The Court of Appeal (CA) has overturned the High Court decision that data controllers can refuse to comply with a data subject access request on the basis that doing so would be costly or time consuming, that the data is exempt from disclosure, or that the data subject is making the request in furtherance of litigation.
The Data Protection Act 1998 (DPA) gives individuals the right to access their personal data by making a subject access request (SAR).
It requires the requested information to be provided to an individual in response to an SAR, unless doing so would involve disproportionate effort, and provides that the court may order compliance if it is satisfied that the data controller has failed to comply with an SAR.
The DPA also allows an exemption from providing information where a claim of legal professional privilege could be maintained in respect of that data.
In this case, a mother and her two children (the Appellants) were beneficiaries of a Bahamian trust and made an SAR to the trust’s solicitors, Taylor Wessing (the Respondent).
The Respondent refused to provide the data, maintaining that it was exempt from disclosure under the DPA's legal professional privilege exemption.
The Appellants applied to the High Court to compel the Respondent to comply with their request, but the application was dismissed because:
- the documents were exempt from disclosure;
- it would require a disproportionate effort for the Respondent to search for documents; and
- the Appellants had a collateral motive in making the request.
The Appellants appealed.
The Court of Appeal overturned all three aspects of the High Court's decision as follows:
- Legal Professional Privilege Exemption
The CA indicated that although under trust law principles certain documents are not disclosable to the beneficiary of a trust, such documents are not subject to traditional legal professional privilege and should therefore be disclosed.
- The proportionality of searches
The CA took the view that data controllers should know of their obligations to comply with SARs, and should have designed their systems to enable them to make most searches time and cost efficient. It falls upon the data controller to prove that a search would be disproportionate and evidence will be needed to support this.
- The data subject's motive
The CA found that an SAR would not be invalid if made for the collateral purpose of assisting with litigation. In any event, the verification of data is unlikely to ever be the only motive behind SARs.
The Court of Appeal made an order compelling compliance with the request.
This judgment is positive for data subjects and provides welcome guidance on the legal professional privilege exemption, the concept of disproportionate effort and the relevance of the data subject's motive in making the request.
It remains to be seen whether this decision, which will not be welcomed by data controllers, will lead to an increasing number of claimants and potential claimants trying to use the DPA to their advantage. However, there is no doubt that professional firms should ready themselves for any possibility in this regard.
What you should do
- Have easily navigable document management systems to make responding to SARs more cost and time efficient.
- If seeking to rely on the Legal Professional Privilege Exemption, you should ensure that the relevant documents really are legally privileged in the traditional sense.
- Seek to encourage a data subject to narrow their request by requesting further information about when the data was processed, and what it was processed for.
- Be aware of deadlines. A data controller must respond to an SAR within 40 days.