UK: Solicitors' Practices And Subject Access Requests

Last Updated: 4 May 2018
Article by Ben Elkington and Charles Phipps

Introduction

Like any other professional or commercial organisation, a solicitors' firm may face data subject access requests from aggrieved or merely inquisitive individuals. Like other such organisations, the firm may as a result have concerns about the confidentiality of its own internal processes in relation to matters such as client complaints, whistle-blowing investigations, grievance and disciplinary procedures, partnership disputes, and the like.

Unlike most other organisations, a solicitors' firm will typically hold large amounts of privileged and/or confidential information about its clients. That not only increases the likelihood of subject access requests being made by third parties, but also makes such requests more difficult to handle.  If you are a solicitor acting for a defendant in proceedings, how will you react to a subject access request made of you by the plaintiff that is suing your client?

The General Data Protection Regulation ("GDPR") does not amount to a revolution in data subjects' rights of access to their personal data, but it represents a significant incremental increase in the burden imposed on data controllers. The publicity surrounding the introduction of the GDPR will also do nothing to lessen a growing trend to use subject access requests as a litigation weapon. What do recent decisions have to say about such tactics and the possible grounds for objecting to them?

Changes in the regime

A data subject's present rights of access to their personal data are based on section 7 of the Data Protection Act 1998 ("DPA 1998"), as qualified by section 8 and by a variety of other exemptions sprinkled through the Act.

From 25 May 2018, when the GDPR comes into force, rights of access to personal data will be those set out in Article 15 of the GDPR, which will have direct effect in the UK. Article 23 of GDPR allows for exemptions to be introduced into national legislation and it is to be hoped that the Data Protection Bill ("the DPB"), which contains a number of such exemptions (especially in Schedule 2) and is presently wending its way through Parliament, will be in place in good time.

The data subject remains entitled under the GDPR to a copy of their personal data and to information about the purposes of processing and the identity of any recipients. However, among other changes:

1.No charge can now be made for responding to a valid request. The old £10 fee (often seen by the recipient as adding insult to injury) is abolished.

2.The range of information to be provided in response to a request is expanded. It now includes the source of the data, the period for which it is envisaged that the data will be stored, and a summary of certain of the data subject's rights.

3.The period of time allowed for a response is reduced from 40 days to one month.

Potential grounds of resistance

Where a firm acts for a client in litigation, and it receives a subject access request made by that client's opponent in the litigation, the firm's natural reaction to the request is likely to include all or some of the following (in increasingly plaintive tones):

  • "Ask our client, not us" (the firm's status as agent)
  • "But our file's privileged" (legal professional privilege)
  • "But our file's confidential" (the firm's obligation of confidentiality)
  • "But that's not what data protection is for" (collateral purpose)
  • "But that's going to be a nightmare for us to deal with" (disproportionality)
  • "But that's really unreasonable and unfair" (abuse of process/rights)
  • "But surely the Court's not going to make us answer that?" (the Court's discretion)

These understandable objections have met with only mixed success under two recent decisions of the Court of Appeal.

The firm's status as agent

The Court of Appeal disposed briefly of the first objection in Dawson-Damer v Taylor Wessing LLP [2017] 1 WLR 3255, at [55], under the heading, "Fact that TW are the trustee's solicitors of little relevance":

There is no conceptual difficulty under the DPA arising from the fact that TW is an agent. The critical point is that TW is a data controller.

Legal professional privilege

Under paragraph 19 of Part 4 of Schedule 2 to the DPB, subject access rights do not apply to:

...personal data that consists of information in respect of which a claim to legal professional privilege... could be maintained in legal proceedings.

Leaving aside the difficulties in applying to information a legal principle which has been developed in relation to documents, a solicitor's file will typically contain much unprivileged information. In Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd [2018] QB 256, at [102], Lewison LJ said:

If some personal data are covered by legal professional privilege and others are not, the data controller will have to carry out a proportionate search to separate the two.

The firm's obligation of confidentiality

Mere confidentiality is not a complete bar to a subject access request, but the right to access (of X) is qualified if the data is also the personal data of a third party (Y). Under paragraph 16 of Part 3 of Schedule 2 to the DPB, the subject data access provisions:

(1) ... do not oblige a controller to disclose information to the data subject (X) to the extent that doing so would involve disclosing information relating to another individual (Y) who can be identified from the information.

(2) Sub-paragraph (1) does not remove the controller's obligation where—

(a) the other individual (Y) has consented to the disclosure of the information to the data subject (X), or

(b) it is reasonable to disclose the information to the data subject (X) without the consent of the other individual (Y).

(3) In determining whether it is reasonable to disclose the information without consent, the controller must have regard to all the relevant circumstances, including—

(a) the type of information that would be disclosed,

(b) any duty of confidentiality owed to the other individual (Y)...

This exemption (which does not appear to have been directly in issue before the Court of Appeal in either Dawson-Damer or Ittihadieh) is naturally likely to have a more pervasive effect when the solicitor's client (Y) is an individual, rather than a corporation. In Ittihadieh, at [101], Lewison LJ observed that:

...whether it is reasonable to disclose information about another individual (Y) is an evaluative judgment which must, as it seems to me in the current state of technology, be carried out by a human being rather than by a computer.

Collateral purpose

The Court of Appeal in both Dawson-Damer (at [105] to [114]) and Ittihadieh (at [86] to [89]) rejected the submission that a subject access request was invalid if it was made with a collateral purpose, such as litigation.

Disproportionality

The judgments in Dawson-Damer and Ittihadieh are not encouraging for solicitors seeking to reject a subject access request outright on the basis that it is disproportionate, but they both confirm that principles of proportionality apply implicitly to the burdens of search, analysis and production which are imposed by a request (Dawson-Damer, at [74] to [79]; Ittihadieh, at [95] to [103]).

In Gaines-Cooper v Commissioners for HMRC [2017] EWHC 868 (Ch) HHJ Jarman QC held that HMRC, which had made significant efforts to comply with a subject access request, had done enough to comply with its obligations, even though significant quantities of potentially relevant documentation remained unexamined.

Abuse of process/abuse of rights

In Dawson-Damer, at [109], the Court of Appeal raised the possibility that an application to enforce rights of access might in some circumstances amount to an abuse of process, and this possibility was confirmed in Ittadieh, at [88]. The Court of Appeal suggested in the latter case that there was not much difference between the domestic concept of abuse of process and the EU doctrine of "abuse of rights".

The Court's discretion

In Ittihadieh, at [104] to [110], the Court of Appeal considered the nature of the Court's discretion on applications by data subjects to enforce their access rights. It held that if a data controller had failed to conduct a proportionate search in response to a valid request then, absent other material factors, the Court's discretion should usually be exercised in favour of the data subject.

However, the Court of Appeal also identified a number of factors which are of potential relevance to the Court's exercise of its discretion, including:

  • whether there is a more appropriate route to obtaining the requested information
  • the nature and gravity of the data controller's breach
  • whether there is a legitimate reason for making the access request
  • whether an abuse of rights is involved
  • whether the application is procedurally abusive
  • whether the real quest is for documents, rather than personal data
  • whether the personal data is of no real value to the data subject
  • whether the data subject has already received the data

The Court of Appeal stated that this list was not intended to be prescriptive, but it is likely to be the subject of close examination on many future applications.

One suspects that (as may already be detected in the existing case-law) the courts' application of the relevant principles will be significantly influenced by their perception of the virtues or demerits of the individual litigants involved.

Conclusion.

Following the implementation of the GDPR, subject access requests of solicitors are likely to become more common.  The requests can raise a whole host of difficult issues, which can be time-consuming and costly to resolve (and not billable).  Further, the proper response to the requests is often counter-intuitive. 

On the other side of the coin, solicitors advising individuals in relation to potential or current litigation should consider whether or not to advise their client to make a subject access request.  Such a request may succeed in eliciting sought after information or documentation, where an application for pre-action or third party disclosure would fail.

Ben and Charles will be speaking on Subject Access Requests at 4 New Square's Regulatory Enforcement in the Financial & Legal Sectors Half Day Conference on Wednesday 13th June in London. Click here for more information and to request a place.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
McDermott Will & Emery
McDermott Will & Emery
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
McDermott Will & Emery
McDermott Will & Emery
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions