The High Court has provided useful guidance on a claimant’s subject access request (SAR) where the defendants had provided partial disclosure and had claimed the legal professional privilege exemption in relation to the disclosure of some documents. The court concluded that:
The abuse issue
The defendants had responded to the SAR and argued that it was an abuse of the rights conferred by section 7 of the DPA, as its predominant purpose was not to obtain early and/or additional disclosure in relation to litigation. In this way the claimant would obtain the documents without the restrictions on collateral use imposed by CPR 31.22 (ie ‘a party to whom a document has been disclosed may use the document only for the purpose of the proceedings in which it is disclosed’). There were conflicting authorities on this issue and, although a significant purpose of the SAR was to obtain disclosures for litigation, the court decided that it was better not to rule on whether the SAR was an abuse until the Court of Appeal judgments in Dawson-Damer v Taylor-Wessing LLP, Deer v University of Oxford and Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd touching on this issue had been handed down.
The search issue
The court found that the data controller’s implied obligation to carry out a search on receipt of a SAR is limited to what is “reasonable and proportionate”. The limitation may be viewed either as imposed by section 8(2) of the DPA or as a limit imposed by the principle of proportionality, a fundamental principle of EU law which must be applied in construing national legislation implementing the EU Data Protection Directive (95/46/EC). The searches undertaken by the defendants were reasonable, proportionate and compliant with the obligations under section 7 of the DPA. The searches had involved a review of over 17,000 individual documents and generated time charges in excess of £37,000 (excluding the service providers’ charges).
The court concluded that a company is not required to ask a company director if s/he uses a personal email account for corporate business and to allow access to that account to enable the company to comply with a SAR, unless there is some sufficient reason to do so. Nor does the company have a general right of access to check the position. There was no evidence that directors had used private email accounts for company business.
The legal professional privilege issue
The evidence before the court sufficiently made out the defendants’ case for legal professional privilege in relation to the personal data in question, applying the principles in Roberts v Nottinghamshire Health NHS Trust  EWHC 1934, subject only to the iniquity and inspection issues.
The iniquity issue
Legal professional privilege may be lost if the communication or document in question came into being for the purpose of furthering a fraudulent or criminal design. A court will refuse to uphold privilege if there is a strong prima facie case of wrongdoing. A speculative case that there might be iniquity will not suffice to displace legal professional privilege. The claimant argued that legal professional privilege could not be relied on because the underlying surveillance/investigation activities were tainted by criminal conduct. However, there was not sufficient evidence for concluding that the iniquity exception applied.
The court rejected the “legally ambitious” argument that “iniquity” had a broader meaning than crime or fraud and extended to breaches of fundamental human rights and observed that such an extension of the iniquity principle could significantly erode the right to legal professional privilege, itself a fundamental human right. Accordingly, the court rejected the approach of balancing one competing right against another, which would be inconsistent with House of Lords authority in R v Derby Magistrates Court, ex parte B  1 AC 487.
The inspection issue
A court will inspect material protected by legal professional privilege, to determine whether the privilege has been properly applied, only as a last resort. This is not a proper approach for the court to take unless there is “credible evidence that those claiming privilege have either misunderstood their duty or are not to be trusted with decision making or there is no reasonably practicable alternative”, relying on West London Pipeline and Storage Limited and Another v Total UK Ltd and Others  EWHC 1729 Comm.
Employers who receive SARs will welcome this decision as it confirms that a data controller’s obligation to carry out a search on receipt of a SAR is limited to what is “reasonable and proportionate” and that a court will not go behind “legal professional privilege” without evidence to show misunderstanding or impropriety.