Data protection rules (including GDPR and the UK Data Protection Act 2018) allow individuals to make so-called “Subject Access Requests” (SARs), through which they can seek to obtain information about the personal data held about them by organizations or individuals, along with certain other related information, including about how that data is processed. Certain exemptions may apply.
In the UK there continues to be a significant increase in the number of SARs and some of these matters have also been litigated. One matter that has been the subject of continuous litigation (in the context of the pre-GDPR EU-UK data protection regime) is the case of Dawson-Damer v Taylor Wessing, which we have previously written about here: https://www.corderycompliance.com/uk-high-court-sar-and-legal-privilege-trustee-ruling/.
On 11 March 2020 the UK’s Court of Appeal made a further important ruling in the Dawson-Damer v Taylor Wessing case, again about legal professional privilege but also about the meaning of a so-called ‘relevant filing system’.
What’s the case about?
The salient background facts of this case are as follows:
- Mrs. Dawson-Damer and her two children submitted a SAR to the law firm Taylor Wessing in the context of a dispute about a trust in the Bahamas of which Mrs. Dawson-Damer and her two children were the beneficiaries – Taylor Wessing was acting for the Bahamian trust in on-going legal proceedings. Taylor Wessing declined to comply with the request arguing that legal professional privilege applied;
- An application was made to the High Court for an order for Taylor Wessing to comply with the SAR, which the court dismissed. Following this, the case went to the Court of Appeal, which overturned the High Court decision and ruled, amongst other things, that the legal professional privilege exemption did not extend to personal data which was subject to privilege under Bahamian law – the exemption had to be considered as a matter of English law;
- Following the Court of Appeal judgment, the matter went back before the High Court, which ruled that Taylor Wessing was entitled to rely on the legal professional privilege exemption against Dawson-Damer because the latter had no Bahamian trust law rights which “cut across, limit or qualify the trustee’s claim to legal professional privilege” under English law. The High Court also ruled on the issue of what constitutes a “relevant filing system” (for the purposes of deciding whether paper files earlier maintained by Taylor Wessing fell within scope of the SAR). Here it decided that (certain of) Taylor Wessing’s paper files were a “relevant filing system”: because the files were arranged chronologically the personal data could be “easily retrieved”, and therefore going through those files looking for personal data would not be particularly burdensome. The High Court ordered Taylor Wessing to carry out that search; and,
- Next, Taylor Wessing appealed the “relevant filing system” issue and Dawson-Damer appealed the legal professional privilege issue and so the case came before the Court of Appeal again.
What did the court rule?
The privilege issue in this case is particularly technical and very much in the trust law context and so won’t be discussed further here except to say that the Court of Appeal ruled in favour of Dawson-Damer. As regards the issue of a ‘relevant filing system’ the Court of Appeal departed from previous case-law in a very useful ruling.
By way of quick reminder the issue of a ‘relevant filing system’ relates to the definition of data (as opposed to personal data). Under the previous UK data protection regime, the UK Data Protection Act 1998, ‘data’ included information that ‘is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system’. A ‘relevant filing system’ is itself defined as ‘any set of information relating to individuals to the extent that…the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible’. The issue in the case at hand was whether 35 paper files held by Taylor Wessing under the description ‘Yuills Trusts’ constituted ‘a relevant filing system’.
By way of further important background information that is relevant to the Court of Appeal’s ruling, guidance issued by the UK’s Information Commissioner’s Office (the ICO) provides a rule of thumb for identifying a ‘relevant filing system’, referred to as the ‘temp test’, in its May 2011 FAQs as follows:
“Is there any rule of thumb I can apply to establish whether I have a relevant filing system?
If you employed a temporary administrative assistant (a ‘temp’), would they be able to extract specific information about an individual from your manual records without any particular knowledge of your type of work or the documents you hold? The ‘temp test’ assumes that the temp in question is reasonably competent, requiring only a short induction, explanation and/or operating manual on the particular filing system in question for them to be able to use it.”
The Court of Appeal concluded that some aspects of the Court of Appeal’s judgment in the 2003 case of Durant v Financial Services Authority (which had adopted a narrow approach to ‘a relevant filing system’) could no longer be relied on following the European Court of Justice ruling in the 2018 Tietosuojavaltuutettu case, which we have written about here: https://www.corderycompliance.com/european-court-ruling-in-jw-data-protection-case-2-2/.
Based on this European Court judgment, the Court of Appeal ruled that in order to determine whether there is a ‘relevant filing system’ (i.e. the paper files in the case at hand) the following questions must all be answered with a ‘yes’:
- Are the files a ‘structured set of personal data’?
- Are the data accessible according to specific criteria?
- Are those criteria ‘related to individuals’?
- Do the specific criteria enable the data to be easily (or ‘readily’) retrieved?
In applying this to the case at hand the Court of Appeal ruled as follows:
- “Having concluded that the criterion ‘Yuills Trusts’ related to individuals in a very broad sense, [the High Court judge] then formed an assessment of how easy he thought the process of recovery of the personal data would be, relying on evidence that a trainee lawyer and an associate solicitor had in fact been able to extract personal data from the files, as well as the ability of a senior lawyer to identify documents subject to legal professional privilege. That was an incorrect approach. The ‘ready access’ required under the [then existing EU-UK data protection regime] must be enabled by the criteria, that is to say by the structure of the files. If access to the relevant data requires the use of trainees and skilled lawyers, turning the pages of the files and reviewing the material identified, that is a clear indication that the structure itself does not enable ready access to the data;
- In fact, the 35 files were completely unstructured beyond their chronological compilation under the description ‘Yuills Trusts’. The Judge lost sight of the need for the causative link between that criterion and the ease of retrieval of the data;
- In that connection we consider the ‘temp test’ to which the Judge referred to be of more assistance to Taylor Wessing than to [Dawson-Damer]. The temp is postulated to be ‘reasonably competent but without any particular knowledge of the type of work or the documents you hold’. None of the evidence which the Judge relied on could sensibly be regarded as satisfying that test. Whilst this is no more than a rule of thumb, its application in this case did nothing to support a finding of ready access to personal data;
- It follows, in our judgment, that [Dawson-Damer] did not establish that the 35 files were a relevant filing system […]”.
What are the takeaways?
This case was concerned with the UK’s previous data protection legislation. The scope of GDPR encompasses ‘the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.’ Under GDPR and the UK Data Protection Act 2018, a ‘filing system’ is defined as ‘any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis’. The first of the Court of Appeal’s questions that need to be addressed is about a ‘structured set’ (of personal data) and so it can be argued the Court of Appeal’s overall approach would likely apply in the context of GDPR and the UK Data Protection Act 2018.
To rephrase the cliché, it’s not a question of if you get a SAR but when you get a SAR, so you need to be in a good place to be able to deal with one. In general practical terms businesses should therefore consider doing the following:
- Check your existing SARs policy and procedure and make sure that they are up to the job, including that it is clear what information has to be provided and whether the exemptions (including legal professional privilege) are covered – update them as need be;
- Ensure that you have systems in place that can locate personal data when a SAR is made, most importantly from an IT perspective;
- Train staff on spotting and handling SARs; and,
- Set up and undertake regular compliance audits or reviews in order to identify and rectify SARs issues.
We report about data protection issues here: http://www.corderycompliance.com/category/data-protection-privacy/. For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance. GDPR Navigator includes:
- Guidance on the rights of data subjects;
- A draft Subject Access Policy for employees;
- A detailed Subject Access procedure for those handling requests;
- Guidance on the right to data portability; and
- Films and other resources on data protection topics.
For information about our Breach Navigator tool please see here: https://www.corderycompliance.com/solutions/breach-navigator/
The court’s judgment can be found here: http://www.bailii.org/ew/cases/EWCA/Civ/2020/352.html.
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784
Office: +44 (0)207 075 1785