The world is coming to terms with the opportunities and challenges created by the vast amounts of data produced by our online existence. Recent news stories, such as those surrounding Facebook and Cambridge Analytica, have highlighted the public's concern about privacy and the use of data.
One of the attractions of trust structures has traditionally been that sensitive information can be kept confidential. Data protection legislation in the UK, and the recent Dawson Damer case, might seem to have eroded trustees' abilities to maintain the confidentiality of certain classes of documents.
However, the position may not be quite as stark as has been suggested by some commentators. In this briefing, we provide a broad overview of the evolving landscape and provide some thoughts about how it can be navigated as safely as possible.
Following the Schmidt v Rosewood judgment in 2003, the common law rules relating to the disclosure of trust information to beneficiaries appeared to have been settled. In practical terms, beneficiaries can usually expect to receive disclosure of trust accounts and copies of trust instruments. Trustees would not usually disclose letters of wishes, documents evidencing their deliberations or (slightly more contentiously) material on which deliberations have been based, or correspondence with third parties (such as other beneficiaries).
As the court said in Re Londonderry's Settlement, the disclosure of such information could potentially “cause infinite trouble in the family out of all proportion to the benefit which might be received from the inspection of the same”. It is often in the interests of beneficiaries of family trusts, and advantageous to their administration, that the exercise of powers is regarded as “an essentially confidential process” from start to finish (Breakspear v Ackland).
Data protection legislation
However, data protection legislation starts from a very different premise – that personal data must be processed fairly, and the rights of data subjects must be promoted. So, “data subjects" (i.e. people in relation to whom "data controllers" hold personal data) have the right to make a subject access request for "personal data" which a data controller may hold.
Professional advisers are likely to be data controllers (as are trustees within the jurisdiction). "Personal data"’ means any data that relates to an individual who can be identified from that data. This is defined broadly and includes expressions of opinion about the relevant person. It was not, however, clear how these principles would be applied in a trust context until the Dawson Damer judgment came out.
Dawson Damer v Taylor Wessing
To recap, the claimants in the Dawson Damer case were beneficiaries of Bahamian trusts seeking disclosure of documents in relation to significant appointments of assets. The Bahamian Trustee Act 1998 provides an enhanced ability to Bahamian trustees facing hostile litigation to refuse disclosure of any trust documents. The claimants made subject access requests to the trustees' advisers.
The English Court of Appeal concluded that the advisers had to comply with the subject access request despite the facts that: (a) complying with the request would be expensive and time-consuming; (b) there appeared to be a "collateral purpose" (of obtaining documents for litigation); and (c) the information was not disclosable as a matter of Bahamian trust law.
This outcome caused understandable concern. The judgment was seen as potentially allowing beneficiaries to obtain copies of documents evidencing the exercise of discretions, and even letters of wishes and/or confidential correspondence with third parties (such as other beneficiaries), thereby overturning established principles which allow the proper administration of trusts.
The devil is in the detail
As is often the case, the devil is in the detail. It is therefore important to understand the way that responses to subject access requests work in practice.
A data controller is only obliged to provide a data subject with their personal data; there is no obligation to provide a copy of the document within which that data appears. The obligation could be discharged by providing a schedule setting out the relevant data contained in each document. As Lewinson LJ observed in Ittihadieh, an individual using a subject access request to obtain copies of documents may well be “aiming at the wrong target”.
Further, the right to obtain personal data is not an absolute one. Where it is necessary and proportionate to protect the rights and freedoms of others, a data controller may restrict access to a data subject’s personal data. In a trust context, there are likely to be overlapping rights of confidentiality owed to other family members (and, potentially, to the settlor, especially where they might have expressed clear views on this issue).
A settlor, Steven, has left a detailed letter of wishes in which he asks the trustees to consider applying the trust funds in several different ways for the various beneficiaries. The trustees have implemented these wishes, and as such have refused to make any outright distributions to Steve's daughter, Daniella, who has had a history of relationship and addiction issues in the past. Daniella makes a subject access request.
- Daniella is unlikely to be entitled to receive the entire letter of wishes, though she may be entitled to see individual sentences relating to her. There could be an argument that all the contents of the letter should be withheld because of Steve's right to maintain the confidentiality of his wishes. This point might be explored in future cases.
- Daniella may well be entitled to see the sentences which relate specifically to her in minutes regarding the exercise of the trustees’ powers, but not copies of the minutes themselves. If Daniella's data is “mixed” with data relating to other individuals, then appropriate redactions can be made.
What does this mean in practice?
- Data protection rights should be borne in mind in the day-to-day administration of trusts. Trustees will wish to continue to keep comprehensive records, especially given the scrutiny which may be applied to their decisions. However, formal documentation and correspondence should be prepared on the basis that beneficiaries can potentially obtain references to them in any documentation held within paper or electronic filing systems.
- Where a trustee or their advisers have received a subject access request it is vital to act quickly. There is a relatively short deadline, and the penalties for missing the deadline have increased.
- Trustees' fiduciary obligations and duties of confidence must be taken into account when conducting any review and disclosing information. A trustee will not wish to risk breaching these duties in complying with a subject access request.
- The concerns which trustees will inevitably have about the confidentiality of the settlor’s communications and third parties’ privacy rights may well provide a legitimate basis for refusing the full disclosure of information.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, August 2018