up on Law Firms Obstructing SARs

In my recent article, I shared my personal experience with the deliberate obstruction of a Subject Access Request (SAR) by a law firm representing an organisation I’d been in dispute with. What began as a straightforward request for my personal data turned into an arduous battle, revealing the unsettling reality that many individuals face when exercising their rights under GDPR.

Today, I want to delve deeper into the reasons why organisations, particularly when backed by legal counsel, seem to wilfully obstruct SARs and what this means for individuals seeking transparency and accountability in how their data is handled.

Why Do Organisations Obstruct SARs?

While GDPR mandates that organisations comply with SARs, many choose to obstruct or delay the process. There are several reasons for this:

1. Resource Constraints: Processing SARs can be resource-intensive. Organisations may not have systems in place to handle large or complex requests efficiently. Some may try to delay the process in the hope that the requester gives up, avoiding the work required to fulfil the request.
2. Fear of Legal Exposure: In many cases, organisations may be worried that the data being requested could expose them to legal liability or reveal internal misconduct. If disclosing the information could result in legal action, reputational damage, or financial loss, organisations may try to obscure or withhold it.
3. Lack of Understanding: Some organisations simply don’t fully understand their obligations under GDPR. This can lead to errors in how they handle SARs, such as delegating the responsibility to third parties without proper consent or agreements in place, as happened in my case.
4. Legal Counsel Tactics: When law firms are involved, there’s often a defensive strategy at play. Legal teams may intentionally delay or heavily redact information to protect their client from perceived risks. Misusing legal privilege is one way law firms can hide potentially damaging information under the guise of confidentiality between lawyer and client.

My Experience with Obstruction

I encountered several tactics during my SAR process that were clearly intended to delay or obscure the response:

1. Excessive Identity Verification: I was asked multiple times for proof of identity, even though the law firm in question already had my identification on file from previous dealings. It was obvious to me that this was simply a delay tactic. While it’s within their rights to verify identity, they already had sufficient information, which made their requests unnecessary and frustrating.
2. Delegation Without My Consent: One of the most concerning aspects of my experience was that the organisation I submitted my SAR to forwarded my request to a law firm that had previously represented the other side in a legal dispute against me. This delegation happened without my consent, and they failed to provide any notification or documentation, such as a Data Processing Agreement (DPA), which is legally required under GDPR when third parties are involved.
3. Stonewalling and Silence: When I sought clarification about the necessity of their identity requests and the law firm’s involvement, I was met with silence. This lack of communication left me feeling powerless and, quite frankly, infuriated. I had followed the legal process to the letter, and yet both the organisation and its solicitors seemed to be ignoring my legitimate requests entirely.

The ICO: Limited Powers, Limited Action

When I escalated the matter to the Information Commissioner’s Office (ICO), they did uphold my complaint, acknowledging that the organisation had breached GDPR. However, despite this finding, the ICO’s intervention didn’t lead to much practical change. The organisation and its law firm continued to handle my request in the same obstructive manner, with no real consequences for their non-compliance.

It’s disappointing, but not surprising, to see that organisations may be willing to take their chances when breaching GDPR. They know that the ICO is limited in its capacity to act decisively in every case. This imbalance creates a situation where the risk of non-compliance seems smaller than the potential damage that could arise from full disclosure.

Seeking Legal Redress: A Last Resort?

As my Subject Access Request (SAR) continues to be mishandled, I am now considering the possibility of pursuing a court order to compel the organisation to comply. It’s a frustrating situation, and I am weighing the decision carefully. Many individuals who have been in similar situations know that taking legal action is often a last resort due to the considerable costs and time involved.

What concerns me most is the likelihood that, by the time a court order is granted, the organisation may have conveniently "misplaced" or destroyed the very data I’m seeking. This is not just a hypothetical scenario—many others have faced this exact outcome. It’s a sad reflection of the lengths some organisations will go to in order to avoid accountability, making the fight for transparency even more difficult.

How Can You Protect Yourself?

Based on my experience, I want to offer some practical advice for those of you who find yourselves in a similar position. It can feel like an uphill battle, but there are steps you can take to strengthen your position:

1. Submit SARs to Both the Organisation and Their Legal Representatives: If you know a law firm is involved, it’s worth sending your SAR to both the organisation and the solicitors handling the case. This can help you identify inconsistencies in their responses, which may signal wrongdoing or attempts to obstruct the process.
2. Keep Detailed Records: Every email, letter, and phone call related to your SAR should be documented. If you need to escalate the issue, these records will be vital in showing the timeline of your request and the organisation’s (or law firm’s) failure to comply.
3. Be Clear with Deadlines: When submitting your SAR, be explicit about the deadlines the organisation must adhere to under GDPR. If they miss these deadlines, follow up promptly and keep the pressure on. Persistence is key in these situations.
4. Challenge Redactions: If you receive heavily redacted documents, don’t be afraid to push back and ask for specific justifications for each redaction. Legal privilege shouldn’t be used as a catch-all excuse, and organisations must be transparent about why certain information is being withheld.

A Call for Greater Accountability

What I’ve learned through this process is that the current system is failing individuals. The ICO, while essential in its role, often lacks the teeth to enforce GDPR in cases where organisations are being deliberately obstructive. Law firms, in particular, need to be held to a higher standard when they’re involved in the SAR process.

We need a system where individuals feel empowered to access their personal data without being stonewalled by organisations or their legal teams. The right to access our own information is a cornerstone of GDPR, and it’s time for regulators like the ICO to take a stronger stance against those who flout the rules.

Until then, we must continue to advocate for ourselves and each other. At Legal Lens, we are committed to supporting people facing these challenges and pushing for the kind of accountability and transparency that GDPR was designed to enforce.

Let’s keep fighting for our rights.

#GDPR #SARs #DataProtection #LegalObstruction #Transparency #Accountability #LegalLens