The march of the SARs: Dawson-Damer v Taylor Wessing LLP  EWCA Civ 74; and Ittihadieh v 5-11 Cheyne Gardens & Ors and Deer v Oxford University  EWCA Civ 121
When can legal professional privilege (LPP) be used to block a subject access request (SAR)? And when can the “disproportionate effort” exemption be used to block a SAR?
The Dawson-Damer family (DD) are the beneficiaries of a number of Bermudian trusts, one of which was the subject of this appeal. Taylor Wessing is the solicitor to its trustee, who is currently involved in legal proceedings in the Bahamas with DD for breach of the trust.
In order to obtain information that could be useful in their proceedings, DD served SARs on Taylor Wessing requesting all data of which they were subjects. Taylor Wessing has around thirty years’ worth of case files relating to the proceedings.
Taylor Wessing refused to provide this data. They relied on the DPA provision exempting data that falls under LPP (even though the ongoing proceedings were under Bahamian law). Further, they asserted that a search for the information and assessment of what fell under LPP was unreasonable and disproportionate.
The High Court judge agreed with Taylor Wessing, finding that the exemption did apply and that the search would indeed be disproportionate. In any event the judge did not think it was appropriate to exercise his discretion under the DPA to enforce the request, as assisting a party to litigation is not the proper purpose of the DPA. DD appealed this decision.
The Court of Appeal was asked to consider whether the exemption applied solely where there is a right to resist disclosure in English proceedings, or if this extended to documents protected under Bahamian law (being the view that the High Court judge had taken).
The Court decided that the exemption only applies where the information is protected by LPP under English law. As the ongoing proceedings were under Bahamian law the exemption did not apply. Therefore, if the information is not privileged under English law and no other DPA exemption applies then the SAR must be complied with.
Regarding the extent of the search, the Court stated that the burden of proof is on the data controller (here Taylor Wessing), to evidence that searching for the data would involve disproportionate effort. It appeared that Taylor Wessing had failed to provide this evidence and so could not rely on the disproportionate effort exemption.
The court also decided that the High Court judge was wrong to not exercise his discretion under the DPA. There is no rule that prohibits a SAR from being granted where there is an ulterior purpose behind the request; it would be strange if the verification of data was the sole and constant aim of a SAR.
The court therefore allowed the appeal.
Why is this important?
SARs are increasingly being used as a ‘fishing’ tactic in litigation proceedings. This data subject-friendly ruling shows its full steam ahead for SARs.
Further points to consider: Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd and others, and Deer v The University of Oxford
Three weeks after the judgment was handed down in Dawson-Damer v Taylor Wessing LLP, the Court of Appeal handed down another in Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd and others, and Deer v The University of Oxford, two further cases that concerned subject access requests made in the context of wider disputes or litigation. The key points to take away from the joint appeals are:
- the court agreed with the judgment in Durant v FSA  EWCA Civ 1746 which set out that the mere mention of a data subject’s name in a document did not necessarily mean that the documents would contain the individual’s personal data
- having a collateral purpose for making a SAR should not be a bar to ordering compliance however, the lack of a ‘legitimate reason’ when a data subject makes a SAR is a factor that will be considered when deciding whether to grant relief
- data controllers cannot rely on the principle of proportionality to justify a blanket refusal to comply with a SAR but it can limit the scope of the search the data controller has to undertake to be compliant with a SAR
- In addition, when exercising the discretion to order compliance with a SAR, the courts should have regard to:
– the nature and gravity of the breach
– whether there might be a more appropriate route to obtaining the requested information such as disclosure in legal proceedings
– whether there was an absence of a legitimate reason for having made the request
– whether the SAR constitutes an abuse of process, such as where the information requested has already been provided otherwise than under a previous SAR, or where documents are sought of which the data subject was an author or recipient and
– whether the request is for specific documents rather than personal data.
Any practical tips?
There are three key watchouts:
- The privilege exemption: Beware the territorial limitations when it comes to using LPP to try to block a SAR. Dawson-Damer shows that the LPP exemption only applies to information which would attract LPP as a matter of English law. And from a purely practical perspective, one can see the decision having a negative impact on foreign bodies looking for legal advice. By way of example, foreign trustees may avoid instructing solicitors based in the UK for fear of losing privilege via a SAR.
- The reasonable search: When served with an SAR, make sure you can show in evidence that you have carried out a reasonable search of the relevant files. In Dawson-Damer, Taylor Wessing failed to show what it had done to identify the material and to work out a plan of action – accordingly, it could not refuse to provide information on the basis that any search for non-LPP material would require “disproportionate effort”.
- The purpose of the SAR: The Court of Appeal has made it clear that a collateral purpose to a SAR does not prohibit it. The fact that DD’s purpose was to obtain information for the family’s dispute with the Bahamian trust was not a ground to allow a court to refuse to exercise its discretion to order compliance in DD’s favour.
Above all, beware the march of the SARs! Not only are they being increasingly used as a “fishing” tactic in litigation, but we are likely to see an explosion in the level of requests when the fee for requesting a SAR (currently £10) is removed under the GDPR. And when something becomes free, it becomes (very) popular…
Of course, if you’re in full compliance with the GDPR (including building systems to cope with the right to erasure), then you have less to worry about – because it should be relatively simple to track all the relevant data connected to a SAR. But from what we’ve seen to date, few (if any) businesses are anywhere near the kind of shape they need to be in to avoid a very large headache every time a SAR is received.