The courts have grappled with the limits of legal advice privilege (i.e. the confidentiality of documents recording advice between lawyer and client) and the scope of data subject access requests (“DSAR”) under the Data Protection Act in recent litigation. The decisions of the courts provide some helpful guidance on the protection afforded by the privilege exemption and its limits for any data controller (“DC”) who might be subjected to a tactical DSAR.
In Holyoake v Candy and another, a property dispute, the High Court had to decide whether to order the DC’s further compliance with a DSAR. In reaching its decision, it had to consider whether the DC had carried out adequate searches for personal data in response to the DSAR, and whether it was entitled to rely on the legal professional privilege exemption to limit what was included in its response.
The court decided that no order for further compliance should be made. The records of legal advice between the DC and its lawyers were exempt from disclosure because they qualified for legal professional privilege. However, the court held that this might not be the case if there was evidence of iniquity, i.e. if the documents formed part of some fraudulent or criminal design. The possibility that the data might reveal a breach of a data subject's right to privacy did not meet the threshold to remove the exemption.
So far so good for DCs, but the Court of Appeal’s decision in Dawson-Damer and others v Taylor Wessing LLP sounds a note of caution.
The law firm, Taylor Wessing, did not comply with a DSAR submitted by the beneficiaries of a trust administered by one of its clients. The firm made a blanket assertion that all the personal data was covered by legal professional privilege and therefore exempt from disclosure. The Court of Appeal overturned an earlier High Court decision not to order compliance. On the issue of legal professional privilege, it held that a narrow interpretation had to be used. This meant that:
- only data for which there was relevant privilege according to the law of any part of the UK was exempt. Data which the DC could refuse to disclose under the laws of another jurisdiction was not exempt from disclosure in the context of the DSAR; and
- the fact that Taylor Wessing were an agent for a trustee who was not before the court, and who could not be ordered to disclose the documents under the foreign law applicable to the trust, did not affect Taylor Wessing’s duty to disclose personal data to which the legal professional privilege exemption under UK law did not apply.
There is some comfort for DCs in these decisions, and some helpful clarification, but the note of caution is clear. DCs must be wary of relying on legal professional privilege too liberally when seeking to resist disclosure in response to a DSAR made under the UK's Data Protection Act. Only data that is protected under the UK rules on privilege will be exempt, and that exemption will be lost if there is evidence of iniquity.