...a data controller to take further action in order to comply with a subject access request, overturning a High Court decision.
Legal Background
Under the Data Protection Act 1998 (DPA), individuals are entitled to request a copy of the personal data which an organisation holds about them. This right can be exercised by the individual making a subject access request (SAR). If a data controller fails to comply with such a request satisfactorily, the court may order compliance.
The DPA requires a copy of the information requested to be provided to the requester in a permanent form unless providing such a copy is not possible or would involve disproportionate effort. In addition, there are various exemptions that might apply in relation to whether personal data should be disclosed to the individual in response to their SAR, including whether the information is subject to legal professional privilege.
Facts
In the case of Dawson-Damer v Taylor Wessing LLP, a Bahamian trust company was a client of Taylor Wessing (TW), a firm of solicitors. As part of litigation, one of the beneficiaries of one of the trusts made a SAR to TW in connection with a trust dispute in the Bahamas.
TW did not comply with the SAR, saying that the data was covered by legal professional privilege and therefore exempt from disclosure as part of a SAR response. The requester applied to compel TW to comply with the SAR, and the High Court dismissed that application.
Court of Appeal (CoA)
The CoA overturned the High Court's decision and ordered TW to comply with the SAR.
In making its decision the CoA considered three main issues:
Best Practice
This decision is important. Employees may make SARs when contemplating or commencing legal proceedings against their employer, and this case potentially limits an employer's ability to reject that request on the ground that the requested data might be used as part of legal proceedings or to further a dispute. Employers should carefully consider any SARs that they receive. As part of this, employers should consider whether any of the requested personal data might be exempt from disclosure and how those exemptions should be applied.