This court of appeal case, handed down on 16th February, concerns a subject access request (‘SAR’) made under s.7 of the Data Protection Act 1998 (‘DPA’). It has the effect of limiting the grounds upon which data controllers may rely as a basis for refusing to comply with a SAR.
Background
Mrs. Ashley Dawson-Damer, and her two adopted children, Piers Dawson-Damer and Adelicia Dawson-Damer, sent SARs to the respondent, Taylor Wessing LLP, which was acting for the trustee of a number of Bahamian trusts of which Mrs. Dawson-Damer is a beneficiary. Taylor Wessing did not provide the requested personal data on the grounds that: (i) it was covered by legal privilege; (ii) doing so would involve a disproportionate effort; and (iii) the appellant’s motive was to use the information in legal proceedings. The judge at first instance accepted Taylor Wessing’s arguments and dismissed Mrs. Dawson-Damer’s application. Mrs. Dawson-Damer appealed the decision.
The Court of Appeal decision
Overruling the judge at first instance, the Court of Appeal decided the following:
- The legal professional privilege exemption under DPA Sch.7(10) should be construed narrowly and only applies to documents which carry legal professional privilege for the purposes of English law. The exemption does not extend to other documents that are not disclosable to a beneficiary of a trust under trust law principles, nor documents subject to other non-disclosure protections, such as those under foreign laws.
- The respondent failed to show that complying with the request would involve a disproportionate effort, since all it had done was review its files. Data controllers cannot avoid complying with a SAR by arguing that the work involved would be expensive or time consuming.
- A data subject’s intention to use personal data for the purpose of litigation proceedings cannot be used by a data controller to avoid complying with a SAR. There is nothing in the DPA that limits the purposes for which a data subject may request his or her personal data, nor anything that provides data controllers with the option of refusing to comply with a SAR on the basis of the data subject’s motive.
Practical Implications
The £10 maximum fee chargeable for dealing with a SAR may give a misleading impression as to the lengths data controllers must go to in order to fulfil their obligations. DPA s.7 falls very much in favour of the data subject, with a presumption firmly in favour of disclosure. This Court of Appeal judgement confirms that the legal professional privilege exemption is narrow, that the ‘disproportionate effort’ bar is high, and the data subject’s motivation is not a ground for withholding information. In the words of Lady Justice Arden ‘The cost of compliance is the price data controllers pay for processing data’.
Organisations should prepare themselves for the fact that dealing with a SAR may well require a significant effort. They should also be mindful of the fact that when the General Data Protection Regulation (GDPR) takes effect in May 2018, the period for compliance with a SAR will be reduced from 40 days to 30, and that they will no longer be able to charge a fee.