The decision clarifies a number of issues relating to subject access requests, including that the court is not prevented from ordering compliance with a subject access request simply because the applicant proposes to use the information for some purpose other than verifying or correcting the data held about him. It follows that a subject access request may be used to obtain information for the purposes of litigation, whether or not the information would be disclosable in the litigation in question. The court does however retain a broad discretion, and may refuse an order if for example the application is found to be an abuse of the court’s process.
The decision also confirms that the exception from section 7 for information which is subject to legal professional privilege (under paragraph 10 of schedule 7 to the Act) should be interpreted narrowly, so that it applies only to legal professional privilege recognised in proceedings in any part of the UK. Accordingly, it was irrelevant whether the documents in question were privileged or exempt from disclosure under Bahamian law.
Richard Norridge, Gary Horlock and Sophie Jaggard outline the decision below.
Background
Under section 7 of the Data Protection Act 1998 (DPA), an individual can make a subject access request to a data controller requesting details of any personal data that the data controller holds in relation to the individual. If the data controller fails to comply, the party that has made the request can apply to court for an order requiring him to comply. The court has a discretion whether to make such an order.
There is an exemption from the data controller’s obligation to comply with the request, under paragraph 10 of schedule 7 of the DPA, where the personal data consists of information in respect of which a claim to legal professional privilege could be maintained in legal proceedings.
In the present case, the appellants were beneficiaries of a number of trusts governed by Bahamian law. The respondent, Taylor Wessing, is an English law firm that acted for the trusts.
The appellants sought to challenge the validity of various appointments that were made by the trustee in 2006 and 2009 and commenced proceedings against the trustee in the Supreme Court of the Bahamas.
In the Bahamas, there are certain categories of trust documents that trustees cannot be compelled to disclose (even for the purposes of disclosure in litigation). This is different to the position in the UK where trust documents are subject to the normal rules of disclosure in litigation.
Therefore, the appellants made subject access requests to Taylor Wessing in relation to any personal data held by them as solicitors for the trusts. Taylor Wessing, as a data controller established in the UK, would ordinarily be required to respond to a subject access request under the DPA provided no exemptions apply. Taylor Wessing’s response to the subject access requests was that the data it held was covered by legal professional privilege and therefore exempt from disclosure.
The appellants were not satisfied with this response and applied to the court for an order compelling Taylor Wessing to comply with the requests. At first instance, the deputy judge dismissed the application. The appellants then appealed to the Court of Appeal.
Decision
The Court of Appeal found that the subject access requests were valid and that Taylor Wessing’s efforts to comply with the requests had been inadequate. Its reasoning is summarised below.
Legal professional privilege
The privilege exemption in the DPA should be construed narrowly and only applies to information that would be covered by legal professional privilege in legal proceedings in the UK. The fact that the documents might have been privileged in the Bahamas proceedings was not sufficient on its own.
The Court of Appeal did not consider whether any individual documents held by Taylor Wessing would be covered by privilege in proceedings in the UK. Beneficiaries would usually be able to access documents covered by legal advice privilege if the advice was paid for with trust funds (this is a form of joint, or joint interest, privilege). However, the trustees might have been able to withhold some documents on the grounds that they were covered by litigation privilege.
The Court of Appeal also rejected a broad interpretation of the exemption to include the trustee’s right, as a matter of general trust law, not to disclose certain categories of documents to the beneficiaries, as this was not supported by the aims and objects of the EU Data Protection Directive.
Disproportionate effort
It would not be disproportionate for Taylor Wessing to take further steps to identify the appellants’ personal data. The law firm had not provided any evidence of the searches it had conducted but instead pinned its hopes on legal professional privilege providing a blanket exemption.
The Court of Appeal found that Taylor Wessing would have to produce some evidence to show what it had done to identify the relevant material and work out a plan of action but did not specify what particular steps it would be proportionate for Taylor Wessing to take.
Collateral purpose and the court’s discretion
The Court of Appeal rejected the existence of a rule that a data controller should not be ordered to comply with a subject access request where the applicant proposes to use the information for some purpose other than verifying or correcting the data held about him (eg for the purposes of litigation). There is nothing in the DPA or the Directive to limit the purpose for which a data subject may request his data.
The Court of Appeal also rejected the argument that it should refuse to exercise its discretion on the basis that the disclosure could not be obtained from the trustees under Bahamas law, the governing law of the trusts. The court was not exercising any jurisdiction in relation to the administration of the trust so it was not interfering with the jurisdiction of the Bahamas court in determining whether the personal data within the trust documents was disclosable.
This article is care of hsfnotes.com and the original article can be found here.
