Subject access requests and litigation: unwelcome clarity?
The Court of Appeal recently held that a subject access request will be valid even if a collateral purpose of it is to obtain information for the purposes of litigation and also confirmed that the exemption for privileged material does not extend to other protected information. However, it also clarified that it is not necessary for the data controller to supply personal data if to do so would involve disproportionate effort.
The Court of Appeal's recent decision in Dawson-Damer v Taylor Wessing LLP contains three important points of law:
A subject access request (SAR) will be valid even if a collateral purpose of that SAR is to obtain information for the purposes of litigation (see box "What is a SAR?").
The exemption in the Data Protection Act 1998 (DPA) that allows data controllers to withhold material that is subject to legal professional privilege (LPP) does not extend to other protected information, such as information that can be withheld under trust law principles. The LPP must also be recognised by the UK courts.
It is not necessary to supply personal data if to do so would involve disproportionate effort (section 8(2), DPA) (section 8(2)). In making this assessment, it is possible to consider both the work needed to find the relevant personal data and to produce copies of them ( EWCA Civ 74).
The final point will be welcomed by businesses facing broad and unreasonable SARs, but the other findings are less helpful. They are likely to encourage individuals to use SARs as an additional tool in litigation against both counterparties and their solicitors. This may or may not result in additional disclosure but, at the very least, will cause additional cost and disruption.
The decision is the result of a SAR made by Mrs Ashley Dawson-Damer and her two children, Piers Dawson-Damer and Adelicia Dawson-Damer (see News brief "Subject access requests: a welcome result for recipients ( www.practicallaw.com/3-618-8669) "). It was made against the law firm Taylor Wessing, which acted for the trustee of a number of Bahamian trusts of which the Dawson-Damers were beneficiaries.
The SAR was made in connection with a dispute about those trusts, in respect of which Mrs Dawson-Damer has commenced proceedings in the Supreme Court of The Bahamas. Taylor Wessing rejected the SAR so the Dawson-Damers sought to enforce it in the English courts.
SARs made for litigation purpose
Taylor Wessing refused the SAR, alleging that it was made to obtain information for the purposes of litigation and that this collateral purpose was not a proper use of the right to request a SAR. This is a point of general importance as SARs are frequently made in preparation for litigation, particularly in employment law claims.
There had been conflicting authority on whether the underlying purpose of a SAR affects its validity. However, the court's decision makes it clear that a SAR is valid even if a collateral purpose of the SAR is to assist in litigation.
Legal professional privilege
Taylor Wessing also relied on the exemption in the DPA for information subject to LPP (paragraph 7, Schedule 10, DPA). The position was complicated by the fact that the information was not privileged but instead was immune from compulsory disclosure under Bahamian trust law.
The court roundly rejected this broad interpretation. The reference to LPP means just that: it does not include other protected information, such as information that can be withheld under trust law principles. Similarly, it must be possible to claim LPP in the courts of the UK. It is not possible to rely on any wider concepts of privilege that might be available in foreign courts.
Equally, Taylor Wessing was not excused from complying with the SAR on the basis that it acted for the trust, nor because it was the agent for the trustee. This was despite the trust not being subject to the court's jurisdiction, and despite the fact that a similar disclosure requirement could not have been placed on the trust by the Bahamian courts.
The final issue for the court was whether Taylor Wessing could refuse the SAR under section 8(2) because supplying the personal data would involve disproportionate effort.
This is also a significant issue. SARs can be very burdensome. It is reported that the Nursing and Midwifery Council recently spent £239,871.85 (including VAT) in legal fees dealing with a single SAR. While that appears to be a fantastic figure, it reflects the inevitable practical difficulties that arise when having to search emails and other unstructured data in response to a SAR.
Businesses often hold very large volumes of unstructured data. Searching that information to identify relevant personal data, and to redact irrelevant information or the personal data of third parties, inevitably involves an expensive and time-consuming manual review. For example, in Dawson-Damer, Taylor Wessing would undoubtedly have needed to use skilled reviewers to consider each document individually to identify and remove material subject to LPP.
Here, at least there is some good news. The court decided that, when assessing whether a response to a SAR would require disproportionate effort, it is necessary to consider both:
The work needed to find the relevant personal data.
The work needed to produce copies of that personal data.
This overrides the Information Commissioner's Code of Practice, which suggests that only the work in producing copies of the personal data is relevant, but not the work in finding those data. The court also confirmed that the proportionality test involves balancing the potential benefit that the supply of the information might bring to the data subject against the means by which that information is obtained.
This assessment must be made on a case-by-case basis and the burden is on the data controller to show that supplying the personal data would involve disproportionate effort. While the court also referred uncritically to Ezsias v Welsh Ministers, in which a relatively modest review of 2,400 documents was sufficient, there is little further guidance on the practical application of the proportionality principles ( EWHC B15; www.practicallaw.com/9-380-8877). This, combined with the court's statement that there are substantial public policy reasons for giving people control over their personal data, suggests that this will continue to be a burdensome obligation for businesses.
The court also suggested that data controllers should design their systems in a manner which helps them to respond to SARs. Those who have had the joy of trawling through emails to identify personal data and redact irrelevant or exempt information would certainly welcome a tool of this kind, although it seems unlikely that one will be available in the near future.
In any event, all Taylor Wessing had done was review its files and conclude that most would be privileged on the basis of Bahamian trust law. Given the court's narrow interpretation of the LPP exemption, this was not sufficient. Instead, to demonstrate that the supply of a copy of information would involve disproportionate effort, Taylor Wessing will have to produce a plan and provide evidence of its work to review and identify relevant personal data.
The decision in Dawson-Damer is not the end of the matter. The court is expected to hand down two further decisions on SARs in the next month or so. There may also be an appeal to the Supreme Court. Whether this will bring any relief to data controllers remains to be seen.
David Speakman is counsel, and Rich Jones is an associate, at Linklaters LLP.
What is a SAR?
Under the Data Protection Act 1998 (DPA), individuals have the right to obtain copies of their personal data from a data controller by making a subject access request (SAR) (section 7, DPA). This is an important right. It enables individuals to confirm that their personal data are accurate and processed in a lawful manner, and to exercise their rights under data protection law to have that data corrected, deleted or blocked.
The SAR must be in writing and the individual must, if asked, pay a fee of £10 and prove his identity. Otherwise there are no formalities and there is no need to provide any justification for the SAR.