The Data Protection Act: a new route for beneficiaries to obtain information

In Dawson-Damer v Taylor Wessing LLP [2017] EWCA 74 the Court of Appeal has determined that the Data Protection Act 1998 (“DPA”) may be used by beneficiaries of trusts to obtain information which under established trust law principles they would not have had a right to.

The DPA was enacted to implement the EU Data Protection Directive (Directive 95/46/EC) which is designed to protect EU citizens’ privacy with respect to the processing, use and exchange of personal data. It is regarded as protecting fundamental privacy rights conferred by EU law. It provides a right of access by “data subjects” (i.e. people) to their personal data held by “data controllers” by issuing written “subject access requests” (“SARs”).

If the data controller does not comply with the SAR then under the DPA the courts have a general discretion to order compliance if satisfied that the data controller has failed to comply with the SAR in contravention of the DPA. The DPA sets out a number of exceptions to a data subject’s rights of access.

Dawson-Damer concerned a dispute between the beneficiaries of certain trusts relating to substantial appointments of funds by the Bahamian trust company. London-based solicitors Taylor Wessing (“TW”) acted for the trust company. For the purpose of the litigation in the Bahamas, certain beneficiaries made SARs to TW, who declined to provide information relying on the exception under paragraph 10 schedule 7 of the DPA, being that the information requested was subject to a claim for legal professional privilege which could be maintained in legal proceedings (the “LPP Exception”). The information sought could not be obtained through the Bahamian courts as Bahamian law, which governed the trusts, provided strict statutory restrictions on a beneficiary’s right to obtain trust documents.

Three key issues were dealt with on appeal. The appellant beneficiaries were successful on all three.

 

  • The LPP Exception and Trustees’ right of non-disclosure

In their supervisory role of the administration of trusts, the English courts weigh the ability of beneficiaries to have access to information (which allows them to hold trustees to account) against things such as personal or commercial confidentiality, and balancing the competing interests of different beneficiaries, the trustees themselves and third parties (see Schmidt v Rosewood Trust Ltd [2003] 2 AC 709 at [66] and [67]). Further, as trustees are not bound to give reasons for their exercise of discretion, they are not required to disclose documents which would reveal those reasons, unless required to do so under procedural rules applying in litigation. The position is less favourable for beneficiaries seeking disclosure of trust information under Bahamian law.

The issue was whether the DPA was intended to cut across such rules, be they English law or the equivalent law in the jurisdictions governing the trusts, thus allowing beneficiaries to obtain information pursuant to a SAR which trustees would not ordinarily have to disclose. TW argued that such an intention could not have been the case.

The Court held that the LPP Exception only applied where there is relevant privilege according to the law of any part of the United Kingdom and not other jurisdictions. TW could therefore not rely on the fact that the documents subject to the SAR are not disclosable under Bahamian law relating to disclosure by trustees.

TW argued that the words “legal professional privilege” should be interpreted to extend to documents which trustees have a right to withhold from beneficiaries under trust law. The Court did not accept this argument, confining the LPP Exception to documents which are subject to legal professional privilege as conventionally understood. The Court was unable to see any aim or objective in the EU Directive relating to the DPA which justified the wider interpretation.  In the words of the judgment, when determining whether to uphold a SAR, “this Court is not exercising any jurisdiction in relation to the administration of the trust… [T]he exercise of the section 7(9) discretion [under the DPA] does not, therefore, in my judgment make allowance for the trustee’s right to refuse disclosure.”

Accordingly, TW could not rely on the EPP Exception to avoid complying with the SAR.

 

  • Proportionality

The DPA fixes the cost of a data subject making a SAR at £10. However, the obligation imposed on data controllers who receive a SAR to supply copies of information constituting personal data “in permanent form” is qualified by s 8(2)(a) whereby disclosure is not required if it “is not possible or would involve disproportionate effort”.

Disagreeing with the judgment at first instance, the Court of Appeal did not accept that TW’s compliance with the SAR would involve disproportionate effort. Yet, in coming to this view the Court held that, contrary to the Information Commissioner’s Office Subject Access Code of Practice, disproportionate effort does not simply apply to the supply of the data in the narrow sense of producing a copy of the document. It applies to all the means by which the personal data is obtained, such as finding and collating the information. Whether the supply of personal data involves “disproportionate effort” will turn on whether the effort involved outweighs the benefits it might bring to the data subject in any particular case.

Although clearly there will be limits to the search required by data controllers, the judgment makes it clear that s 8(2)(a) cannot be used by data controllers to avoid compliance simply because finding, compiling or producing personal data is costly or time-consuming and that:

“…it is clear from the recitals to the Directive that there are substantial public policy reasons for giving people control over data maintained about them through the system of rights and remedies contained in the Directive, which must mean that where and so far as possible, SARs should be enforced.”

In this vein the Court went on to make it clear that the correct approach when considering s 8(2) is to ask what steps the data controller has taken and whether it would be disproportionate to require further steps to be taken, with the burden of proof being on the data controller. It was not simply enough for TW to assert that it was too difficult to search through voluminous papers. On the facts it was found that there was no evidence that TW had undertaken a sufficient review of the potentially disclosable material to make out an argument under s 8(2).

 

  • Use of a SAR for a collateral purpose

The judge at first instance had refused to exercise his general discretion to order compliance with the SAR on the basis that: (1) it was not a proper use of the DPA to assist the claimant beneficiaries in the Bahamian proceedings; and (2) it was not a proper use of the DPA to enable the claimant beneficiaries to obtain documents which they could not obtain by disclosure in the Bahamian proceedings.

The Court of Appeal rejected any idea that there is a “no other purpose” rule. There was nothing in the DPA or the Directive which limits the purpose for which a SAR can be made or provides data controllers with the option of not providing data based solely on the requester’s purpose. The Court was concerned to avoid “undesirable secondary consequences” such as non-compliance by data controllers on the grounds that the data subject had an ulterior motive and the concern that this would lead to satellite litigation. The position would be different if the SAR was an abuse of process, however, the threshold for establishing that normally requires more than merely demonstrating that the claimant has a collateral purpose.

Conclusion

The writer understands that there are other similar cases before the Court of Appeal which may yet provide further clarification on the application of SARs in the context of trust disputes; and there are other potential issues which might arise for data subjects, for example, where the personal data being sought by one beneficiary is impractical or impossible to separate from another beneficiary’s personal data (even with redaction) and the latter does not consent to disclosure.

Regardless, this is an important decision which is undoubtedly helpful for beneficiaries seeking information about a trust’s affairs. Trustees need to prepare themselves for the greater possibility of SARs being utilised by beneficiaries.  Given the potential costs involved when faced with SAR, careful consideration will be needed as how best to respond to an SAR, both in terms of finding and collating personal data and also whether any exceptions under the DPA might be relevant.

Jeremy Bell-Connell