The recently enacted Data Protection Act 2018 (DPA) brings into force limitations on the rights of individuals to their data under the General Data Protection Regulation (GDPR).
One of these exceptions is curious: several rights (including the right of access under Article 15) are stymied if the data in question consists of information “in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser” (para 19(b), Schedule 2, DPA).
This exception is odd for two reasons.
- First, it appears as part of a two-pronged provision under the subheading “legal professional privilege.” The first prong (Para 19(a)) excepts “information in respect of which a claim to legal professional privilege… could be maintained in legal proceedings.” That makes perfect sense as an exception for legal privilege, and indeed, it is all-encompassing. The wording in Paragraph 19(b) about confidentiality adds nothing in respect of legal professional privilege because information that is privileged is by its nature confidential. If Paragraph 19(b) is to have any meaning, it therefore seems to apply to information which is not privileged.
- The second oddity is that the DPA makes no effort to define what a duty of confidentiality in this context might look like. The Solicitors Regulation Authority states that solicitors must “keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents.” This moves the discussion on a little further, but not by very much – it begs another question, which is “what are the affairs of clients?” Most solicitors would take a cautious approach as part of their daily practice, holding the view that even disclosing the identity of a client breaches a professional duty of confidentiality. But applying that definition would lead to much broader exemptions than those that existed before Schedule 2, and the potential for abuse is obvious.
Our view is that Schedule 2 has extended the scope of the exemptions contained in the DPA considerably. In particular, we think that the duty of confidentiality must extend further than legal privilege would under law and that the exemptions would now cover some situations where:
- Information is provided by a third party in circumstances where adversarial proceedings are not in reasonable contemplation or are not the dominant purpose for gathering the information (so that litigation privilege would not apply). For example, a review of why an accident in the workplace happened in which individuals affected or involved are discussed, but which has the main purpose of avoiding such accidents occurring in future;
- A solicitor is involved in a discussion about the commercial objectives of the client which fall outside the relevant legal context in which advice is being given. For example, a solicitor might be consulted by a client to express a view on whether a course of action makes commercial sense, and individuals’ data might be discussed in that context; and
- The client discloses pre-existing information in its hands about an individual to a solicitor in the context of a confidential but not privileged exchange. In that case, the solicitor (as a Controller) cannot be required by the individual to comply with the listed GDPR provisions. However, this is not likely to work in the opposite direction – ie, if the individual exercised their rights against the client to know what that information is, then the client would probably not be able to rely on the exemption in Paragraph 19(b). In other words, the client cannot cloak pre-existing information with the exemption in Paragraph 19(b) simply because they subsequently pass it on to their solicitor on a confidential basis.
There are obviously grey areas. For example, what about the solicitor instructing an inquiry agent on behalf of the client to conduct a review of the activities of other individuals? Absent privilege, can the information generated by the inquiry agent be “information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser”? In the hands of the solicitor, the answer would seem to be “yes.” However, what if the inquiry agent is approached by the individual on the basis that the inquiry agent is also a Controller? It may be that the exemption applies to the information in respect of which the duty is owed by the legal adviser to the client, regardless of whose hands it is in.
What to do
For the moment, lawyers would be well advised as a starting point to take the view that any information about individuals that they are told by their clients, or that they acquire on their client’s behalf in a professional capacity, is covered by the Paragraph 19(b) exemption, and to maintain that line as far as possible. These boundaries will no doubt be tested by third parties launching collateral attacks on legal advisers or others assisting them. We are aware that these collateral attacks are already happening.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, January 2020