Data Controller DSAR obligations clarified
This blog highlights the key points from the recent decision in Dawson-Damer and others v Taylor Wessing LLP and others [2019] EWHC 1258 (Ch).
Dawson-Damer and others v Taylor Wessing LLP and others [2019] EWHC 1258 (Ch)
This is the latest judgment in a long-running multijurisdictional dispute between the beneficiaries of an offshore discretionary trust and its trustee. The judgment relates to issues arising out of a data subject access request (DSAR) made by the claimants against the firm acting for the trustee (Taylor Wessing). The judgment clarifies the obligations of data controllers in the context of DSARs. Due to the timing of the DSAR (2015), the judgment was concerned with sections of the Data Protection Act (DPA) 1998. However, the findings are relevant to the interpretation of equivalent provisions in the Data Protection Act 2018.
Key points to note from the judgment are:
- Where filing systems do not allow for the high-level identification of the data subject, data controllers will not be able to argue against conducting a search of those files based on inconvenience alone. If the filing system meets the criteria set out in Tietosuojavaltuutettu [2018] All ER (D) 48 (Jul) then it will need to be searched for the purposes of any DSAR. The Court emphasised that since the protection of personal data has become a fundamental right in EU law, greater weight must be given to protecting that right than inconvenience to the data controller when balancing those interests,
- The legal professional privilege exemption for DSAR disclosure obligations only applies to documents attracting privilege under English law, and not documents attracting privilege as a matter of statute in other jurisdictions, and
- The burden lies with the data controller to prove that a reasonable and proportionate search has been conducted for a DSAR applicant’s personal data.
A longer commentary article will follow.





