The Court of Appeal in Dawson-Damer v Taylor Wessing LLP has confirmed the scope of data subject access requests (DSARs) under the Data Protection Act 1998 (DPA), giving food for thought for data controllers - the vast majority of UK businesses - and their professional advisers.
Members of the Dawson-Damer family (DD) were in dispute with a Bahamian trust, for which Taylor Wessing (TW) acted. For the purposes of the litigation, DD sought information which was thought to be in the possession of TW but was not disclosable under the governing law applicable to the trust.
Accordingly, DD submitted individual DSARs to TW. TW declined to disclose the information and DD applied to the High Court to enforce the DSAR. The High Court determined in TW’s favour, as follows:
the information was not disclosable being subject to legal professional privilege, (an exemption in the DPA);
searching many electronic and paper files for the information and providing it in permanent form would involve disproportionate effort (also referenced in the DPA)
the information was not being sought to check its accuracy but for an ulterior motive, namely the litigation. TW relied on a 2004 case, Durant, in support of the argument that there should be “no other purpose” to a DSAR.
DD appealed this decision.
The Court of Appeal found in favour of DD. In particular:
only information which is subject to legal professional privilege under UK law will be exempt from disclosure. The information held by TW in relation to the Bahamian trust was not subject to UK legal professional privilege. Although it was “confidential”, it was disclosable under the DPA. No other exemption had been cited;
as there might therefore be more potentially disclosable material, it might not be disproportionate for TW to search for it. However, it was held that proportionality applies not only to the search but to all aspects of compliance with a DSAR (this point might be of assistance to data controllers in future);
no rule provides that there must be “no other purpose” to a DSAR.
This decision assists litigants in obtaining information to which they might not otherwise be entitled.
Other similar cases are currently before the Court of Appeal and we expect further guidance on the issues. In May 2018, the General Data Protection Regulation will come into force which - amongst other things - will reduce the 40-day time limit for compliance with a DSAR to one month.
We recommend that data controllers - including professional firms - review their procedures for responding to DSARs and that care is taken to rely on appropriate exemptions if disclosure of personal information is being resisted.