The GDPR, trustees' lawyers and the right to resist subject access requests

The DPA 2018 broadens the 'legal privilege' defence to allow law firms to resist subject access requests to the extent that documents are the subject of a duty of confidentiality

03 July 2019

The General Data Protection Regulation (GDPR) contains various provisions which enable individuals to find out how their personal data is being used. In particular, Article 15 (right of access) gives them the right to request (inter alia):

  • confirmation as to what personal data is held and the purposes for which it is being processed
  • details of who personal data is shared with
  • copies of personal data.

This is known as a 'subject access request' and the third point has caused particular concern for some advisers as it could allow individuals to obtain copies of documents which would otherwise be protected from disclosure.

The right of access does not apply to documents and information which are covered by legal professional privilege (which includes both litigation privilege and legal advice privilege). However, as has been demonstrated in the recent Dawson-Damer judgments ([2017] EWCA Civ 74 and [2019] EWHC 1258 (Ch)) legal professional privilege will not always apply. This is particularly true in a trust context because, generally speaking, advice which is provided to a trustee and paid for from the trust is not privileged against trust beneficiaries [1].

So are law firms now a soft target for disgruntled beneficiaries who want to try and obtain copies of trust documents?

Importantly, the Dawson-Damer judgments were decided under the old law (the repealed Data Protection Act 1998) which has since been replaced by GDPR and the Data Protection Act 2018 (the DPA 2018).

Helpfully, the DPA 2018 expands the scope of the 'legal professional privilege' exemption to make it easier for lawyers to resist subject access requests, even where privilege cannot be maintained against the individual making the request.

The extension of legal professional privilege to cover the duty of confidentiality

The DPA 2018 does this by extending the legal professional privilege exemption so that it also applies to personal data in respect of which a duty of confidentiality is owed.

In the Data Protection Act 1998 (which is relevant to the Dawson-Damer case), the legal professional privilege exemption was set out in paragraph 10 of schedule 7, which provided that:

'10 Personal data are exempt from the subject information provisions if the data consist of information in respect of which a claim to legal professional privilege or, in Scotland, to confidentiality of communications, could be maintained in legal proceedings.'

In contrast, the equivalent provision of the Data Protection Act 2018 is paragraph 19 of schedule 2, which reads:

'19 The listed GDPR provisions do not apply to personal data that consists of —

(a) information in respect of which a claim to legal professional privilege or, in Scotland, confidentiality of communications, could be maintained in legal proceedings, or

(b) information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser.'

The 'listed GDPR provisions' include article 15 which contains the right to make a subject access request.

Crucially, paragraph 19(b), which refers to a duty of confidentiality, is new. Just as importantly, we know that it was deliberately inserted in order to extend the scope of the legal professional privilege exemption. The explanatory notes [2] for the DPA 2018 which were issued by the Department for Digital, Culture, Media and Sport state (at 684):

'[Paragraph 19] expands on the exemption in paragraph 10 of Schedule 7 to the 1998 Act'.

Conclusion

The upshot of this change is that documents need not be disclosed by a law firm in response to a subject access request if the law firm owes a duty of confidentiality to a client in respect of those documents.

A duty of confidentiality may well be owed even in situations in which legal professional privilege could not be maintained, such as if advice is provided to a trustee. Although privilege could not be maintained against a beneficiary, the law firm’s duty of confidentiality is clearly to the trustee and not the beneficiary. On this basis, the law firm could resist any request for copy documents made by the beneficiary.

The extension will also be helpful if privilege has somehow been waived, or never applied in the first place.

Law firms should therefore be robust in their response to subject access requests and ensure that they do not breach their duty of confidentiality to clients by providing too much to the individual making the request.

This article was written by Edward Hayes, an Associate in our Private Client Team. For further information, please contact Edward Hayes or John Barnett.

Disclaimer

This article gives general information only and is not intended to be an exhaustive statement of the law. Although we have taken care over the information, you should not rely on it as legal advice. We do not accept any liability to anyone who does rely on its content. © Burges Salmon 2019

[1] See for example, Halsbury's Laws of England Vol 12 (2015) para 659 which describes the position as: 'When a fiduciary relationship exists, such as between a trustee and a beneficiary of the trust … legal professional privilege cannot be claimed by the trustee, except in respect of communications and documents brought into existence by the trustee for the purpose of litigation against him by the beneficiary'.

[2] http://www.legislation.gov.uk/ukpga/2018/12/notes/division/1/index.htm

Key contact

John Barnett

John Barnett Partner

  • Head of Private Client Services
  • Head of Partnerships
  • Tax

Subscribe to news and insight

Burges Salmon careers

We work hard to make sure Burges Salmon is a great place to work.
Find out more