The Court of Appeal has confirmed that there is no exemption from the requirement to comply with a subject access request (SAR) where it is made to assist in legal proceedings.
The court has also clarified the application of the "disproportionate effort" and "legal professional privilege" exemptions, in the case of Dawson-Damer v Taylor Wessing LLP.
The right of subject access under the Data Protection Act 1998 (DPA) gives individuals a right to access copies of personal data held about them by an organisation acting as data controller. There are certain exemptions to the obligation to comply with a SAR, most notably for the purposes of this case, where information attracts legal professional privilege. The DPA states that unless information is exempted, it must be provided in a "permanent form" unless it would be impossible or involve disproportionate effort to do so. If a data controller refuses to comply with a SAR, the courts have discretion under the DPA to order compliance if they consider the refusal is a breach of the DPA.
Mrs Dawson-Damer and her two adopted children were the beneficiaries of a Bahamian trust. Taylor Wessing (TW) acted as solicitors for the trustee of the trust in question. As part of an ongoing trusts dispute in the Bahamas, in August 2014 Mrs Dawson-Damer and her children made a SAR to TW for personal data relating to themselves held by TW as data controller.
TW refused to comply with the SAR on the basis that:
The Dawson-Damers then applied to the court for an order for disclosure against TW. The judge at first instance declined to exercise his discretion to grant such an order. He agreed with TW that it would be disproportionate for TW, as lawyers, to review all of its files for documents covered by legal professional privilege. He also considered that the legal professional privilege exemption extended to documents which TW would have been entitled to withhold in the Bahamian proceedings. Finally, the judge considered that the SAR had been made for the purpose of obtaining documents to which the Dawson-Damers would not otherwise have been entitled under Bahamian law, which was contrary to the purposes for which the right of subject access is intended (namely to enable individuals to check their data is accurate and has not been unlawfully processed).
The Court of Appeal overturned the High Court's decision and ordered TW to comply with the SAR. It held that:
The decision is likely to disappoint data controllers who were hoping for more scope to push back on requests that are made to circumvent disclosure. SARs are increasingly being made in the context of litigation with the intention of obtaining early disclosure or even as a tactic to take up valuable time and resources. The case confirms that refusing to comply with a SAR solely on this basis is unlikely to be permissible.
However, data controllers can take some comfort from the confirmation that the "disproportionate effort" exemption applies not only to the obligation to provide copies of data in a permanent form, but also to the data controller's search process itself. This means that there is scope for data controllers to argue that it would be disproportionate to conduct extensive searches. However, data controllers should be aware that the burden of proof will be on them to demonstrate disproportionality. There is no guidance yet on how data controllers will demonstrate this.
The right of subject access only extends to personal data about the individual(s) concerned, and does not cover full copies of documents containing that data. So data controllers should consider whether providing personal data in an extracted form, separately from the document that originally contained it, might be a pragmatic approach where there are concerns about giving an advantage to individuals in litigation.