Given the avalanche of 'let’s stay in touch' and 'we have updated our terms and conditions' emails that were sent in April and May this year, one could be forgiven for thinking that the GDPR was solely a marketing issue. Surely, now that we have obtained our clients' consents to contact them (or trimmed our mailing lists accordingly) we can all return to life as usual?
The GDPR will have a significant impact on the private client industry, not least because advisers and clients will routinely be dealing with extremely sensitive and personal information. The GDPR sets out strict rules as to how and when that data can be used, who it can be passed on to and when it must be disclosed to the individual to whom it relates.
Because the GDPR was drafted with the likes of Facebook and Google in mind, applying it in the very different world of trusts and estates will often feel like hammering distinctly square pegs into conspicuously round holes. Nevertheless, we must do what we can.
One particular issue, which this article seeks to address, is the concern that the new legislation no longer contains an express exemption permitting the processing of “special categories” of personal data (such as information about a person’s health and sexual orientation) in the context of providing legal advice.
Given the subject matter it should not be too surprising that this article is unashamedly targeted at the legal profession. We intend to follow up with further publications for trustees, personal representatives and other interested parties in due course.
A reminder of the protections afforded to special category data
By way of background, the GDPR draws a distinction between:
- 'Regular' personal data such as a person’s name, address and phone number (the GDPR does not use the term 'regular' but it is helpful in this context).
- 'Special categories of personal data', which include, but are not limited to, information about a person’s racial or ethnic origin, political views, religious beliefs, health and sexual orientation.
The processing of regular personal data is allowed whenever one or more 'lawful basis' applies. We expect that private client lawyers will generally be processing such data on the grounds that it is necessary for either the performance of their contract with their client or the pursuit of their legitimate interests as a legal service provider.
In contrast, special categories of personal data may only be processed if both:
- one of the standard 'lawful bases' applies
- the processing falls within the scope of one of a limited number of specific exemptions.
Many of the exemptions are irrelevant in the context of providing legal advice. Those that merit consideration here are:
- The consent exemption: the data subject has given their prior, explicit and informed consent.
- The legal claims exemption: the processing is necessary for the “establishment, exercise or defence of legal claims”.
- The substantial public interest exemption: the processing is necessary for reasons of substantial public interest, on the basis of either EU or Member State law.
The loss of the express 'legal advice' exemption
It is of course common for private client lawyers to receive special category data in relation to both clients and third parties.
For example, when preparing a Will, a testator may describe their children’s relationships (including information about their sexual orientation) and any medical conditions that family members might have (i.e. health information).
However, the exemptions which allow special category data to be processed under the GDPR no longer include an express 'legal advice exemption' in the form that appeared in the Data Protection Act 1998 (DPA 1998). That exemption used to permit the processing of sensitive personal data if it was:
- 'necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),
- necessary for the purpose of obtaining legal advice, or
- otherwise necessary for the purposes of establishing, exercising or defending legal rights.'
When the DPA 1998 was replaced by the DPA 2018 in May, the legal advice exemption was only carried over in the context of processing information related to criminal convictions. It is no longer listed as an exemption applicable to the processing of special category data.
This change could have had significant repercussions.
In the absence of a clear legal advice exemption, some practitioners have looked to the substantial public interest exemption instead. Unfortunately, the argument that the provision of legal advice must be in the public interest runs into immediate difficulty (at least in UK law) in the form of section 10(3) DPA 2018. This provides that the 'substantial public interest' test is only satisfied if one of the conditions set out in the exhaustive list in Part 2 of Schedule 1 to that Act is met. None of those conditions helps in this context.
Then there is the consent exemption. This raises its own difficulties. Whilst it may be possible to obtain consent from a client (although even then the strict criteria can invalidate a consent surprisingly easily), obtaining consent from a third party will often conflict with the lawyer’s duty of confidentiality or be impractical for any number of reasons.
Assuming that the substantial public interest exemption and the consent exemption are unavailable, the exact scope of the legal claims exemption set out in the GDPR is critical. This is the direct replacement for the previous legal advice exemption and permits special category data to be processed where it is necessary for the 'establishment, exercise or defence of legal claims'. The concern is that the term 'legal claims', if given its ordinary meaning, is narrower than 'legal advice' and in particular might only extend to contentious matters.
Saved by the Lords?
Fortunately there is comfort to be found in the House of Lords’ discussion of the Data Protection Bill.
During the committee stages on 13 November 2017, Baroness Hamwee raised this specific point and flagged her concerns about the scope of the term 'legal claims'. She also put forward an amendment which would have confirmed that the legal advice exemption continued to apply to the processing of special category data.
Lord Ashton of Hyde, the Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport, responded for the Government and made the following points:
- The government 'strongly agree about the importance of ensuring that data protection law does not accidentally undermine the proper conduct of legal proceedings'.
- The legal advice exemption that the government had provided for in relation to information relating to criminal convictions was intended to 'replicat[e] in relation to criminal convictions data the processing condition for the special categories of personal data contained in article 9(2)(f).' (Article 9(2)(f) being the legal claims exemption).
- Although the wording of the legal advice exemption was different to the wording of the legal claims exemption, the intention was not to expand upon or change the scope of the latter; it was simply 'to anglicise' it.
- Baroness Hamwee’s proposed amendment was therefore unnecessary.
The government’s view was therefore that the legal advice exemption was simply the anglicised translation of the phrase 'the establishment, exercise or defence of legal claims' used in the legal claims exemption. In other words, the term 'legal claims' should be read to include 'legal advice'.
This should offer significant comfort to legal advisers who process special category data in the course of advising on non-contentious matters. Certainly it should form the basis of a sensible reporting position if the issue is raised by clients or third parties before further guidance is made available.
However, the lack of an express legal advice exemption in the DPA 2018 and the somewhat ambiguous wording of Article 9(2)(f) leave enough uncertainty that clear guidance on the point would be welcome. We are aware that STEP’s Data Protection Working Group is in the process of raising this issue, alongside others, with the ICO for clarification.
Recording your reasoning
One final word of warning: since May 2018 data controllers (such as law firms) have been obliged to proactively consider the personal data that they hold and record why and how their processing is lawful. This is a marked change from the old regime under which data controllers generally only had to justify processing retrospectively if and when challenged.
Simply coming within the scope of the legal claims exemption is therefore not enough to be GDPR compliant. Practitioners must also take care to ensure that their reliance on that exemption is adequately recorded.