- Personal data sought by a beneficiary of a trust under a Subject Access Request cannot be withheld by a trustee on the ground of legal advice privilege (the position being one of joint privilege)
- Manual (paper) records fall within the data protection regime if: (1) the records are a "structured set of personal data"; (2) the data is accessible according to specific criteria; (3) the criteria are "related to individuals"; and (4) the specific criteria enable the data to be easily retrieved
The Claimants are the beneficiaries of certain Bahamian trusts. A trustee of one of the trusts was legally represented by the Defendant law firm. Among other things, the Defendant held 35 paper files under the description "Yuills Trusts" arranged in chronological order.
On 4 August 2014, the Claimants (as data subjects) made Subject Access Requests (SARs) to the Defendant (as a data controller) under section 7 of the Data Protection Act 1998 (DPA 98). The SARs were made in the context of a dispute in relation to the Bahamian trusts.
The SARs had been the subject of earlier litigation reaching the Court of Appeal in which the scope of legal professional privilege (LPP) and the Defendant's search obligations were examined (see:  EWCA Civ 74). The Defendant's subsequent compliance raised further questions that were explored in the current proceedings. The questions that arose (and also considered on appeal) were as follows:
- Is the Defendant entitled to rely on the LPP exemption under paragraph 10 of Schedule 7 to the DPA 98? (LPP Issue)
- Do the Defendant's paper files constitute a "relevant filing system" within the meaning of section 1(1) of the DPA 98? (Data Protection Issue)
At first instance (see: 2019 EWHC 1258 (Ch)), it was held that the effect of the Bahamian Trustee Act 1998 effectively removed any joint privilege between a trustee and a beneficiary as it entitles trustees to refuse to disclose information concerning the exercise of fiduciary decisions. The Defendants were therefore able to avail themselves of the LPP exemption under the DPA 98.
The Judge also held that the 35 paper files did constitute a relevant filing system for the purposes of section 1(1) of the DPA 98, which required the Defendant to search each of the files for the Claimants' personal data.
Both parties appealed.
KEY LEGAL POINTS
The Court of Appeal held that LPP is a part of legal practice and procedure, not substantive trusts law. It followed that the present case was governed by English legal practice and procedure by virtue of the action being brought in England, not the Bahamas. On that analysis, the position as a matter of Bahamian law fell away.
Following a comprehensive review of the authorities, it was held that, under English law, trustees and beneficiaries are in a position of joint privilege. As a result, in the current proceedings, the Defendant could not rely on the LPP exemption under paragraph 10 of Schedule 7 to the DPA 98. It will only be in situations in which LPP can be asserted under English law that the LPP exemption may be used as a basis for non-disclosure.
Data Protection Issue
As the Defendant could not rely on the LPP exemption under the DPA 98, the Court of Appeal proceeded to consider the issue of whether the 35 chronological paper files labelled "Yuills Trusts" consisted of a relevant filing system for the purposes of section 1(1) of the DPA 98. In so doing, the Court of Appeal consulted a full suite of authorities, including: the DPA 98, the Data Protection Directive, the Court of Appeal's previous decision in Durant v. Financial Services Authority  EWCA Civ 1746, the CJEU's decision in Tietosuojavaltuutettu  EUECJ C-25/17, and the "temp test" suggested by the ICO as a rule of thumb for identifying relevant filing systems.
The Court of Appeal considered that the Court in Durant had previously taken an overly restrictive view of what constitutes a "relevant filing system". The approach in Durant required files forming part of a relevant filing system to be structured in such a way as clearly to indicate at the outset of the search whether specific information relating to an individual is held in the system and if so in which file or files it is held.
The approach favoured by the Court of Appeal was the functional test adopted by the CJEU in Tietosuojavaltuutettu which simply asks whether specific criteria enable the data to be easily retrieved. In light of the CJEU's judgment, the Court of Appeal posited four questions which must be asked:
- Are the files a "structured set of personal data"?
- Are the data accessible according to specific criteria?
- Are those criteria "related to individuals"?
- Do the specific criteria enable the data to be easily (or "readily") retrieved?
On the facts, it was on the fourth question that the Judge had fallen into error. At first instance, the Judge's adopted an incorrect approach by relying on evidence that a trainee solicitor and an associate solicitor were in fact able to extract personal data. The fact that the access to the personal data required the use of trainees and skilled lawyers manually turning pages, and reviewing identified material, it was clear that the structure of the files did not enable ready access to personal data. The manual files were completely unstructured beyond their chronological compilation under the criterion "Yuills Trusts".
The Court of Appeal considered the ICO's "temp test" to be of some assistance to the Defendant on the fourth question (whilst also recognising that the test is no more than a rule of thumb). The test asks whether a temporary administrative assistant would be able to extract specific information about an individual from manual records without any particular knowledge of the type of work or documents held. The "temp" is assumed to be reasonably competent, requiring only a short introduction, explanation and/or operating manual on the particular filing system in order for them to be able to use it.
Applying the "temp test" to the facts of the appeal did nothing to support a finding of ready access to personal data and thus the Defendant's 35 paper files could not be deemed to be a "relevant filing system" for the purposes of section 1(1) of the DPA 98.
Whilst this is a decision under the DPA 98, it will, of course, still be of relevance in the context of the GDPR and the Data Protection Act 2018 (DPA 18):
- The Court of Appeal's decision serves as a cautionary note for law firms (and other legal professionals) acting on behalf of trustees in a similar context. It will necessitate a considered and positive approach to SARs received from trust beneficiaries, rather than defaulting to the LPP exemption under the current data protection regime.
- Under the GDPR and DPA 18, a "filing system" means "any structured set of personal data which is accessible according to specific criteria…" The reference to a "structured set of personal data" under the current regime, means it is likely that the Court of Appeal's approach will continue to apply under the current data protection regime. This clarification ought to be welcomed by Controllers, particularly in an era where data subjects are becoming more cognisant of their data protection rights.