In an important decision impacting the way in which organisations deal with subject access requests, the Court of Appeal has ordered...

...a data controller to take further action in order to comply with a subject access request, overturning a High Court decision.

Legal Background

Under the Data Protection Act 1998 (DPA), individuals are entitled to request a copy of the personal data which an organisation holds about them. This right can be exercised by the individual making a subject access request (SAR). If a data controller fails to comply with such a request satisfactorily, the court may order compliance.

The DPA requires a copy of the information requested to be provided to the requester in a permanent form unless providing such a copy is not possible or would involve disproportionate effort. In addition, there are various exemptions that might apply in relation to whether personal data should be disclosed to the individual in response to their SAR, including whether the information is subject to legal professional privilege.

Facts

In the case of Dawson-Damer v Taylor Wessing LLP, a Bahamian trust company was a client of Taylor Wessing (TW), a firm of solicitors. As part of litigation, one of the beneficiaries of one of the trusts made a SAR to TW in connection with a trust dispute in the Bahamas.

TW did not comply with the SAR, saying that the data was covered by legal professional privilege and therefore exempt from disclosure as part of a SAR response. The requestor made an application to compel TW to comply with the SAR which was dismissed by the High Court.

Court of Appeal (CoA)

The CoA overturned the High Court's decision and ordered TW to comply with the SAR.

In making its decision the CoA considered three main issues:

  1. The CoA held that the legal privilege exception applied only to documents which carried legal professional privilege for the purposes of English law. The exemption from disclosure does not extend to privilege under any other system of law - in this case the law of the Bahamas.
  2. Commenting on what is meant by "disproportionate effort", the CoA said that this must involve more than an assertion that it is too difficult to search through voluminous papers. TW had failed to evidence that further compliance with the SAR would involve disproportionate effort. The CoA also held that disproportionate effort is not solely restricted to the effort it would take to supply copies, but can also "include difficulties in the process of complying with the request which might result in the supply of the document involving disproportionate effort".
  3. The High Court judge had been wrong to decline to enforce compliance with the SAR because the appellants intended to use the information in their Bahamian legal proceedings. There is no provision in the DPA that limits the purpose for which a data subject may request their data, or provides data controllers with the option of not providing data based solely on the requestor’s purpose.

Best Practice

This decision is important. Employees may make SARs when contemplating or commencing legal proceedings against their employer, and this case potentially limits an employer's ability to reject that request on the ground that the requested data might be used as part of legal proceedings or to further a dispute. Employers should carefully consider any SARs that they receive. As part of this, employers should consider whether any of the requested personal data might be exempt from disclosure and how those exemptions should be applied.