The Court of Appeal has today given judgment in the case of Dawson-Damer v Taylor Wessing LLP  EWCA Civ 74. The case involves the administration of a number of trust settlements governed by the law of the Bahamas, but makes a significant finding for UK data controllers. The essential facts are that some trust beneficiaries submitted subject access requests (SARs) seeking copies of all personal data held by the trust's legal advisers, Taylor Wessing LLP (TW). TW resisted the SARs on three grounds:
i. TW asserted that all documents held by them were subject to legal professional privilege, a fundamental rule of law that is designed to ensure that clients can discuss their affairs freely with their solicitors, safe in the knowledge that those discussions cannot be disclosed to third parties;
ii. TW sought to argue that its obligations were limited to making reasonable and proportionate searches only, but that the SARs would require disproportionate efforts; and
iii. TW claimed the purpose for which the SARs had been made was relevant. Since litigation was also ongoing in the Bahamas, and there was some evidence that the documents that might be disclosed by the SARs would be used in those proceedings, TW claimed that it would be an abuse of process to allow the SARs to be enforced in the UK.
The Court therefore had to determine how far rules of proportionality could limit a data controller's obligations to search for personal data, the extent to which legal privilege exempted documents from being included in the response to a SAR, and whether the fact that the data subject might also be seeking documents in connection with litigation allowed the data controller to refuse to comply with the SAR.
The DPA contains a specific exemption for personal data that is also subject to legal professional privilege. TW argued that the exemption applied not just to documents that were privileged under English law, but should also exempt documents that were restricted from being disclosed under analogous rules under Bahamas legislation governing trusts.
The Court reviewed the EU Directive underpinning the DPA, and concluded that the exemption should be narrowly construed, and limited only to documents privileged under English law.
The DPA contains a provision that has been the focus of much previous litigation. It states that a SAR must be complied with, "unless the supply of such a copy [of the information containing personal data] is not possible or would involve disproportionate effort." The Information Commissioner's Office (ICO), which is responsible for enforcing the DPA, has detailed guidance on SARs. It confirms that the ICO regards this provision as being strictly limited to how difficult it is to give the data subject a copy of their personal data. It does not, in the ICO's view, have any bearing on what a data controller must do to locate and search personal data.
In a decision that will be welcomed by employers, the Court disagreed with the ICO's view. Relying again on the EU Directive, and the fundamental rule of proportionality that underlies EU law, the Court held that "disproportionate effort" under the DPA relates to the entirety of the SAR process, and includes searching for personal data in the data controllers various files and electronic archives.
What is proportionate is, however, a fact-sensitive question. In this case, TW had not given any explanation of its efforts, so had not discharged its obligations.
In one of the early DPA cases, Durant v Financial Services Authority  FSR 573, the Court of Appeal's judgment included a comment that has generated a number of other claims. The comment, that the purpose of entitling an individual access to their personal data is not "to assist him, for example, to obtain discovery of documents that may assist him in litigation or complaints against third parties" has been interpreted by some as meaning that an employee, for example, who is embarking on litigation against their employer cannot subvert the usual rules of disclosure in Employment Tribunal or High Court proceedings by submitting a SAR. That view is not shared by the ICO.
In this case, the Court stressed that its supervisory role, under s.7(9) of the DPA, gave it a wide discretion to order a data controller to comply with a SAR. Starting from the position that the SAR regime embodied an important right in the modern world, and noting that SARs should normally be complied with unless there was a good reason not to do so, the Court held that the remark in Durant simply demonstrated that a person is not permitted to assert a particular item is personal data solely in order to obtain its disclosure and assist in litigation. It was not authority for a wider limitation on the right of a data subject to obtain their personal data. The DPA is purpose-blind, so while the fact that parallel litigation might be ongoing might be relevant to the exercise of the Court's discretion that did not mean that a SAR submitted to assist in litigation was an abuse of process or could be ignored.
The detailed clarifications in this decision are of benefit generally to data controllers, since they will help to reduce uncertainty and argument going forwards. The decision on the proportionality issue will be welcomed by employers, but employees will be relieved by the ruling on the purpose issue.
The data protection aspects of employment law remain a very live area of dispute. Employers should already be preparing for the advent of the EU General Data Protection Regulation, which comes into force in the UK in May 2018 (Brexit negotiations notwithstanding).