10 January, 2017
Compliance with Subject Access Requests (SARs) can be a lengthy and costly exercise especially where the request may involve reviewing a large volume and range of documents. In the recent case of Dawson-Damer and Others v Taylor Wessing LLP, the High Court provides useful guidance regarding the right to personal information, structured filing systems and disproportionate effort.
Facts of the Case
A mother and two children (the Claimants) made SARs regarding their personal data held by the solicitors' firm Taylor Wessing (TW). TW's client whom it started acting for in 1987 is the trustee involved in administering a multimillion trust fund connected to the data subjects and others. The data subject are involved in litigation in the Bahamas in relation to the actions of the trustee.
TW did not comply with the SARs on the basis of legal professional privilege (section 10, Schedule 7 of the Data Protection Act (DPA)) in respect of the majority of the documents for advice going back 30 years. It also claimed that it would be disproportionate and/or unreasonable to expect it to carry out a search to determine which document were privileged and which were not (section 8 (2) DPA). A further argument raised by TW was that some of the information was contained in unstructured manual files which for the purposes of the DPA were not "a relevant filing system".
Alongside a data subject's right to access personal data, there are exceptions such as information that is subject to legal advice privilege, disproportionate effort or it may be that information is not held in a relevant filing system at all and a data controller would not be required to comply.
Right to personal information
The Court recalled that the DPA provides an individual with the right to access personal data so that he or she knows whether a data controller is processing his or her data; if so, what is its source; why it is processing it and to whom it has disclosed it. This does not extend to disclosure of information to another individual without the other's consent or unless it would be reasonable in all circumstances for disclosure without consent.
However, having considered the decision in Durant the Court said an individual's right is to obtain information about himself or herself from a data controller's filing system (computerised or manual), it is not an entitlement to original copies or documents. The purpose is to enable a data subject to check whether there is unlawful processing and take such steps as provided by law, although it is not an automatic right to any information or to provide assistance to obtain discovery of documents that may be of assistance in litigation against third parties.
Relevant filing system
Similarly, as to a relevant filing system the Court recalled that the DPA is to apply to manual record only if they are of sufficient sophistication to provide accessibility as a computerised filing system. This would require a filing system referenced or indexed to enable the data controller to identify at the outset and with reasonable certainty and speed the files that contain the relevant information and locate such information without conducing a manual search of them. If a data controller is required to go through files at great length and cost looking for the information, this bears no resemblance to a computerised search.
TW had stated that the information was held in manual files with the majority in loose leaf boxes with multiple categories of information not structured by reference to individuals or criteria relating to individuals. It had only implemented an electronic system in 2005, whereas its relationship with the client went back 30 years. On this basis the Court's provisional view was that TW's manual filing system did not fulfil the definition of relevant filing system as provided for in the DPA.
Legal advice privilege
The DPA exempts disclosure of personal data if the data consists of information in respect of which legal privilege applies. In the present case the Court stated that applying the exemption provided for in the DPA, its purpose is to protect the claimant' right to privacy and accuracy, not to provide the claimant with information or disclosure to assist it in its litigation. Further it would be difficult for the principles of disclosure in relation to trustees and beneficiaries to be separated from legal professional privilege. As such the Court was satisfied that legal professional privilege applied.
In relation to disproportionate effort in Ezsias v Welsh Ministers it was held that "the data controller is only required under s 8(2) to supply the individual with such personal data as is found after a reasonable and proportionate search."
Whilst the Court was not provided with results of searches being conducted in response to the SARs, due to the application of legal professional privilege it was not reasonable or proportionate to expect TW to carry out any search. This is because any search would require determining as to which documents legal professional privilege applied and to which it did not. Determining applicability of legal professional privilege required consideration by a skilled lawyer, which would be time consuming and costly and due to the work required would be neither reasonable nor proportionate.
In dealing with an application, the Court does have discretion to order compliance with SARs. In the present case the Court was not convinced that such discretion arose for a number of reasons.
Firstly, when considering the purpose of a SAR context is everything. In the present case the data subjects were not concerned with accuracy of their data, rather it was to assist the Bahamian proceedings, which according to Duran this is not a proper purpose. Secondly, the question of whether it was reasonable or proportionate for TW to conduct a search were just as valid on the question of discretion. Thirdly, it is not a proper purpose of the DPA to obtain documents under English law, which the claimants could not obtain in the Bahamian proceedings.
This is an important decision as it highlights a number of relevant points when dealing with SARs. Whilst a data subject is entitled to make a request, a data controller is equally entitled to consider its response within the remit of the DPA. Disproportionate effort may be relevant where the burden of dealing with SARs is labour and recourse intensive. At the same time other aspects such as whether a relevant filing system exists can be particularly important, as well as consideration of relevant exemptions such as legal professional privilege. The guidance provided by this decision may not be the final word on disproportionate effort as the case has been appealed. Further updates will be provided through our blog.
Forbes Solicitors regularly assists housing associations, charities and a range of business with data protection matters. If you have any questions relating to data protection policy or procedure or if you are in the process of dealing with a SAR, please contact Daniel Milnes.