Privilege is an issue which frequently arises in the context of litigation - the question of what can be withheld from disclosure on the basis that it is privileged communications between client and legal adviser - and a recent spate of cases before the UK and European Courts have reconsidered various aspects of the scope of privilege. The principles discussed in these cases are important points to be considered by data controllers in the context of dealing with a subject access request.
Exemption from subject information provisions
The Data Protection Act 1998 ("DPA") provides a number of exemptions to the obligation on data controllers to provide documents to a data subject following a subject access request. One of these exemptions applies where the personal data consists of information in respect of which legal professional privilege could be maintained in legal proceedings. If privilege attaches to a document, it can operate to protect a confidential document containing personal data from disclosure.
When does privilege operate?
Broadly speaking, there are two main categories of documents to which privilege can attach:
- Confidential communications passing between a lawyer and client for the purposes of giving or receiving legal advice ("legal advice privilege"); and
- Communications in contemplation of litigation ("litigation privilege"). This form of privilege extends beyond communications solely between solicitors and clients.
Legal advice privilege
It cannot be assumed that privilege will operate to protect all communications between advisers and a client from disclosure. Many businesses will receive advice in a legal context from non-lawyers, such as HR professionals and management consultants, which might contain personal data and therefore be caught by a subject access request. The general rule in the UK is that legal advice privilege will not protect communications between a client and a non-lawyer, and this rule was recently confirmed by the Court of Appeal in the context of advice from tax advisers. In addition, general input received from a lawyer may not be protected from disclosure if it is not advice given in a 'relevant legal context'.
A further issue, which arises in ascertaining legal advice privilege, is determining who is the "client" since privilege only attaches to a communication with a "client". Many businesses communicate with lawyers through a variety of personnel and a number of discrete teams, but the Courts can take a restrictive view of which employees can be said to be the "client" for the purposes of instructing the lawyer. Each situation will depend on its circumstances, but consideration should be given as to who within the organisation is to be regarded as the "client" instructing the lawyer, and through what routes advice should be channelled.
Litigation privilege can attach to documents produced where litigation is in reasonable contemplation. If a subject access request is made by a litigant in order to recover documents in the context of issuing court proceedings, privilege may attach to communications discussing how to manage a difficult customer or situation which has arisen. The key point will be whether, in the circumstances, the document has been produced for the dominant purpose of actual or pending litigation.
Whilst the UK Courts recognise in-house lawyers may be treated as "lawyers" for the purposes of privilege, the European Court of Justice ("ECJ") recently decided that in-house lawyers do not enjoy privilege in the context of a competition investigation. The ECJ, which was influenced by the position adopted towards in-house lawyers in the majority of Member States, took the stance that in-house lawyers had a lack of independence from their employer and that meant they should not be treated the same as external lawyers.
Whilst this decision was made in the context of a European Commission competition investigation, the rationale for the decision was based on the Court's application of fundamental European law. As a result, there is potentially scope that the same rules could extend in the future to other areas such as data protection where EU authorities could have investigatory powers.
This exemption to the subject information provisions in the DPA should be kept in mind by data controllers when obtaining advice and dealing with subject access requests. Businesses should consider what strategies they wish to put in place to manage internal and external communications with advisers to maximise the chances of privilege being afforded to sensitive documentation.