01 March 2017
Data Protection and Subject Access – a changing landscape
Could a UK law firm be compelled to provide personal data which it held by reason of it having advised the trustee of a Bahamian Trust?
The Court of Appeal of England and Wales has held – quite emphatically – that the answer is “yes” in Dawson - Damer & Ors v Taylor Wessing LLP  EWCA Civ 74.
The Data Protection Act 1998 (the “DPA”) (which transposes the EU Data Protection Directive (95/46/EC) into UK law) contains a right (known as subject access) for data subjects to be able to access their own personal data where it is held and processed by a data controller (section 7 of the DPA).
This right has a certain degree of tension with trust law in many jurisdictions, which do not impose an absolute duty on trustees to disclose information to beneficiaries. In particular, trustees are normally entitled to withhold the reasons for the decisions they have made.
What should be the approach of the court when beneficiaries attempt to use subject access as a means of obtaining information regarding decision-making and exercise of discretion by trustees? Or, as arose in this case, where individuals seek information and documents with the intention of using them in litigation?
Taylor Wessing LLP ("TW") were the London solicitors to Grampian Trust Company Limited ("Grampian") which was incorporated in the Bahamas and was sole trustee of a Bahamian law discretionary trust known as the Glenfinnan Settlement. Grampian had made several major appointments of funds from the Glenfinnan Settlement which were challenged as being invalid by certain of the beneficiaries.
Mrs Dawson-Damer and her children made subject access requests to TW under section 7 of the DPA.
TW refused to supply any documents pursuant to those requests – principally on the grounds that any documents which they held were covered by an exception for legal professional privilege.
Mrs Dawson-Damer and her children subsequently launched proceedings in the Bahamas challenging the validity of the trust decisions made by Grampian. They also issued proceedings in the UK against TW for failing to comply with the subject access request.
DECISION – FIRST INSTANCE
At first instance, the High Court held that TW were entitled to refuse the subject access request. There were three primary issues identified by the High Court:
- Legal Professional Privilege – it was asserted by TW and accepted by the High Court that the exception to the right of data subject access contained in paragraph 10 of Schedule 7 (which excepts “information in respect of which a claim to legal professional privilege or, in Scotland, to confidentiality as between client and professional legal adviser, could be maintained in legal proceedings” from subject access) should extend to information which Grampian could withhold in the Bahamian proceedings, whether under legal privilege or pursuant to Bahamian trust law. Under Bahamian law (the Bahamian Trustee Act 1998 to be precise), trustees are not obliged to disclose information relating to the exercise of their discretion as trustees, save in limited circumstances.
- Disproportionate Effort - the court also accepted TW’s argument that to require them to search across 30 years of files (that having been the duration of TW's involvement with the trust) in order to identify what was and what was not legally privileged (on the “broad” view of privilege taken by the High Court above) would involve disproportionate effort. Surprisingly, the High Court accepted that it would be disproportionate to expect TW to carry out any search at all, given the size of their files and the duration for which they had been advising Grampian.
- Purpose of the Subject Access Request - the High Court noted that it had a discretion (in section 7(9) of the DPA) as to whether to order compliance with a subject access request. It indicated that it would not have exercised its discretion because:
- It was not a proper use of the DPA to obtain information to assist the appellants in the Bahamian proceedings (per Auld LJ in Durant v FSA  EWCA 1746).
- It was not a proper use of the DPA to enable the appellants to obtain documents which they could not obtain by disclosure in the Bahamian proceedings.
DECISION - COURT OF APPEAL
The Court of Appeal disagreed with the High Court on all three issues:
- Legal Professional Privilege – The Court of Appeal concluded that the Legal Professional Privilege exception applies only to documents which attract legal professional privilege for the purposes of English law. This does not extend to documents which a trustee may refuse to disclose to a beneficiary by operation of trust law. The Court of Appeal held that the DPA does not establish an exception for documents not disclosable to a beneficiary of a trust under trust law principles.
- Disproportionate Effort - the Court of Appeal held that the High Court’s decision was erroneous in adopting a “wide” view of the documents likely to be within the legal professional privilege exception. TW had done no more than review their files and they had produced no evidence that a search would involve disproportionate effort. Difficulty and cost were not sufficient reasons on their own. The Court of Appeal took the view that “most data controllers can be expected to know of their obligations to comply with SARs and to have designed their systems accordingly”. Therefore the mere assertion that it would be too difficult to search through voluminous papers was not sufficient by itself.
- Purpose of the Subject Access Request - there has been much argument and discussion regarding the possibility that a court can use its discretion under section 7(9) of the DPA not to enforce a subject access request where the “real” motive for the request is to obtain information and documents for a collateral purpose – in particular for use in litigation. This is often described as the “no other purpose rule”. The Court of Appeal rejected the argument that the court’s discretion should be limited based on the underlying purpose of a subject access request. The DPA contains no requirement for a data subject to have to explain a request and nor does it limit the purpose for which one might be made. Provided that there was no abuse of the court’s process (which "the mere holding of a collateral purpose would not normally be") or a conflict of interest, the court could not use the purpose of a subject access request as a reason to limit the exercise of its discretion. Critically, the Court also held that the fact that disclosure could not be obtained from the trustees under the governing law of the trusts was irrelevant – the court was not exercising any jurisdiction in relation to the administration of the trust, which was a matter for the Bahamian courts. The exercise of the discretion not to order compliance did not need to make allowance for the trustee's right to refuse disclosure.
This decision should serve as a caution and a wake-up call to data controllers in both Jersey and Guernsey. The UK DPA forms the basis for data protection laws in both islands. Jersey’s Data Protection (Jersey) Law 2005 and Guernsey’s Data Protection (Bailiwick of Guernsey) Law 2001 are in materially identical terms to the DPA and the Court of Appeal's decision in Dawson-Damer is likely to be highly persuasive in considering the terms and effect of data protection laws in both jurisdictions.
What is the Channel Islands position likely to be?
The UK DPA lacks a specific exemption in relation to trust documentation (as the Court of Appeal made clear). In contrast, both Jersey and Guernsey have a specific exemption for trust information - under the Data Protection (Subject Access Exemptions) (Jersey) Regulations 2005 and the Data Protection (Subject Access Exemptions) (Guernsey) Order, 2015 respectively for information which a trustee would be authorised or required to withhold (irrespective of the proper law of the trust).
The exemptions are as yet untested but on their face they provide greater scope for a subject access request to be refused where the trustee would be justified in withholding information under general trust law principles. This will not of course assist where trust documents are transferred to a jurisdiction without such exemptions. Achieving equivalence with the GDPR may mean that these exemptions are reviewed – but there are very good reasons why they should be retained.
What does this mean for Channel Islands trustees?
The full impact of the decision and whether it will be followed in the Channel Islands remains to be seen, but trustees should in our view focus on the following:
- Offshore trustees should give careful consideration to situations in which they seek advice from legal advisers (or other professionals) in other countries and what information is provided for that purpose. The Dawson-Damer decision shows that should significant amounts of trust information be provided to advisers in the UK, beneficiaries and other persons connected to trusts may be able to make subject access requests under the UK DPA.
- Accordingly, trustees should ensure that they consider carefully where trust data is stored and processed – in particular in the context of third party advisers and service providers.
- When taking legal advice, gaining a clear understanding of the scope of legal professional privilege, its limitations and the scope of documents it applies to.
- Ensuring that data protection is treated as a priority – the General Data Protection Regulation ("GDPR") will come into force in May 2018 and both Jersey and Guernsey have indicated their intention to adopt equivalent legislation. Accordingly, the timescale for the GDPR is now becoming critical – if preparation has not begun, it should be prioritised.
Ultimately, information governance – which encompasses a range of issues including the duty of confidence (and exceptions to that duty), legal privilege, AML/CFT issues, CRS/CDOT disclosures and data protection - is becoming a critical issue for trustees as never before.