Information overload
By Seamus Smyth
A recent case on Data Protection Act requests sheds some light on solicitors' duties, but further clarification is needed, says Seamus Smyth
Every law firm is a data controller, with a data protection officer. Your DPO will be grateful to you for being aware of his duties, and managing your file accordingly.
The Data Protection Act 1998 (DPA) allows many people to demand information from your firm. The DPA, regulations and guidance are not an easy read. Nor do they answer all the questions relating to solicitors' obligations. In Durant v FSA [2003] EWCA Civ 1746, the Court of Appeal dispelled some of the fog, but, for law firms, not much.
Who can make a DPA request?
Any individual who pays the fee. DPA requests cannot be made by companies, trusts, executors, administrators, PRs, local authorities, governments (local or foreign) or presumably partnerships. DPA requests can only be made by people with their own privacy to protect.
Is it only clients who can make DPA requests?
No. It could be anyone on whom your firm holds data. For private practitioners – public authorities have a far greater burden – the most likely requesters are (ex-)clients and (ex-)employees (all probably disgruntled). Others, such as opponents or their representatives, could also demand information. No matter how mistaken or malicious the request, the DPO must reply, if only to say your firm holds nothing on him. If your firm 'processes personal data' which 'relates' to the enquirer, you must provide answers and information.
Can you refuse?
Only if the request is so vague that you cannot comply – 'my name is Smith and I want all the information you hold on me' – or if the request is identical with one made without 'a reasonable interval' having elapsed (since the last one). If compliance would involve 'disproportionate effort', you may be entitled to decline.
The fee
For requests, the maximum fee is generally £10. For some health and education records it is £50. These are maxima. If less is paid you may have to justify any refusal.
How soon do you have to answer?
'Promptly' – but no later than 40 days after receipt of the request (or after clearance of the cheque?).
What do you have to give to the 'data subject'?
All personal data. Basically everything you hold which relates to the data subject's privacy and is biographical with its focus on the data subject.
Electronic material: everything your firm holds for processing 'by automatic means' (on a computer) must be provided. As we use computers for everything, email traffic, letters, scanned documents, internal emails, SMSs, MMSs, and voicemails are all 'held'. 'Processing' includes 'holding', so all this stored data must be provided if it contains 'personal data'.
Electronic material can be easily searched. Personal data in electronic material should be readily accessible.
Paper: our files will probably duplicate the outgoing electronic material, but there will be paper from various sources, such as incoming letters, clients' files and handwritten material. These are 'data' if they are 'recorded as part of a relevant filing system' 'held' by you, to be provided if they contain 'personal data'.
The DPA gives a five-line definition of 'relevant filing system', the kernel of which is that information is 'readily accessible'.
Paragraph 34 in Durant provides this test for 'relevant filing system': '...the intention is to provide, as near as possible, the same standard or sophistication of accessibility to the personal data in manual filing systems as to computerised records'. The mere fact that a variety of information is arranged in chronological order does not make it a 'relevant filing system'. If the effort required to find personal data involves no more than identifying the file or the section within a file the same standard of accessibility as to computerised records is achieved. Not so if someone must turn every page to find personal data.
Odds and ends
Duplicates of material already provided are not covered. Material covered by legal professional privilege is expressly exempted and Durant emphasised that the DPA is not to be used to get around privilege. What of a solicitor's lien? There is no known decision. If the information sought is 'personal data', the ex-client may – for £10 – bypass the lien entirely, unless this loophole is closed.
Expressions of opinion about the data subject are 'personal data'. The material has to be provided in 'intelligible form'.
Health and education records have to be provided no matter how great the effort.
The DPA is clearly aimed at organisations like credit agencies and does not fit solicitors' private practice. Only when some brave colleagues take a stand on the extent of our obligations will greater clarity be achieved through case law. Any volunteers?