In the latest decision on data protection, the Court of Appeal ordered a law firm to comply with a data subject access request, even though the intention was to use the data in connection with litigation.
An individual has the right to access data held about them and to check it is being processed lawfully. To do this, an individual may make a Data Subject Access Request (or DSAR) to ask:
(i) whether data is being processed about them, for a description of the data, the purposes for which it is being processed and to whom it may be disclosed; and
(ii) for a copy of that personal data (which should be supplied in permanent form unless that is not possible or would involve disproportionate effort).
When faced with a DSAR, an initial search should be conducted and an assessment should be made to determine which of the resulting data constitutes the individual's personal data. The search for personal data must be reasonable and proportionate but may be limited, if the effort to find and supply the document outweighs the benefit to the employee; and the purpose for which an individual is requesting personal data is not relevant (i.e. the effort would be disproportionate).
There is no obligation to comply with a DSAR in relation to personal data that is subject to legal professional privilege. Such data would include confidential communications between lawyers and their clients for the purpose of (i) seeking or giving legal advice or (ii) being used in litigation. Legally privileged documents do not need to be shown to a third party or the court.
In the current case, Mrs Dawson-Damer is a beneficiary of a Bahamian trust and has been involved in an ongoing court case in the Bahamas against the trustee of the trust. She and her two children submitted DSARs to the trustees' lawyers seeking personal data relating to them that was held by the law firm. The law firm said that the personal data it held was covered by legal professional privilege and therefore exempted from disclosure. The law firm included within this exemption the documents that its client, the trustee, could refuse to disclose to the beneficiaries under Bahamian trust law. There was no clear evidence to show whether the law firm had undertaken any searches which would allow them to claim privilege in relation to all the documents and since there was a wide range of documents, it was possible that there was material which was not covered by legal professional privilege.
The High Court previously decided that:
- the law firm did not have to disclose any documents which the trustee could refuse to disclose to the beneficiaries under Bahamian trust law (as the legal professional privilege exception applied); and
- it was not reasonable or proportionate for the solicitors to search over 30 years of files to determine whether the information requested was protected by legal professional privilege; and
- since the Dawson-Damers intended to use the information in the Bahamian court case, and this was not a proper use of data protection law, the judge declined to enforce the request.
As a result of the High Court decision, the law firm was not required to comply with the DSAR.
However, the Court of Appeal took a very different view, deciding that:
the legal professional privilege exception applies only to documents which carry legal professional privilege for the purposes of English law. Bahamian trust law should not be taken into consideration;
disproportionate effort must involve something more than an assertion that it is too difficult to search through voluminous papers;
the disproportionate effort qualification applies to all stages of subject access compliance; and
the judge had been wrong to decline to enforce the request because the Dawson-Damers intended to use the information obtained in their Bahamian litigation. Previous cases have confirmed that an individual cannot claim that something is personal data in order to obtain that data to use against a third party in court. However, if the data is personal data relating to the individual, the purpose for which they are requesting it should not be taken into account.
The result was that the law firm was required to comply with the DSAR.
What this means for employers
It is helpful that the court has clarified the use of two exemptions in the data protection legislation which helps employers determine the limits of compliance with a DSAR. First, that the exemption that can be relied on when the effort to conduct the search for personal data would be "disproportionate" applies to the process of compliance with a DSAR and not just the action of supplying the copy documents. Secondly, the legal professional privilege exception applies only to documents which carry legal professional privilege for the purposes of English law.
It is important to remember that:
(i) each DSAR should be dealt with on a case by case basis and an employer faced with a DSAR must show that it has taken all reasonable steps to comply with it;
(ii) the purpose for which personal data is requested should not be used as a reason to reject a DSAR;
(iii) a DSAR should not be immediately rejected. An initial search should be undertaken, at least to determine the scope of the search required;
(iv) the search required may be limited if the effort to find and supply the document is disproportionate and outweighs the benefit to the employee.