Data protection, client information, and subject access requests
Jonathan Swift QC considers the lines of defence available to firms faced with a subject access request, and whether they should be treated as data controllers at all
All law firms are data controllers under the Data Protection Act 1998 (DPA). Two recent decisions of the Court of Appeal highlight the risk that client information held by firms can be vulnerable to disclosure through subject access requests under the DPA. The cases are Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74 and Deer v University of Oxford [2017] EWCA Civ 121. But how great is this risk?
The risk arises when a DPA subject access request is directed to a law firm by someone who is not that firm’s client. The requestor only asks to see their personal data, but that information may well be held in the firm’s client files – particularly if the requestor is in dispute with the client. The judgments in Dawson-Damer and Deer make important points about the lines of defence that are available to a firm facing this type of request, but there is also one important issue not raised in either case, which goes to whether firms should be treated as data controllers at all when it comes to client information.
Legal professional privilege
The most visible defence is the section 10, schedule 7 DPA exemption, covering information that is subject to legal professional privilege (the LPP exemption). In Dawson-Damer, the court confirmed this exemption could be relied on by a solicitor to the extent that any person could assert LPP against the requestor in respect of information held by the solicitor.
The LPP exemption may be a solution in many cases, but not in all, as Dawson-Damer demonstrates. There, the solicitor’s clients were trustees, and the requestor was a beneficiary of the trust. The court accepted the LPP exemption would cover information that was subject to litigation privilege, but concluded that the exemption would not prevent disclosure if only legal advice privilege could be asserted because, on the facts of that case, that privilege was held jointly by the trustees and the beneficiary.
Another, more run-of-the-mill issue is that the LPP exemption will often not provide a complete answer because the contents of solicitors’ files are rarely limited to LPP material – in particular when the file is not a litigation file. Here, a second line of defence can come in. In Dawson-Damer and in Deer, the court readily accepted that a data controller need undertake only a proportionate (not an exhaustive) search for disclosable personal data. So, depending on the circumstances, it may be too difficult, time-consuming, or expensive to separate exempt information (or third-party personal data) from disclosable information.
But, as the judgment in Dawson-Damer made clear, this defence must be supported by evidence; the solicitor must be able to demonstrate why it would be disproportionate to respond to the request. In many instances it will be impossible to justify a blanket refusal. The information will most likely be electronically stored, and when it comes to searches and search techniques there is obvious scope here to read across from the e-disclosure provisions in the Civil Procedure Rules practice direction 31B.
Refusing relief
The last line of defence is the court’s power under section 7(9) DPA to refuse relief to a requestor, even if the request is valid. Yet it is plain from Dawson-Damer and Deer that this power will not readily be used. In Dawson-Damer, the court expressly rejected the idea that relief would be refused wherever the requestor had a collateral purpose. For example, relief will not be refused just because the requestor wants to use the information in other litigation.
Although the judgment in Deer is in less definitive terms (see in particular the suggestion by Lord Justice Lewison that proportionality has some role to play), it is tolerably clear that for relief to be refused, there must be something in the circumstances of the request that approaches an abuse of process.
Data controllers
Since none of the defences is foolproof, it is time to question the premise of the exercise. Are law firms data controllers of information held subject to client instructions at all? Yes, says the information commissioner, because (according to her guidance) ‘solicitors determine the manner in which the personal data... will be processed’.
But this fails to recognise the client’s power to determine how information held by their solicitor is used. In many instances, the hallmark of a data controller – their ability to determine the purposes for which data is used, and the way in which it is used – is more a description of the client’s powers than those of their solicitor.
There are situations where regulatory obligations can require disclosure by a solicitor notwithstanding the client’s instructions, but why should these occasions be used to characterise the solicitor/client relationship for DPA purposes? Rather, there is a parallel with the reasoning of In re Southern Pacific Personal Loans Limited [2014] Ch. 426. That case concerned liquidators; the judge accepted that liquidators held the company’s data as agents and therefore declined to conclude they were data controllers.
In Dawson-Damer, the status of the firm as a data controller was not in issue, but when this point is litigated, the same conclusion should apply. If so, firms will remain subject to significant obligations as data processors of client information, and as data controllers for other classes of information, but the DPA will recognise the centre of gravity in the solicitor/client relationship is the client.
Jonathan Swift QC is a barrister at 11KBW