People do have strong rights under the Data Protection Act confirms Court of Appeal
On 16 February 2017, the Court of Appeal issued its long-awaited judgment in Dawson-Damer v Taylor Wessing clarifying certain aspects of the subject access right (SAR) under the Data Protection Act 1998 (DPA). The Information Commissioner’s Office intervened to make submissions in the case.
Subject to the possibility of an application for permission appeal to the Supreme Court, the Court’s decision should be seen as upholding the fundamental right of a data subject to access personal data processed by a data controller. It also underlines the need for data controllers to take a careful approach to all SARs in order to avoid a breach of the DPA requirements.
In particular, the Court’s decision confirms that the fact that a data subject has some other, collateral purpose in making a SAR does not matter – albeit it may do so if the SAR is considered to be abusive.
Further, it is common for a data controller to argue that the supply of a copy of the information in permanent form would involve disproportionate effort. The Court’s decision confirms that an assertion of disproportionate effort under the DPA can extend to the search for the information, as well as the supply of the information, but it is not sufficient for a data controller to assert that it would be a disproportionate effort to search through voluminous papers. In reaching its decision, however, the Court failed to distinguish between those circumstances when the proportionate effort criterion applies and when it does not. Further, whilst the Court decided that the balance needs to be tested between the effort to search and supply data, and the interests of the data subject, it could be argued that that the proportionality test lies between the efforts required and the volume of data held. The data subject’s interest is the fundamental right to know what personal data is being held by the controller.
Finally, the decision confirms that where a data controller intends to rely on the exception for information covered by legal professional privilege, this will be given a narrow interpretation, limited to UK jurisdictions only.
Mrs Dawson-Damer was a beneficiary under a trust. Taylor Wessing was the legal adviser to the trustees. In 2014, Mrs Dawson-Damer (and her children) made a SAR to Taylor Wessing seeking personal data relating to them held by the firm. Taylor Wessing relied upon legal professional privilege in the personal data held by it – data subject to legal professional privilege is exempted from disclosure under the DPA.
Arguing that Taylor Wessing had not complied with the SARs, Mrs Dawson-Damer and her children (the appellants) applied for a declaration from the Court under its discretion in section 7(9) of the DPA for an order compelling the law firm to comply. A High Court judge dismissed the application, but this was overturned by the Court of Appeal.
Court of Appeal Decision
There were three issues before the Court of Appeal:
- the extent of the exemption for legal professional privilege
- when the effort to comply with a subject access request is disproportionate; and
- the discretion of the court when considering an application pursuant to Section 7(9) of the DPA.
Extent of the legal professional privilege exception
Under the DPA (Schedule 7, Para 10), information is exempt from the subject access provisions where “the data consist of information in respect of which a claim to legal professional privilege … could be maintained in legal proceedings“.
The issue before the Court of Appeal was whether this exemption should be afforded a narrow or a wide interpretation. Under the narrow view, the exception would be limited to documents to which any privilege attached was legal professional privilege under UK law, so that those documents were exempt from disclosure in legal proceedings in the UK as against the appellants. The wide view extended the exception also to include any documents which the trustee could refuse to disclose to the beneficiaries under any other country’s law.
The Court of Appeal adopted the narrow interpretation. The exemption will only relieve the data controller from complying with a SAR “if there is relevant privilege according to the law of any part of the UK”.
Given that the narrow interpretation was adopted, the second issue was whether any further search would involve ‘disproportionate effort’ for the purposes of section 8(2) of the DPA. This provision qualifies the obligation in section 7(1)(c)(i) of the DPA which is to provide copies of the information sought in permanent form, “unless … the supply of such a copy is not possible or would involve disproportionate effort.“ The Court of Appeal decided that section 8(2) does not relate only to the ‘supply’ of such information, but also extends to searching for such information.
While those additional words are not in the DPA, the inclusion of searching is not obviously objectionable – it makes some sense to read ‘supply’ as including the ‘search’ steps needed and, in many ways, it makes little sense to speak of ‘supply’ without the concept of ‘search’. However, an issue the Court did not get into at all is that the concept of ‘disproportionate effort’ in section 8(2) will only kick in – whether at search or supply stage – if the information is to be provided in permanent form. If it is not to be provided in permanent form (for example, by permitting the data subject to review the data at the controller’s premises), the concept of ‘disproportionate effort’ should not apply.
The Court of Appeal decided that, in determining disproportionate effort, “the word ‘supply’ is used so that what is weighed up in the proportionality exercise is the end object of the search, namely the potential benefit that the supply of the information might bring to the data subject, as against the means by which that information is obtained. It will be a question for evaluation in each particular case whether disproportionate effort will be involved in finding and supplying the information as against the benefits it might bring to the data subject“. However – and again on this point, the Court was not engaged – it could be argued that the balancing act required in the concept of proportionality is not against the benefits to be obtained by the data subject, but relative to the size of the dataset being searched. To spend 100 hours searching a small dataset might well be disproportionate, but to do so against a very large dataset would not be.
In any event, the total failure to review certain files (here, because Taylor Wessing considered that all the papers were subject to legal professional privilege) would never suffice. The data controller must consider what data it holds, and assess, on a case by case basis, whether such data is exempt from disclosure. As the Court of Appeal noted, “[Taylor Wessing] must produce evidence to show what it has done to identify the material and to work out a plan of action. It has singularly failed to do this and so has not discharged the onus on it. ”
Discretion to grant order and collateral purpose of SAR
The trial Judge had decided that he could, in his discretion, refuse to make the order sought, because the appellants’ real motive was to use the information in legal proceedings against the trustees.
To some extent, almost all SARs have some other, collateral, purpose to them – it will probably be rare that a data subject makes a SAR only to find out what data the controller holds on him or her. There will usually be something going on that has caused the request to be made – an employment dispute, for example – where the personal data disclosed here is hoped to be useful there.
The Court of Appeal concluded that the discretion in section 7(9) DPA is a “general discretion”, which it had to apply with a view to fulfilling the purposes of the DPA, which confers rights on data subjects. As for collateral purposes, the Court said that Durant v Financial Services Authority did not create a position whereby a data subject cannot exercise their DPA rights for purposes outside the DPA. The Court reflected that “it would be odd if the verification of data was always in practice a complete aim in itself which excluded all others…neither the Directive nor the DPA compels that interpretation. Nor has Parliament expressly required a data subject to show that he has no other purpose.” However, where an application under section 7(9) DPA “was an abuse of the court’s process…or if the claimant was a representative party who had some purpose which might give rise to a conflict of interest with that of the group or body he represents” the outcome might be different.