Back in November 2015 we reported in our HRLaw newsletter that the High Court decision in Dawson-Damer v Taylor Wessing brought cautious optimism for data controllers when the judge refused to make an order for compliance with three subject access requests. However, the Court of Appeal has taken a different approach, overturning the High Court decision and ordering compliance by Taylor Wessing, the data controller, with the subject access requests.
In its decision the Court of Appeal focused on the following three key issues:
1. The extent of the legal professional privilege exception
One of the family members was involved in litigation in the Bahamas with Taylor Wessing’s client, which was a Bahamian trustee. Taylor Wessing did not comply with the subject access requests, claiming to be entitled to the exemption for legal professional privilege. The High Court decided that all documents in respect of which the trustee would be entitled to resist disclosure under the ongoing litigation in the Bahamas would be protected by the legal professional privilege exception under English law.
However, the Court of Appeal took a narrower view, finding that the legal professional privilege exception:
(i) applies only to documents which are protected by legal professional privilege under English law, and does not extend to systems of law outside the UK; and
(ii) does not extend to documents which are the subject of non-disclosure rules, in this case the applicable rules being the trustee’s right of non-disclosure.
Overall the Court of Appeal decided that Taylor Wessing was able to claim legal professional privilege in respect of those documents to which the privilege applies, but must disclose the personal data to which the legal professional privilege exception does not apply in accordance with the subject access requests.
2. Whether any further search would involve “disproportionate effort”
The Data Protection Act provides that a data controller must supply the data subject with a copy of the information requested under a subject access request unless the supply of such information “is not possible or would involve disproportionate effort”.
Although the High Court concluded that it was not reasonable or proportionate for Taylor Wessing to carry out searches to determine if any particular document was covered by privilege, the Court of Appeal disagreed.
The Court of Appeal stated that Taylor Wessing must produce evidence to show what it has done to identify the material and to work out a plan of action. It found that further compliance with the subject access requests would not involve disproportionate effort by Taylor Wessing, and that disproportionate effort must involve more than an assertion that it is too difficult to search through voluminous papers.
3. Whether the judge would have been entitled to refuse to exercise his discretion in favour of the data subjects because their motive was to use the information in legal proceedings against the trustees
The Court of Appeal held that the High Court judge was wrong not to enforce the subject access requests despite the motive of the data subjects.
Neither the Data Protection Act nor the ICO’s subject access code of practice provides that data subjects have to inform the data controller of their reason for making the subject access request, or what they intend to do with the information requested. There is no “no other purpose” rule which would allow a data controller to refuse to respond to a subject access request if the data subject proposes to use the information obtained for a purpose other than verifying or correcting the personal data held about them.
It follows that the intention of the data subject to use the personal data for the purpose of litigation proceedings cannot be used by a data controller to avoid complying with a subject access request.
What does this mean for employers?
The decision of the Court of Appeal finds in favour of the data subjects and serves as a warning to data controllers that significant effort may be needed in responding to subject access requests. Employers as data controllers should also bear in mind that following the implementation of the GDPR in May 2018, there will be less time to comply with subject access requests – under the GDPR the information must be provided without delay and at the latest within one month of receipt rather than the current 40 days. It is prudent for employers to be reviewing their policies and procedures now to ensure that they will be able to comply with the GDPR once it comes into force.