What's New?
On 17 July 2015, the UK Government announced a five member committee which will be tasked with reviewing the Freedom of Information Act 2000 (the “2000 Act”). Members include former Conservative leader, Michael Howard, and former Foreign Secretary, Jack Straw.
The committee is to consider whether the 2000 Act provides an appropriate balance between "transparency, accountability and the need for sensitive information to have robust protection" and the need for a "safe space" for policy making and advice giving. Politicians from both sides of the House of Commons have openly criticised the 2000 Act and a reform is expected to make it less onerous on public bodies. We will keep you updated on the review as it develops and provide advice on how to prepare for any changes.
Subject Access Requests - Subject to Scrutiny
Background
The Data Protection Act 1998 (the “Act”) allows individuals to request access to copies of personal data held about them by “data controllers” (i.e. individuals or organisations who control personal data). This is known as making a “Data Subject Access Request” or “DSAR”.
There are, however, exemptions within the Act, which set out situations in which data controllers do not need to respond to DSARs. For example, a data controller does not need to respond if the data is protected by legal professional privilege or if responding would be impossible or involve disproportionate effort.
If a data controller fails to respond to a DSAR, the requester can apply for a court order requiring the data controller to comply.
Facts
A recent High Court case considered the circumstances in which a court would compel a data controller to release personal data. In that case, a firm received a DSAR from Mrs Dawson-Damer, the wife of a beneficiary to a multi-million dollar trust fund based in the Bahamas. The DSAR related to data regarding payments from the trust to members of her family, which were the subject of an ongoing dispute in the Bahamas.
The firm did not comply with the DSAR arguing that the data was: (i) covered by legal professional privilege; and (ii) part of an unstructured filing system, and therefore exempt from the Act.
Decision
The Court upheld the firm’s decision not to disclose the personal data. The Court stated that the exemption for legal professional privilege should be applied purposively and that the Act was not intended to give parties to litigation access to legally privileged information. The Court noted that the sole purpose behind the DSAR was to obtain information which would assist Mrs Dawson-Damer in the Bahamian legal proceedings, which was not a proper purpose.
The Court held further that it would not be proportionate to order the firm to search their records for data relating to Mrs Dawson-Damer which was not protected by legal professional privilege. The Court noted that the firm’s records relating to the trust fund stretched back a number of decades and that this “would accordingly be a very time consuming (and costly) exercise”.
Comment
This case provides an interesting analysis of the DSAR rules. It shows that the courts will take a purposive approach when interpreting exemptions under the Act and that context is everything. This case will be of interest to businesses, which often receive costly and time-consuming DSARs. However, caution should be exercised when deciding whether to refuse to comply with a DSAR on grounds of proportionality or legal professional privilege. The Information Commissioner has previously disagreed with the Court on both counts and the decision has been appealed.
Co-author'd by: Kevin McDade.
