Subject access requests: Court of Appeal bolsters right to disclosure of data

Published on 17th Feb 2017

On 16 February 2017, the Court of Appeal handed down judgment in one of its hotly anticipated forays into data protection law. The decision in Dawson-Damer v Taylor Wessing LLP reverses a decision by the High Court that the law firm Taylor Wessing had not breached the Data Protection Act 1998 (DPA) by refusing to carry out searches on grounds of proportionality, legal privilege and improper purpose.

The judgment strengthens the position for individuals making a request to access their personal data under section 7 of the DPA (also known as a subject access request), but will come as a disappointment to the many businesses that receive wide-ranging requests from individuals seeking to obtain documents for litigation purposes.

Background

In 2014, Mrs Dawson-Damer and her adopted children, the data subjects and beneficiaries of a certain Bahamian trust, served a subject access request under the DPA on Taylor Wessing, the data controller and solicitors for the trust. Importantly, the request was made in the context of an on-going trust dispute in the Bahamas.

Taylor Wessing, relying on the legal professional privilege exemption under the DPA, declined the request and withheld the relevant personal data. Taylor Wessing asserted that:

  • some of the data was held in manual files and not a relevant filing system for the purposes of the DPA;
  • it was not reasonable or proportionate to carry out a search for the information and to assess what was covered by privilege and what was not; and
  • as a matter of discretion, the Court should refuse to make an order for disclosure because the application had been made for improper purposes.

What was the position following first instance?

The judge at first instance ruled in favour of Taylor Wessing, finding that:

  • the legal professional privilege exemption did apply to documents in respect of which there is a right to resist compulsory disclosure in legal proceedings – which, in this case, included the Bahamian proceedings;
  • referring to the observation in Durant v FSA, as Taylor Wessing’s manual files were not chronologically arranged or filed by reference to individuals, they may fall outside the scope of the DPA’s ‘relevant filing system’;
  • in spite of the Information Commissioner’s Code of Practice, a “data controller is only required under section 8(2) to supply the individual with such personal data as is found after a reasonable and proportionate search”; the proposed search of Taylor Wessing’s files was held not to have been reasonable or proportionate, particularly given the disproportionality of lawyers reviewing the documents for privilege whereas the applicant need only pay £10; and
  • on the basis that the Dawson-Damers would not have served the request were it not for the on-going Bahamian dispute and they would not be able to obtain disclosure in the Bahamian proceedings, no discretion would have been given by the High Court to order the disclosure.

The Court of Appeal’s decision

The appeal focused on three issues of practical importance and the Court of Appeal took a very different stance to the High Court on all three points:

  1. the extent of the legal professional privilege exemption;
  2. the existence and extent of a disproportionate effort limit on searches; and
  3. the approach to be taken to the judicial discretion under section 7(9) DPA to order compliance with a subject access request.

Addressing these issues, first, the judge held that the legal professional privilege exemption does not extend to systems of law outside of the UK and does not apply to documents which are solely the subject of non-disclosure rules (whether under English law or not).

Second, the DPA obliges a data controller to supply copies unless “it is not possible or would involve disproportionate effort”. The judge held that it therefore falls to the data controller to show that supplying the information in permanent form would involve such disproportionate effort, an assessment which extends beyond the process of supplying a copy to compliance with the request itself. Taylor Wessing had failed to show this. Disproportionate effort must involve more than an assertion that it is too difficult to search through voluminous papers (although there is still an element of proportionality involved in assessing a data controller’s task).

Third, nothing in the Data Protection Directive (Directive 95/46/EC) limits the purpose for which a data subject can request his personal data or provides data controllers with an option to deny it based solely on such purpose. Neither does the DPA require a data subject to show that he has no other collateral purpose. While it may have been different had the application been an abuse of the court’s process, the High Court was wrong to decline the request because the data subjects intended to use the information in legal proceedings.

Practical implications of the judgment

As data protection law has risen to prominence in recent years, subject access requests have become more common and are now often used as a litigation tactic. As this and other recent cases have demonstrated, dealing with subject access requests is often complex, burdensome and costly. There is no question that the process is open to abuse, and this judgment does little to help guard against such cases.

Subject to any appeal to the Supreme Court, for the time being at least it will be no answer to a subject access request to say that it is clearly made for some other purpose than to protect the lawful processing of personal data.  That does not mean to say that subject access requests can be disproportionate.  The proportionality principle holds firm, but the onus will be on the data controller to demonstrate that it has carried out a proportionate response to the request.

However, the subject access regime only entitles data subjects to obtain access to and copies of their own personal data, and information about how and why that data is being processed.  It does not entitle data subjects to obtain documents.  We are therefore likely to see more data controllers extracting data from documents and disclosing it separately to avoid handing a litigation advantage to the data subject.  There may also be an opening to revisit this area post-Brexit if the UK government decides to re-evaluate how much of the General Data Protection Regulation to retain in English law.

This article was prepared with the assistance of Peter Barratt, trainee solicitor at Osborne Clarke.


* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
