White v Withers LLP [2009] EWCA Civ 1122

A client made a subject access request to her former solicitors under the Data Protection Act. The solicitors withheld documents, citing legal professional privilege belonging to other clients. The Court of Appeal held privilege is a valid ground for non-disclosure.

Facts

The claimant, Mrs White, was the widow of Mr Mark White. Following his death, disputes arose between her and the trustees of various family trusts. She engaged the defendant solicitors, Withers LLP, who had previously acted for her and her late husband, and also acted for the trustees. After ceasing to instruct Withers, Mrs White made a subject access request (SAR) under section 7 of the Data Protection Act 1998 (DPA 1998) for all personal data held by the firm relating to her. Withers complied in part but withheld certain documents, claiming they were covered by legal professional privilege (LPP) belonging not to them, but to their other clients, the trustees. The High Court initially ruled that a data controller could not rely on a third party’s LPP to refuse a SAR. Withers LLP appealed this decision.

Issues

The central legal issue was whether a data controller (Withers LLP) is entitled to refuse to disclose personal data in response to a SAR under the DPA 1998, on the grounds that the data is subject to legal professional privilege, where that privilege belongs to a third party (the trustees) and not the data controller itself.

Judgment

The Court of Appeal unanimously allowed the appeal, overturning the High Court’s decision. The judgment confirmed that LPP provides a valid exemption from the duty to disclose data under a SAR, irrespective of who holds the privilege.

Reasoning of the Court

Lord Justice Ward, giving the leading judgment, analysed the interplay between the DPA 1998 and the common law principle of LPP. He emphasised that LPP is a fundamental human right and not merely a rule of evidence.

Legal professional privilege is, therefore, a single, absolute and substantive common law right not to be required to disclose privileged documents and that right can only be abrogated by statute by a clear and express provision to that effect.

The court focused on the proper construction of the exemption contained in paragraph 10 of Schedule 7 to the DPA 1998. This paragraph stated that personal data is exempt from the subject information provisions if the data consists of information in respect of which a claim to legal professional privilege… could be maintained in legal proceedings. Lord Justice Ward reasoned that the wording of the exemption was general and not limited to privilege claims available to the data controller.

In my judgment, therefore, upon the proper construction of the Data Protection Act 1998, a data controller is not obliged to supply the data subject with personal data which is contained in a document which is subject to legal professional privilege. The identity of the person entitled to the benefit of the privilege is irrelevant.

Lord Justice Sedley, concurring, highlighted that the DPA 1998 gives effect to an EU Directive which is itself concerned with the protection of fundamental rights, including the right to privacy under Article 8 of the ECHR. He noted that while Parliament had elevated the right of subject access above general duties of confidentiality, it had explicitly preserved the special status of LPP.

Parliament in enacting the DPA has… given the right of subject access a status which is paramount to the general law of confidentiality; but it has respected the special status of legal professional privilege by leaving its boundaries to be determined by the common law. The common law, in its turn, has now established unequivocally that legal professional privilege is a fundamental human right, of a class which can be abrogated only by express statutory language…

Lord Justice Wilson also agreed, adding that the purpose of the exemption was to protect LPP as a class, without reference to whose privilege it was.

Implications

The decision is of significant importance as it clarifies the relationship between statutory data access rights and the common law right of LPP. It confirms that LPP is a robust and absolute right that operates as a complete defence to a subject access request under the DPA 1998 (and its successor, the UK GDPR). The ruling establishes that data controllers, such as law firms, can and must refuse to disclose information subject to a third party’s LPP, thereby upholding their duties to all clients. It prevents SARs from being used as a tool to bypass the protection afforded by privilege in litigation or other disputes.

Verdict: The appeal was allowed and the order of the High Court judge was set aside.

Source: White v Withers LLP [2009] EWCA Civ 1122