The Court of Appeal recently considered the scope of subject access requests ("SAR") under section 7(2) of the Data Protection Act 1998 ("DPA") in Dawson-Damer & Others –v- (1) Taylor Wessing LLP (2) Information Commissioner  EWCA Civ 74. In doing so, it provided important practical guidance on obligations of data controllers when responding to a SAR. In light of the increased use of SARs, including for tactical reasons in the early stages of litigation, it is important that data controllers understand what their obligations are under the DPA and the extent of any exemptions for compliance with a SAR.
The appellants, data subjects for the purposes of the DPA, were beneficiaries of various Bahamian Trusts and Taylor Wessing LLP (“TW”) were the legal representatives for the trustees. The appellants challenged the validity of certain appointments made by the trustees under the trusts.
In August 2014, the appellants served a SAR (“the Request”) on TW seeking personal data held by TW. TW refused to comply contending that the personal data it held was covered by legal professional privilege ("LPP") and exempted from disclosure under the DPA (“the Exception”). Further, the trust is governed by the law of The Bahamas: under Bahamian law, no trustee can be compelled to disclose trust documents. The documents sought would not therefore be disclosable in the Bahamas.
In January 2015, the appellants applied to the court for a declaration that TW had not complied with the Request and sought an order under section 7(9) DPA (“the section 7(9) discretion”) compelling TW to comply with the Request.
The determination of the High Court
By order dated 6 August 2015, the High Court dismissed the application and found that the Exception applied on the basis that it should be interpreted purposively so as to include all the documents which the trustee would be entitled to resist compulsory disclosure of in the Bahamian proceedings. The High Court emphasised that the principles of disclosure for trustees and beneficiaries could not be separated from LPP. In addition, it was found that it was neither reasonable nor proportionate to expect TW to carry out any search or to expect TW to be able to determine which documents were privileged. The claim to privilege was a matter for the trustee and a matter of Bahamian law, which might have to be resolved in the separate Bahamian proceedings.
The High Court also held that it should not exercise the section 7(9) discretion because it was not a proper use of the DPA to assist the appellants in the Bahamian proceedings or to enable the appellants to obtain documents which they could not obtain by disclosure in the Bahamian proceedings.
The Court of Appeal Judgment
In light of the importance of the issues, permission was granted for the Information Commissioner (“the IC”) to intervene and make oral and written submissions. There were 3 key issues of general importance for determination. The Court of Appeal disagreed with the High Court on each of the key issues.
Issue 1: Extent of the Exception: whether the Exception is limited to documents to which any privilege which attached was LPP under English law (“the narrow view”) or whether that Exception also includes any documents which the trustee could refuse to disclose to the beneficiaries under Bahamian trust law (“the wide view”)
It was found that the Exception could relieve a data controller from complying with a SAR only if there is relevant privilege according to the law of any part of the UK. As regards documents which are not subject to LPP as conventionally understood but which are subject to a right of non-disclosure, such as a trustee’s right of non-disclosure (which is recognised both in England and in The Bahamas), the Court of Appeal found that the DPA does not contain an exception for them: they are not within the Exception. Further, TW was in no special position so far as the Exception is concerned because it is an agent for the trustee.
- Issue 2: Disproportionate effort: the extent of any search that should be undertaken.
The Court of Appeal accepted the IC's representations that the DPA does not permit a data controller to exclude information from a response to a SAR merely because it is difficult to access. Data controllers should be prepared to make extensive efforts to find and retrieve the requested information. However, they are not required to do things that would be unreasonable or disproportionate to the importance of providing subject access to the information. Any decision should reflect the fact that the right of subject access is fundamental to data protection.
TW had not shown that to comply with the request would involve “disproportionate effort” - all it had done was review its files. TW had made a blanket assertion of LPP when there was a clear possibility of material that would not be subject to LPP. Whilst there is an element of proportionality involved in assessing a data controller’s task, the correct approach is to examine what steps a data controller has taken, and then to ask if it would be disproportionate to require further steps to be taken to comply with the individual’s right of access.
The burden of proof is on the data controller to show that it has taken all reasonable steps to comply with a SAR, and that it can rely on any specific exemptions to refuse to provide data. TW had to produce evidence to show what it had done to identify the material and to work out a plan of action. The Court of Appeal found that it had failed to do this and had not discharged the onus on it.
- Issue 3: section 7(9) discretion: whether the motive of the data subject in serving the SAR was relevant to the question as to whether the Court should exercise the section 7(9) discretion
Importantly, the Court of Appeal found that the High Court had been wrong to decline to enforce the Request on the basis that the appellants intended to use the information obtained in their Bahamian proceedings. The Court of Appeal held that the DPA does not include a “no other purpose” rule pursuant to which the Court could or should assess the proposed use by the data subject of the information obtained. A “no other purpose” rule would have undesirable secondary consequences, such as non-compliance by data controllers with SARs on the grounds that the data subject had an ulterior purpose. In the circumstances, the Court must apply the section 7(9) discretion with a view to fulfilling the purposes of the DPA, which confers rights on data subjects.
In coming to that conclusion, the Court of Appeal considered the submissions made by the IC that, for a data controller to deny to comply with a SAR, it must point to the DPA, and an exemption. It must then satisfy the various legal requirements of the exemption. The IC’s Code of Practice states, “there is nothing in the Act that limits the purposes for which a SAR may be made, or which requires the requester to tell you what they want the information for.”
The Court of Appeal emphasised that it was not exercising any jurisdiction in relation to the administration of the trust, which was a matter for the Bahamian courts. Foreign proceedings and data regimes do not provide a basis for a data controller or court to refuse to give effect to a data subject’s rights under domestic law. It is for the foreign court to consider questions of admissibility of any documentation obtained pursuant to a SAR.
The case provides important guidance on the scope and application of the Exception and the review task to be undertaken by data controllers. When presented with a SAR, it will not be enough for a data controller, including law firms, to simply assert a right to withhold documents. Instead, a thorough review will need to be undertaken to obtain documents that fall within the ambit of the SAR and then an assessment undertaken on whether certain documents fall within an exemption. When seeking to rely on the LPP Exception, data controllers will need to be sure that the documents are legally privileged: if not, they will need to be disclosed.
As to the exercise of the section 7(9) discretion, the Court of Appeal emphasised that the DPA confers important rights of access on data subjects to protect fundamental rights. The confirmation that motive for issuing a SAR is not relevant for the purposes of compliance by data controllers, may well lead to a further rise in their deployment in litigation as a cheaper way to obtain pre-action disclosure for the modest sum of £10. Advice may well need to be taken on the scope of any SAR if a data controller is concerned about its ability to rely on an exemption.