The English Court of Appeal has issued a judgment in relation to subject access rights under the Data Protection Act 1998 (“the DPA”). The Court’s decision centres on three main issues in relation to subject access requests: (1) the extent of the exemption for legal professional privilege; (2) when the effort to comply with a subject access request is disproportionate; and (3) the discretion of the court when considering an application pursuant to Section 7(9) of the DPA.
The right of subject access is one of the fundamental rights afforded to data subjects. It allows individuals to discover what information a data controller is processing about them, in what way they are processing it (including who it has been or may be disclosed to) and to check the accuracy of the personal data being processed. The importance of the data subject’s right is marked by the right of a data subject to apply to the courts in order to secure compliance where a data controller has failed to comply. It is not an absolute right; there are circumstances in which a data controller does not need to comply with a subject access request.
The Extent of the Legal Professional Privilege Exemption
Paragraph 10 of Schedule 7 to the DPA makes provision for exempting information from the subject access provisions in Section 7 where “the data consist of information in respect of which a claim to legal professional privilege or, in Scotland, to confidentiality of communications could be maintained in legal proceedings.”
In Dawson-Damer there were two interpretations of this exemption put forward, described in the judgment as the “narrow” and “wide” interpretations. The Court preferred the narrower of the two, holding that the exemption “relieves the data controller from complying with a subject access request (“SAR”) only if there is relevant privilege according to the law of any part of the UK.” The Court also held that “the DPA does not contain an exception for documents not disclosable to a beneficiary under trust law principles.” The Court held that the Legal Professional Privilege exemption does not extend to such information.
The Court held that whether complying with the SAR, or taking certain steps as part of the process of complying with the SAR, is disproportionate “will be a question for evaluation in each particular case”. The Court noted that “it is clear from the recitals to the Directive that there are substantial public policy reasons for giving people control over data maintained about them through the system of rights and remedies contained in the Directive, which must mean that where and so far as possible, SARs should be enforced.”
The discretion afforded to the Court under section 7(9) of the DPA is a “general discretion”. The Court held that Durant v Financial Services Authority did not create a position whereby a data subject cannot exercise DPA rights for purposes outside the DPA. Durant was concerned with the scope of the term ‘personal data’ and as such the Court’s comments in Durant were in that context. They did not mean that where individuals had another purpose (for example, with a view to using the material in litigation) they could not exercise their subject access rights. The Court noted that “it would be odd if the verification of data was always in practice a complete aim in itself which excluded all others…neither the Directive nor the DPA compels that interpretation. Nor has Parliament expressly required a data subject to show that he has no other purpose.” The Court did note that there might be a different outcome where an application under section 7(9) of the DPA “was an abuse of the court’s process…or if the claimant was a representative party who had some purpose which might give rise to a conflict of interest with that of the group or body he represents.”
This is an important case concerning the right of subject access under Section 7 of the DPA and is one that all data protection practitioners ought to be familiar with. Although it is not directly binding on the courts in Scotland (it being a decision of the English Court of Appeal), it is quite likely that a Scottish court faced with similar issues will arrive at the same conclusions as the Court of Appeal has done here.
The exemption for legal professional privilege is a narrow one; it does not cover information that might be the subject of such claims in jurisdictions other than one of the three UK jurisdictions, nor does it extend to claims of confidentiality that fall outside of the scope of legal professional privilege.
When it comes to disproportionate effort in dealing with a SAR, it is a balance between the effort to comply and the data subject’s right. It is clear from both the statutory provisions themselves and the comments of Arden LJ in this case that the data subject’s right is a fundamental one. As a consequence, the barrier is a high one when trying to argue that complying would involve a disproportionate effort. The Court did not consider that Taylor Wessing LLP had even begun the process, let alone been able to demonstrate that complying would be disproportionate. It would appear that data controllers will not simply be able to look at a SAR and dismiss it out of hand as resulting in a disproportionate effort; the fundamental nature of the right of subject access will trump the effort it is necessary to go to in order to comply in most cases.
Finally, if you’ve ever been under the belief that law firms are data processors for client information then this case is clear that this is wrong: law firms are data controllers. If a law firm receives a subject access request from a third party then the personal data must be assessed carefully to establish whether privilege exists and where it does, it must be claimed.