Case update (2): Data protection – easy access

Summary: Can an organisation be ordered to comply with a data subject access request, even if the intention of the request is to use the data in connection with litigation?

Yes, says the Court of Appeal in Dawson-Damer v Taylor Wessing LLP, available here.

Background:  An individual has the right to access data held about them and to check it is being processed lawfully. To do this, an individual may make a Data Subject Access Request under the Data Protection Act 1998 to ask:

  1. whether data is being processed about them, for a description of the data, the purposes for which it is being processed and to whom it may be disclosed; and
  2. for a copy of that personal data (which should be supplied in permanent form unless that is not possible or would involve disproportionate effort).

The subsequent search for personal data carried out by the employer must be reasonable and proportionate but may be limited if the effort to find and supply the document outweighs the benefit to the employee and the purpose for which an individual is requesting personal data is not relevant (i.e. the effort would be disproportionate).

There is no obligation to comply with a subject access request in relation to personal data that is subject to legal professional privilege. Such data would include confidential communications between lawyers and their clients for the purpose of 1) seeking or giving legal advice or 2) being used in litigation. Legally privileged documents do not need to be shown to a third party or the court.

Facts:  Members of the Dawson-Damer family were in dispute with a Bahamian trust, for which Taylor Wessing had acted for 30 years and held more than 50 historical paper files, as well as more recent computerised ones.  For the purposes of the litigation, the Dawson-Damer family sought information which was thought to be in the possession of Taylor Wessing but was not disclosable under the governing law applicable to the trust.

Accordingly, the Dawson-Damer family submitted individual subject access requests to Taylor Wessing. Taylor Wessing declined to disclose the information and Dawson-Damer applied to the High Court to enforce the subject access request. The High Court decided in Taylor Wessing’s favour, as follows:

  • the information was not disclosable being subject to legal professional privilege;
  • searching many electronic and paper files for the information and providing it in permanent form would involve “disproportionate effort”; and
  • the information was not being sought to check its accuracy but for an ulterior motive, namely the litigation, and there should be “no other purpose” to a subject access request.

The Dawson-Damer family appealed this decision.

The Court of Appeal took a very different view from the High Court and found in favour of Dawson-Damer.  In particular:

  • only information which is subject to legal professional privilege under UK law will be exempt from disclosure. The information held by Taylor Wessing in relation to the Bahamian trust was not subject to UK legal professional privilege. Although it was “confidential”, it was disclosable under the DPA. No other exemption had been cited;
  • as there might therefore be more potentially disclosable material, it might not be “disproportionate” for Taylor Wessing to search for it. However, it was held that proportionality applies not only to the search but to all aspects of compliance with a subject access request; and
  • no rule provides that there must be “no other purpose” to a subject access request.

Implications:  This decision assists litigants in obtaining information to which they might not otherwise be entitled and employers may need to revisit their usual approaches and responses to subject access requests.  This is particularly the case if you have routinely resisted such requests on the grounds that they amount to an abuse of the right to request because it is being used as a pre-litigation fishing expedition and/or that a response would involve a disproportionate effort.

Overall, it is important to remember that:

  • each subject access request should be dealt with on a case by case basis and an employer faced with a subject access request must show that it has taken all reasonable steps to comply with it;
  • the purpose for which personal data is requested should not be used as a reason to reject a subject access request;
  • a subject access request should not be immediately rejected. An initial search should be undertaken, at least to determine the scope of the search required; and
  • the search required may be limited if the effort to find and supply the document is disproportionate and outweighs the benefit to the employee.

Given the now added complexities to responding to a subject access request, please do not hesitate to ask us for help if your organisation does receive such request by telephoning Luke Menzies or a member of the team on 0117 325 0526.