Subject access in a professional services context

Article 15 of the General Data Protection Regulation (GDPR) gives data subjects the right to obtain their personal data from data controllers by submitting a subject access request (SAR). The request can be made to any data controller for the purposes of the individual finding out:

• whether any of their personal data is being processed

• what personal data is being processed

• whether that personal data is being processed lawfully.

SARs are most commonly submitted in a consumer or employment context - typically by those who wish to use the right of subject access to decide whether to litigate, or to obtain early disclosure in litigation.

Sometimes, however, a SAR might be made outside of the ordinary consumer/business or employee/employer relationship and instead be made in a professional services context. For example:

• one party to a legal dispute might make a SAR to the opposing party’s legal counsel

• a former client might make a SAR to their former advisor, such as their former legal counsel or accounting advisors

• an employee might make a SAR not only to their employer but also to their employer’s adviser.

While receiving SARs in these contexts is less common, the unique nature of professional services relationships and the competing duties owed to different parties mean that responding can prove challenging.

Circumstances specific to professional services

The primary relationship in a consumer SAR context will typically be between the consumer and the business. Similarly, for a SAR received in an employment context, the primary relationship will typically be between the employee and the employer. In contrast, when a SAR is received in a professional services context, a number of important relationships may need to be taken into account and competing duties may arise from those relationships. 

For instance, professional services firms with existing clients will be particularly keen to ensure that their advice to those clients remains confidential. In the case of litigation, the parties will want to ensure that their legal strategy is not disclosed to the other side. And in the case of those retained by clients to carry out confidential investigations (often covering very sensitive fact matrices), the investigators will want to ensure that data provided to them in confidence are not disseminated, thereby aggravating an already volatile situation.

What can the parties in these tricky scenarios do when they are faced with a SAR?

Third-party information

Recital 63 of the GDPR sets out that the right to access personal data “should not adversely affect the rights or freedoms of others”. The Data Protection Act 2018, the UK legislation implementing the GDPR, ensures that third-party rights are not disproportionately affected. It does so by ensuring that third-party data is only disclosed to the data subject either with the consent of that third party, or where it is reasonable to disclose the data without such consent.

This is a helpful exemption for professional services firms when dealing with cases in which difficulties arise because of a clash of competing rights between two opposing parties.

Often, the data of Party A (the data subject) will be completely distinct from that of Party B (the potentially opposing party), in which case Party B’s data can simply be redacted without affecting Party A’s data. However, a balancing act is necessary in situations with “mixed” data - for example, where Party B holds an opinion about Party A. This is mixed because the opinion belongs to Party B, but it concerns Party A. Data controllers, when deciding whether to disclose mixed data, will need to balance competing rights - the rights of data subject to their data, and the rights of the third party to their privacy.

The Court of Appeal (CA) gave a useful judgment concerning mixed data in the 2018 case of DB v GMC. The CA confirmed that:

• The data controller is the primary decision-maker in determining whether it would be reasonable to disclose third-party data.

• The legislature envisaged a wide margin of discretion when making that decision.

• The data controller has a wide margin of discretion as to which particular factors to treat as relevant to the balancing exercise.

Relevant factors in the professional services context will include: any duty of confidentiality owed to the third party; the nature of the relationship between the data controller and the third party; and the nature of the relationship between the third party and the data subject. In many cases the third party will be the firm’s own client, so balancing the above factors will often fall in the third party’s favour.

The third-party data exemption is useful for professional services data controllers in appropriate cases, so long as they use it reasonably and consider the balance of competing interests when doing so. They can redact third-party data where it is reasonable to do so in order to prevent disclosure to a data subject and protect the third party’s privacy. Or they can withhold the data completely where it is mixed data and it would be unreasonable to disclose the data without consent. Alternatively, it might be that the balance lies with the requesting data subject so that data should be provided.

Legal professional privilege and the duty of confidence

Another useful exemption for professional services firms relates to legal professional privilege. It specifies that the right of access under a SAR does not apply to information in respect of which a claim to legal professional privilege could be maintained in legal proceedings. This covers both legal advice privilege and litigation privilege. Bearing in mind the context for how professional services firms might interact with data subjects, there is potentially a lot of material that would be covered by this exemption.

Law firms, and other professional services firms in some limited contexts, can also benefit from the second part of this exemption, which says that that the right of access under a SAR does not apply to information in respect of which a duty of confidentiality is owed by a professional legal adviser to its client. The extension of the exemption to cover the duty of confidence makes it much broader than its previous iteration under the (now replaced) Data Protection Act 1998. Where a law firm (or other legal adviser in a professional services firm) receives a SAR, not only can it potentially withhold the advice that it has provided to clients under legal professional privilege, but also any other data which attracts a duty of confidence.

The Solicitors Regulation Authority’s Code of Conduct for Solicitors, RELs and RFLs and Code of Conduct for Firms require lawyers to keep the affairs of current and former clients confidential unless disclosure is required or permitted by law, or the client consents (see paragraph 6.3 of both codes). Confidentiality will attach to all information given to lawyers by a client or a third party, in connection with the retainer in which they or their firm are instructed.

Given that most of the information provided to lawyers is in connection with the applicable retainer, most of the data processed will be exempt from disclosure. Nonetheless, it is worth bearing in mind the full suite of services provided by lawyers and the extent to which data will be privileged or confidential. Where a lawyer is providing other services, such as conducting an open investigation or providing training, the exemptions set out above are unlikely to apply.

A final word of caution

The third-party, legal professional privilege and duty of confidence exemptions are therefore potentially broad in scope. Despite this, professional services firms should be cautious about asserting blanket legal privilege or other exemptions in relation to all the data in question without first conducting any searches and reviewing materials uncovered to verify that this is the case.

For example, even in situations where it appears that most data might be subject to legal professional privilege, there is always a possibility that a professional services firm might be processing data belonging to the data subject which is not subject to privilege. If a firm simply makes a blanket assertion that all data is exempt without conducting proper searches, it will leave itself vulnerable to a complaint from the data subject and enforcement action by the Information Commissioner or the courts.

Details of how we can help with SARs and other matters concerning data privacy are available here.