Teal blue header image

Subject access requests: No 'improper purpose' exemption says Court of Appeal

The Court of Appeal has confirmed that there is no exemption from the requirement to comply with a subject access request (SAR) where it is made to assist in legal proceedings.

The court has also clarified the application of the "disproportionate effort" and "legal professional privilege" exemptions, in the case of Dawson-Damer v Taylor Wessing LLP.

The right of subject access under the Data Protection Act 1998 (DPA) gives individuals a right to access copies of personal data held about them by an organisation acting as data controller. There are certain exemptions to the obligation to comply with a SAR, most notably for the purposes of this case, where information attracts legal professional privilege. The DPA states that unless information is exempted, it must be provided in a "permanent form" unless it would be impossible or involve disproportionate effort to do so. If a data controller refuses to comply with a SAR, the courts have discretion under the DPA to order compliance if they consider the refusal is a breach of the DPA.

Background

Mrs Dawson-Damer and her two adopted children were the beneficiaries of a Bahamian trust. Taylor Wessing (TW) acted as solicitors for the trustee of the trust in question. As part of an ongoing trusts dispute in the Bahamas, in August 2014 Mrs Dawson-Damer and her children made a SAR to TW for personal data relating to themselves held by TW as data controller.

TW refused to comply with the SAR on the basis that:

  • the majority of information held by TW was likely to attract legal privilege in the UK and/or be exempted from disclosure under Bahamian law;
  • it was not reasonable and proportionate to expect TW to search all of the information it held and extract any documents not covered by legal privilege; and
  • compliance with the SAR should not be ordered because the SAR had been made for improper purposes.

The Dawson-Damers then applied to the court for an order for disclosure against TW. The judge at first instance declined to exercise his discretion to grant such an order. He agreed with TW that it would be disproportionate for TW, as lawyers, to review all of its files for documents covered by legal professional privilege. He also considered that the legal professional privilege exemption extended to documents which TW would have been entitled to withhold in the Bahamian proceedings. Finally, the judge considered that the SAR had been made for the purpose of obtaining documents to which the Dawson-Damers would not otherwise have been entitled under Bahamian law, which was contrary to the purposes for which the right of subject access is intended (namely to enable individuals to check their data is accurate and has not been unlawfully processed). 

Decision

The Court of Appeal overturned the High Court's decision and ordered TW to comply with the SAR. It held that:

  • the legal professional privilege exemption does not extend to documents that are restricted from disclosure in jurisdictions other than the UK. TW could not rely on non-disclosure rules in the Bahamas to justify withholding personal data in response to the SAR under UK law;
  • the "disproportionate effort" exemption applies more widely than just to the obligation to provide copies of data in a "permanent form". It could also exempt a data controller from compliance where the search for information itself would involve disproportionate effort (though on the facts, the Court of Appeal considered that it would not be disproportionate for TW to search its files for documents not covered by legal privilege); and
  • nothing in the DPA, nor the Data Protection Directive on which the DPA is based, places any limitation or restriction on the purpose for which an individual can request his or her personal data. Data controllers cannot refuse to comply with a SAR because they consider it has been made for an "improper purpose". The original judge was wrong to refuse to order compliance because the Dawson-Damers intended to use the information obtained in legal proceedings.

Implications

The decision is likely to disappoint data controllers who were hoping for more scope to push back on requests that are made to circumvent disclosure. SARs are increasingly being made in the context of litigation with the intention of obtaining early disclosure or even as a tactic to take up valuable time and resources. The case confirms that refusing to comply with a SAR solely on this basis is unlikely to be permissible.

However, data controllers can take some comfort from the confirmation that the "disproportionate effort" exemption applies not only to the obligation to provide copies of data in a permanent form, but also to the data controller's search process itself. This means that there is scope for data controllers to argue that it would be disproportionate to conduct extensive searches. However, data controllers should be aware that the burden of proof will be on them to demonstrate disproportionality. There is no guidance yet on how data controllers will demonstrate this.

The right of subject access only extends to personal data about the individual(s) concerned, and does not cover full copies of documents containing that data. So data controllers should consider whether providing personal data in an extracted form, separately from the document that originally contained it, might be a pragmatic approach where there are concerns about giving an advantage to individuals in litigation.

 

Contributor: Emma Fox
 

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at March 2017. Specific advice should be sought for specific cases. For more information see our terms & conditions.


Insights & events View all