Data protection: proportionality of search and legal professional privilege

14 March 2017

Audrey Horton

The High Court has refused an application to order compliance with a subject access request where the data controller's searches had been proportionate and the legal professional privilege (LPP) exemption had been properly claimed.

Background

Individuals have the right of access to their personal data by means of a subject access request (SAR) (section 7, Data Protection Act 1998) (DPA) (section 7). If a court is satisfied that the data controller has failed to comply with the SAR in breach of section 7, the court may order compliance (section 7(9)).

A copy of the personal data and related information must be provided to an individual in response to a SAR, unless this is not possible or would involve disproportionate effort (section 8(2), DPA).

There is an exemption from the requirement to provide personal data in response to a SAR where LPP could be maintained in respect of the data. (paragraph 10, Schedule 7, DPA).

The Court of Appeal has clarified the scope of "disproportionate effort" and whether a SAR is an abuse of section 7 if its predominant purpose is litigious in Dawson-Damer v Taylor Wessing LLP, Deer v University of Oxford and Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd.

Civil Procedure Rule (CPR) 31 sets out the requirements for disclosure of documents in civil proceedings. Generally, a document that is disclosed under CPR 31 may only be used for the purpose of the proceedings in which it is disclosed (CPR 31.22).

The court will only inspect material protected by LPP if there is credible evidence that those claiming privilege have either misunderstood their duty or are not to be trusted with decision making or there is no reasonably practicable alternative (West London Pipeline and Storage Limited and Another v Total UK Ltd and Others, www.practicallaw.com/7-383-1237).

Facts

H issued proceedings against C and CP in relation to a loan agreement from CP to H.

H applied to the court to order compliance with his SAR.

C and CP responded to the SAR but relied on the LPP exemption in relation to some documents.

H argued that C and CP had not carried out adequate searches when responding to the SAR, and as to the validity of C's reliance on the LPP exemption. H also argued that C should not be allowed to rely on LPP as the data for which LPP was claimed might reveal a breach of the fundamental right to privacy. In addition, H argued that iniquity had a broader meaning than crime or fraud and extended to breaches of fundamental human rights.

Decision

The court held that the searches were reasonable and proportionate and the data controller had complied with the obligations under section 7. There was no basis on which to require further searches. C had properly claimed the LPP exemption.

Although a significant purpose of the SAR was to obtain disclosures for litigation, the court decided that it was better not to rule on whether the SAR was an abuse until the Dawson-Damer decision on this issue became available.

The data controller's implied obligation to carry out a search on receipt of a SAR is limited to what is reasonable and proportionate. The searches undertaken were reasonable, proportionate and compliant with section 7. The searches had involved a review of over 17,000 individual documents. The court did not accept the flaws alleged by H, failure to ask C or CP whether any investigations or surveillance of H had been commissioned and the failure to search private email accounts (other than C's).

There was no evidence that CP's directors had used private email accounts for company business. If a company director uses a personal email account for corporate business then he may owe the company a duty to allow access to that account if necessary to enable the company to comply with a SAR. However, the company is not required to ask the question unless there is some sufficient reason to do so. Nor does the company have a general right of access to check the position.

LPP may be lost if the communication or document in question came into being for the purpose of furthering a fraudulent or criminal design. A court will refuse to uphold privilege if there is a strong prima facie case of wrong doing. A speculative case that there might be iniquity will not suffice to displace LPP. H argued that LPP could not be relied on because the underlying surveillance and investigation activities were tainted by criminal conduct. However, there was not sufficient evidence for concluding that the iniquity exception applied.

The court rejected H’s argument that extending the iniquity principle to breaches of fundamental human rights  and noted this could erode the right to LPP, itself a fundamental human right.

Following West London Pipeline, the court will only inspect material protected by LPP to determine whether the privilege has been properly applied as a last resort.

Comment

Data controllers will welcome this decision which concluded that the searches were reasonable and proportionate and that the LPP exemption was properly claimed. The court’s comments that the data controller's obligation to carry out a search on receipt of a SAR is limited to what is reasonable and proportionate are particularly helpful. The decision also provides useful guidance on when corporate data controllers should consider searching directors' private email accounts when responding to a SAR.

Case: Holyoake v Candy and another [2017] EWHC 52 (QB).

First published in the March 2017 issue of PLC Magazine and reproduced with the kind permission of the publishers. Subscription enquiries 020 7202 1200.

Authors