Subject Access Requests and Client Matters
Over the past few months we have received a number of queries as to whether a solicitors’ firm needs to respond to a data subject access request (DSAR) where the request has come from the other party in a litigation matter or from a solicitor or agent on their behalf. The answer, as you will shortly see, is not necessarily all that straightforward.
The Right to Information
Article 15 of the UK General Data Protection Regulation (UK GDPR) provides data subjects with the right to obtain confirmation from a data controller as to whether or not the data controller is processing their personal data and, where that is the case, to information relating to that data and how it is used. The purpose, as stated in Recital 63 of the GDPR, is so that the data subject can make themselves “aware of, and verify, the lawfulness of the processing.”
However, and it is an important point that we will come to shortly, that recital also states that the right “should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property”.
The issue therefore is the extent to which a provision intended to allow data subjects to be aware of what data about them is being processed should be allowed to become a provision for those bringing or defending claims, and others, to circumvent the rules of disclosure or the requirements of client confidentiality.
Providing Information
The current view taken by the Information Commissioner’s Office (ICO) is that a DSAR is “purpose blind”. In other words, the reason for the DSAR is not necessarily relevant in deciding whether or not the data controller should deal with it. There are exceptions, which we will come to. However, the starting point must be that a DSAR, when received, must be responded to within the required time limit of one month, providing all of the ancillary information required by the UK GDPR, free of charge and in an appropriate format. Thus, the firm would not be able to refuse to respond to the DSAR simply because its purpose was to obtain information in a litigation matter, for example.
Therefore, if the defendant contacts you where you act for the claimant, and asks for information about the data you hold about them, then you may not simply refuse to supply that data just because you suspect that they are making the application by way of a fishing exercise.
Manifestly Unfounded or Excessive
There are situations in which you can refuse to provide information in response to a DSAR. This will generally be where an exemption applies or where the refusal is in reliance on the provisions in Article 12 (5) of the UK GDPR. So, if an exemption applies (wholly or in part), you can refuse to supply the information that the exemption covers. More about that shortly.
Article 12 (5) provides more general reasons why you can refuse to comply with a DSAR which apply in all cases – not just in relation to legal matters. It states that where requests from a data subject are manifestly unfounded or excessive, for example because they are repetitive and designed simply to increase costs or impede the data controller, then the data controller can either charge a fee for dealing with the DSAR or alternatively refuse to act on the request. It is, however, up to the controller to prove that the request was either manifestly unfounded or excessive.
For these purposes, manifestly unfounded requires that the person making the request clearly has no intention of exercising their right, or is doing so with malicious intent. It also covers requests used to harass an organisation, with no real purpose other than to cause disruption. Note, however, that the request must be viewed in its own context and with all the surrounding circumstances. So far as manifestly excessive is concerned, a request can be viewed as such when it is clearly or obviously unreasonable, judged by whether it is proportionate when balanced against the burden or costs involved in dealing with it. That does not mean that a request is excessive just because it covers a large amount of information, even if you find it a burden to deal with. Further information can be found on the ICO website[1].
Reasons to Refuse
However, the manifestly unfounded or excessive route will not always be appropriate, so what are the other reasons you can rely on to refuse to provide information?
The first is where the data contains information that identifies another individual. The DPA 2018[2] contains a provision stating that you do not have to comply with a DSAR, if doing so means disclosing information which identifies another individual, unless they have consented to the disclosure or it is reasonable to comply with the request without that individual’s consent. Here, the ICO recommends a three-stage approach. You should first consider whether it is possible to comply with the request without revealing information that relates to and identifies another individual. If that is not possible then an attempt should be made to obtain the individual’s consent to the disclosure. If they will not consent, or it cannot be obtained, then you should look at the reasonableness of disclosing without consent.
In determining this last point, you should take account of the confidentiality of the information provided. The ICO acknowledges[3] that the solicitor-client relationship will generally carry with it a duty of confidentiality, so in most cases where such a duty does exist it is likely to be reasonable to withhold third-party information, unless you have the third party’s consent to disclose it. However, confidentiality should not be assumed and the specific circumstances of the request must always be looked at.
Do bear in mind that you will still need to respond to the requester whether or not you decide to disclose information about a third party. If the third party gives their consent, or if you are satisfied that it is reasonable to disclose it without consent, you should provide the information in the same way as any other information you provide in response to the DSAR. Note that generally this should also be within the one month allowed for a response. Also, make sure that if you refuse, you can not only justify the refusal but also keep a detailed note on your file as to why it was refused.
Aside from confidentiality relating to third-party information, you should also be aware that personal data is exempt from the right of access if legal professional privilege (or confidentiality of communications in Scotland) could be maintained in legal proceedings or it is information which a professional legal adviser could claim came within their duty of confidentiality to his or her client.
So far as privilege is concerned, this exemption covers both litigation privilege and legal advice privilege with, in essence, the former applying to confidential communications between a client, professional legal adviser or a third party where litigation is contemplated or in progress and the latter applying to confidential communications between a client and professional legal adviser for the purpose of seeking or obtaining legal advice.
Bear in mind that, other than where litigation is contemplated, legal professional privilege is only available for communications that are confidential in nature and are made solely between client and professional legal adviser acting in a professional capacity for the purpose of obtaining or providing legal advice or being used by lawyers in possible or probable litigation. For these purposes, this applies to letters, reports, emails, memos, photographs, notes of a conversation or audio/visual recordings and can include draft documents.
The previous legislation, the Data Protection Act 1998, limited this exemption to where legal professional privilege existed, stating at paragraph 10 of schedule 7 that “Personal data are exempt from the subject information provisions if the data consist of information in respect of which a claim to legal professional privilege or, in Scotland, to confidentiality of communications, could be maintained in legal proceedings.” However, the DPA 2018 has gone further than this and has added paragraph 19 (b)[4] which includes “information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser”.
This addition means, in effect, that the firm does not need to disclose information or documents when replying to a DSAR where it owes a duty of confidentiality to a client in respect of that information or those documents. This is an important addition. It means that the firm can rely on a duty of confidentiality even in those circumstances where legal professional privilege would not apply or in circumstances where privilege has been waived or never even applied.
The duty of confidentiality is a strong one and is not to be lightly ignored. The SRA Code of Conduct for Solicitors, RELs and RFLs requires at paragraph 6.3 that solicitors “keep the affairs of current and former clients confidential unless disclosure is required or permitted by law or the client consents”.
However, the new provision in the DPA 2018 does still introduce a degree of uncertainty as to how far the confidentiality protection is to be applied. Does it, for example, apply to information provided by a third party in connection with a matter where litigation is not contemplated? If that information contains relevant facts about the person making the application that the firm would rather not disclose that it holds, is it permitted to rely upon confidentiality in relation to it? How about where the solicitor instructs a third party, for example an investigator, to obtain information about someone who wishes to make a DSAR? Whilst the solicitor may be able to rely on the confidentiality principle, would the same apply to the investigator if the DSAR was directed at them?
Whilst there is no doubt that firms should take a robust approach when responding to DSARs where providing too much to the person making the request would risk breaching their duty of confidentiality to clients, they nevertheless need to be circumspect when doing so.
Finally in this section, don’t forget the provision referred to earlier and to be found in Recital 63 of the GDPR, namely that the right of access “should not adversely affect the rights or freedoms of others”. This could, in fact, be an answer to the query raised earlier as to whether information provided by a third party was subject to the confidentiality exception. If, for example, a third party has provided information about the person making the request and supplying that information to them could put the third party at risk, then it is likely that the provision referred to in Recital 63 would come into play. Firms would need to be pragmatic and reasonable in how they assess a threat to rights and privileges, but nevertheless where such information has been supplied and that information could be prejudicial to the person making the request, then in many circumstances refusal could be justified.
Exercise Care when Refusing
So it is, therefore, possible for law firms to refuse to provide information in certain circumstances. That does not mean that a blanket refusal to provide any information should be seen as the appropriate response. Information which can be supplied – for example personal details about the person making the request, information contained in emails or correspondence with them or their representatives, public information that may have been gathered about them, etc. – should be disclosed. Remember also that the disclosure should address why the information is being processed, the basis for processing, how it is kept secure, who it will be shared with and when it will be destroyed. Any refusal should therefore be a measured one with, where it does not breach confidentiality, a reason given for that refusal. The response should be accompanied by the reason you are not supplying the information (without, obviously, breaching confidentiality), the right of the person making the request to complain to the ICO, and their right to seek to enforce the right of access through a judicial remedy.
Be prepared also for the person making the subject access request to be dissatisfied with the response that they have received and to demand again that you provide them with data, or that you delete or cease processing the data you hold, or even that you “amend” the data – not necessarily to a correct version! If they request the data again, or if they demand that you supply them with copies of documents containing the data, then hold your nerve. Remember that the duty is to provide data, not documents, and if you have already supplied the data once then you may be able to rely on the provision that the request is unfounded or excessive and make a charge for its supply going forward – or simply refuse.
You should also make sure that you have in fact supplied all of the relevant data – something which in a complex matter might not be easy. This is one reason why doing data impact assessments is always a good idea, since the exercise may help you to identify relevant data. Bear in mind also that if the request is purely for data about a person then it is not limited to any current matters. You may have had them on the other side of a transaction on previous occasions, or may even have acted for them in other matters. The request is likely to be for details of the data you hold generally and if you cannot identify where this data is held, you may find that the requester has a valid grievance.
How Might the Law Develop?
Clearly, using a DSAR as a means of circumventing the legal process is not what was intended by the legislation. So how is the law developing, and what is the view of the courts?
The amendment to the legislation contained in the DPA 2018 referred to earlier is one example of the law moving forward to rectify a position taken by the courts. It should be viewed in the light of decisions in cases based on the previous version of the DPA, such as Dawson-Damer v Taylor Wessing [2020] EWCA Civ 352, which held that privilege did not apply to information requested from a trust by the trust beneficiaries and that the DSAR was not invalid simply because it had been made ‘for the collateral purpose of assisting in litigation’, or Rudd v Bridle & Anor [2019] EWHC 893 (QB), where the court was unwilling to accept that litigation privilege applied unless litigation was reasonably contemplated or anticipated, or the material was prepared for the purpose of enabling legal advice to be provided or information to be used in connection with the anticipated litigation.
In the case of Lees v Lloyds Bank Plc [2020] EWHC 2249 (Ch) the High Court dismissed a claim where the real purpose of the DSAR had been to obtain documents rather than information. However, one of the clearest statements of the way in which the courts may now be moving is that of Mrs Justice Farbey in X v. The Transcription Agency and Master Jennifer James [2023] EWHC 1092 (KB)[5]. In this case, which related to a refusal to disclose information because the requested data was exempt, Mrs Justice Farbey stated that the intention of the UK GDPR and the DPA 2018 was to have “a specific and limited purpose, which is to enable a person to check whether a data controller’s processing of his or her “personal data” unlawfully infringes privacy rights and, if so, to take such steps as the DPA 2018 provides … It is impermissible to deploy the machinery of the Act as a proxy for the wider purpose of obtaining documents with a view to litigation or further investigation.”
Finally on the topic of how the law might develop, it is worth noting that had the Data Protection and Digital Information Bill made it into legislation before the general election, it would have amended the threshold for refusing a DSAR from “manifestly unfounded or excessive” to “vexatious or excessive”, which could well have allowed data controllers more flexibility in refusing DSARs whose primary purpose was to thwart litigation. The examples of vexatious requests that the legislation would have given included those intended to cause distress, not made in good faith, or amounting to an abuse of process. Whether these provisions will appear in any future amendments to the legislation remains to be seen.
Conclusion
The use of DSARs to reach information that would not otherwise be available is one that will no doubt continue until such time as there is a change in the legislation. Whilst firms do have available to them a number of options for not sharing information in relation to clients and their matters, care must be exercised when doing so. Think carefully about what can and cannot be disclosed; don’t apply blanket policies; give reasons where doing so does not in itself compromise the interests of clients; abide by the requirements in relation to time limits and the supporting information that must be supplied; and ensure that you include in the response ALL of the information that pertains to the individual making the request and not just that which relates to a particular matter.
Above all, brace yourself for the backlash that will inevitably follow a refusal, keep your nerve and remember that your duty is to act in the interests of the client where those interests do not conflict with other duties.
[1] https://ico.org.uk/for-organisations/law-enforcement/guide-to-le-processing/individual-rights/manifestly-unfounded-and-excessive-requests
[2] https://www.legislation.gov.uk/ukpga/2018/12/schedule/2/paragraph/16
[3] https://ico.org.uk/media/for-organisations/documents/2619803/right-of-access-1-0-20210520.pdf
[4] https://www.legislation.gov.uk/ukpga/2018/12/schedule/2/paragraph/19
[5] https://www.bailii.org/ew/cases/EWHC/KB/2023/1092.html