The UK Court of Appeal has ruled that the motive of a data subject in making a data access request is not relevant and has clarified the limitations on the legal privilege exemption under UK law. The issue arose in proceedings concerning a 'subject access request' ("SAR") by beneficiaries of several Bahamian trusts to the law firm acting for the trustee of some of the trusts.
Subject Access Request
The UK Data Protection Act, 1998 (the "DPA") allows a data subject to submit a SAR to a data controller in order to obtain a copy of their personal data held by that data controller. The process is the same as that in Ireland, where a SAR is known as a Data Access Request. A minimal fee is payable and a data controller must comply with a SAR within 40 days of receipt. There are certain limited exemptions to compliance with a SAR.
In this case (Dawson-Damer and Others v Taylor Wessing LLP), beneficiaries of several Bahamian trusts, submitted a SAR to the law firm acting for the trustees. The SAR was submitted in the context of legal proceedings regarding the operation of the trusts. The law firm refused to comply with the SAR on the basis that the data requested was legally privileged. Legal professional privilege is one of the limited exemptions to the requirement to comply with a SAR under the UK DPA (and the equivalent Irish Acts).
The beneficiaries challenged this refusal claiming that the only privilege on which the law firm could rely was litigation privilege and requested an Order directing TW to comply with the SAR. Of note in this case is the fact that under Bahamian trust law, a trustee cannot be compelled to disclose a variety of trust documents and the Bahamian courts cannot order any such disclosure.
Granting the order enforcing compliance with the SAR, the Court of Appeal held that:
- The exception relating to legal professional privilege applies only to documents which are privileged as a matter of English law. There is no express exemption within the UK DPA for documents which cannot be disclosed under trust law principles and the act should not be interpreted in a "purposive" fashion in order to prevent a by-passing of those principles. Unless privilege could be established, or another exemption identified under the DPA, documents not available under trust law principles would become available under the SAR.
- The law firm failed to demonstrate that compliance with the SAR would require 'disproportionate effort' on its part. S.8(2) of the UK DPA (equivalent to Irish S.4(9)) allows a party not to supply the requested information in such circumstances.
- In this instance, TW had not produced evidence to show what, if any, searches it had carried out to separate non-privileged personal data from privileged, or to work out a plan of action and had therefore not discharged the onus on it to demonstrate that any effort to supply the relevant information would in fact be disproportionate.
- Finally, the COA held that the High Court was wrong to refuse to enforce the SAR because the appellants intended to use the information obtained to try and gain a tactical advantage in their Bahamian proceedings. The fact that there was a collateral purpose (obtaining a litigious advantage) is not sufficient for a refusal.
The COA distinguished its view from an earlier decision in Durant v Financial Services Authority (2004) in which it was held that a data subject's right to obtain information under S.7 of the DPA was not "to assist him, for example, to obtain discovery of documents that may assist him in litigation or complaints against third parties". The COA held that the Court in Durant had been concerned with the definition of personal data, rather than the purpose behind the request. A person could not claim that something was personal data in order to assist him in gaining discovery or in litigation or complaints against third parties.
Position under Irish Law
The position under Irish law and the potential implications for data controllers who are also facing litigation will be explored further in next month's briefing.