Like any other professional or commercial organisation, a solicitors’ firm may face data subject access requests from aggrieved or merely inquisitive individuals. Like other such organisations, the firm may as a result have concerns about the confidentiality of its own internal processes in relation to matters such as client complaints, whistle-blowing investigations, grievance and disciplinary procedures, partnership disputes, and the like.
Unlike most other organisations, a solicitors’ firm will typically hold large amounts of privileged and/or confidential information about its clients. That not only increases the likelihood of subject access requests being made by third parties, but also makes such requests more difficult to handle. If you are a solicitor acting for a defendant in proceedings, how will you react to a subject access request made of you by the plaintiff that is suing your client?
The General Data Protection Regulation (“GDPR”) does not amount to a revolution in data subjects’ rights of access to their personal data, but it represents a significant incremental increase in the burden imposed on data controllers. The publicity surrounding the introduction of the GDPR will also do nothing to lessen a growing trend to use subject access requests as a litigation weapon. What do recent decisions have to say about such tactics and the possible grounds for objecting to them?
Changes in the regime
A data subject’s present rights of access to their personal data are based on section 7 of the Data Protection Act 1998 (“DPA 1998”), as qualified by section 8 and by a variety of other exemptions sprinkled through the Act.
From 25 May 2018, when the GDPR comes into force, rights of access to personal data will be those set out in Article 15 of the GDPR, which will have direct effect in the UK. Article 23 of the GDPR allows for exemptions to be introduced into national legislation and it is to be hoped that the Data Protection Bill (“the DPB”), which contains a number of such exemptions (especially in Schedule 2) and is presently wending its way through Parliament, will be in place in good time.
The data subject remains entitled under the GDPR to a copy of their personal data and to information about the purposes of processing and the identity of any recipients. However, among other changes:
1. No charge can now be made for responding to a valid request. The old £10 fee (often seen by the recipient as adding insult to injury) is abolished.
2. The range of information to be provided in response to a request is expanded. It now includes the source of the data, the period for which it is envisaged that the data will be stored, and a summary of certain of the data subject’s rights.
3. The period of time allowed for a response is reduced from 40 days to one month.
Potential grounds of resistance
Where a firm acts for a client in litigation, and it receives a subject access request made by that client’s opponent in the litigation, the firm’s natural reaction to the request is likely to include all or some of the following (in increasingly plaintive tones):
- “Ask our client, not us” (the firm’s status as agent)
- “But our file’s privileged” (legal professional privilege)
- “But our file’s confidential” (the firm’s obligation of confidentiality)
- “But that’s not what data protection is for” (collateral purpose)
- “But that’s going to be a nightmare for us to deal with” (disproportionality)
- “But that’s really unreasonable and unfair” (abuse of process/rights)
- “But surely the Court’s not going to make us answer that?” (the Court’s discretion)
These understandable objections have met with only mixed success under two recent decisions of the Court of Appeal.
The firm’s status as agent
The Court of Appeal disposed briefly of the first objection in Dawson-Damer v Taylor Wessing LLP  1 WLR 3255, at , under the heading, “Fact that TW are the trustee’s solicitors of little relevance”:
There is no conceptual difficulty under the DPA arising from the fact that TW is an agent. The critical point is that TW is a data controller.
Legal professional privilege
Under paragraph 19 of Part 4 of Schedule 2 to the DPB, subject access rights do not apply to:
…personal data that consists of information in respect of which a claim to legal professional privilege… could be maintained in legal proceedings.
Leaving aside the difficulties in applying to information a legal principle which has been developed in relation to documents, a solicitor’s file will typically contain much unprivileged information. In Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd  QB 256, at , Lewison LJ said:
If some personal data are covered by legal professional privilege and others are not, the data controller will have to carry out a proportionate search to separate the two.
The firm’s obligation of confidentiality
Mere confidentiality is not a complete bar to a subject access request, but the right to access (of X) is qualified if the data is also the personal data of a third party (Y). Under paragraph 16 of Part 3 of Schedule 2 to the DPB, the subject data access provisions:
(1) … do not oblige a controller to disclose information to the data subject (X) to the extent that doing so would involve disclosing information relating to another individual (Y) who can be identified from the information.
(2) Sub-paragraph (1) does not remove the controller’s obligation where—
(a) the other individual (Y) has consented to the disclosure of the information to the data subject (X), or
(b) it is reasonable to disclose the information to the data subject (X) without the consent of the other individual (Y).
(3) In determining whether it is reasonable to disclose the information without consent, the controller must have regard to all the relevant circumstances, including—
(a) the type of information that would be disclosed,
(b) any duty of confidentiality owed to the other individual (Y)…
This exemption (which does not appear to have been directly in issue before the Court of Appeal in either Dawson-Damer or Ittihadieh) is naturally likely to have a more pervasive effect when the solicitor’s client (Y) is an individual, rather than a corporation. In Ittihadieh, at , Lewison LJ observed that:
…whether it is reasonable to disclose information about another individual (Y) is an evaluative judgment which must, as it seems to me in the current state of technology, be carried out by a human being rather than by a computer.
Collateral purpose
The Court of Appeal in both Dawson-Damer (at  to ) and Ittihadieh (at  to ) rejected the submission that a subject access request was invalid if it was made with a collateral purpose, such as litigation.
Disproportionality
The judgments in Dawson-Damer and Ittihadieh are not encouraging for solicitors seeking to reject a subject access request outright on the basis that it is disproportionate, but they both confirm that principles of proportionality apply implicitly to the burdens of search, analysis and production which are imposed by a request (Dawson-Damer, at  to ; Ittihadieh, at  to ).
In Gaines-Cooper v Commissioners for HMRC  EWHC 868 (Ch) HHJ Jarman QC held that HMRC, which had made significant efforts to comply with a subject access request, had done enough to comply with its obligations, even though significant quantities of potentially relevant documentation remained unexamined.
Abuse of process/abuse of rights
In Dawson-Damer, at , the Court of Appeal raised the possibility that an application to enforce rights of access might in some circumstances amount to an abuse of process, and this possibility was confirmed in Ittihadieh, at . The Court of Appeal suggested in the latter case that there was not much difference between the domestic concept of abuse of process and the EU doctrine of “abuse of rights”.
The Court’s discretion
In Ittihadieh, at  to , the Court of Appeal considered the nature of the Court’s discretion on applications by data subjects to enforce their access rights. It held that if a data controller had failed to conduct a proportionate search in response to a valid request then, absent other material factors, the Court’s discretion should usually be exercised in favour of the data subject.
However, the Court of Appeal also identified a number of factors which are of potential relevance to the Court’s exercise of its discretion, including:
- whether there is a more appropriate route to obtaining the requested information
- the nature and gravity of the data controller’s breach
- whether there is a legitimate reason for making the access request
- whether an abuse of rights is involved
- whether the application is procedurally abusive
- whether the real quest is for documents, rather than personal data
- whether the personal data is of no real value to the data subject
- whether the data subject has already received the data
The Court of Appeal stated that this list was not intended to be prescriptive, but it is likely to be the subject of close examination on many future applications.
One suspects that (as may already be detected in the existing case-law) the courts’ application of the relevant principles will be significantly influenced by their perception of the virtues or demerits of the individual litigants involved.
Following the implementation of the GDPR, subject access requests of solicitors are likely to become more common. The requests can raise a whole host of difficult issues, which can be time-consuming and costly to resolve (and not billable). Further, the proper response to the requests is often counter-intuitive.
On the other side of the coin, solicitors advising individuals in relation to potential or current litigation should consider whether or not to advise their client to make a subject access request. Such a request may succeed in eliciting sought-after information or documentation, where an application for pre-action or third-party disclosure would fail.