Case law: Organisations cannot refuse requests for personal data on grounds it could be used in legal proceedings against them
Organisations receiving 'subject access requests' from individuals under UK data protection law may not refuse to comply solely on grounds that the personal data provided could be used against them in potential or actual legal proceedings.
This update was published in Legal Alert - April 2017
Legal Alert is a monthly checklist from Atom Content Marketing highlighting new and pending laws, regulations, codes of practice and rulings that could have an impact on your business.
UK data protection law allows an individual to ask an organisation to provide any personal data they hold on them, subject to certain safeguards. Such requests are called 'subject access requests' (SARs).
A woman and her two children were in a legal dispute with trustees of a foreign trust, and made SARs to a firm of UK solicitors advising the trust. One of the firm's arguments relied on to justify not complying with the request was that the purpose for which the requests had been made was to flush out information the woman and her children might be able to use against the trust in their legal dispute.
The High Court ruled that the principal aim of the data protection law is to allow individuals to make sure information held on them is accurate, so that making a subject access request for this other purpose amounted to an abuse of process. The firm could therefore refuse to comply with the request on those grounds.
However, this was at odds with guidance from the Information Commissioner's Office which polices data protection law. The guidance says that organisations cannot refuse to comply with a SAR because the requester is contemplating or has already begun legal proceedings.
Unsurprisingly, the Court of Appeal has overruled the High Court, saying that the relevant data protection laws are 'purpose-blind'. The fact that the personal data being requested is intended to help an individual in litigation is irrelevant, and such a request is not an abuse of process. The law firm could not refuse to comply with the request on the grounds it sought to.
- Organisations receiving subject access requests under UK data protection laws should not refuse to comply solely on grounds that the request is made against a background of potential or actual legal proceedings
Case ref: Dawson-Damer & Ors v Taylor Wessing LLP & Ors  EWCA Civ 74
Please note: An article published in the October 2015 edition of Legal Alert covered this case at an earlier stage in the legal process.
Disclaimer: This article from Atom Content Marketing is for general guidance only, for businesses in the United Kingdom governed by the laws of England. Atom Content Marketing, expert contributors and ICAEW (as distributor) disclaim all liability for any errors or omissions.