The General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA) enforce a high level of transparency on data controllers, including solicitors. In practice this generally means telling people if you’re processing their personal data and providing them with a copy of that data if they request it.
The DPA 2018 introduces an important exception to these transparency requirements for:
- information in respect of which a claim to legal professional privilege, or in Scotland, confidentiality of communications, could be maintained in legal proceedings, or
- information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser.
The exception is contained in DPA Schedule 2, Part 4:19 and it applies specifically to ‘the listed provisions’. These provisions are set out in DPA Schedule 2, Part 4:18.
They cover the information you are required to provide someone under Articles 13 and 14, either when you are collecting personal data from that individual or when the personal data comes to you from someone else.
They also include some information – including subject access requests – under Article 15 and the general principles of Article 5, but only to the extent that these principles correspond to the rights and obligations for which the exceptions to the other Articles have been made.
In practice this means that data subjects’ rights under the GDPR / DPA do not trump legal professional privilege or client confidentiality when it comes to transparency.
You will still have to respond to a data subject access request from a client on whose behalf you could maintain a claim to legal professional privilege or to whom you owe a duty of confidentiality, but you may not need to respond to his or her opponent.
The Law Society has published a practice note on legal professional privilege that may help in establishing whether privilege can be claimed.
However, as under the old Data Protection Act, the ICO can issue an information notice requiring a controller or processor to provide information that the Commissioner reasonably requires to carry out her functions.
There is no exemption for legally privileged or confidential material except that an information notice does not require anyone to give the Commissioner information in respect of which a communication is made between a professional legal adviser and the legal adviser’s client and in connection with the giving of legal advice to the client with respect to obligations, liabilities or rights under the data protection legislation.
The position is similar in respect of assessment notices, which have no effect so far as compliance would result in the disclosure of such communications.
In our next update we will be looking in more detail at the ICO’s enforcement powers and sharing the latest thinking on cross-border data flows post-Brexit.
The ICO has issued 100 penalty notices to organisations for failure to pay the new data protection fee. Read more about payment of the fee.
GDPR in practice
The Law Society’s policy team would like to talk to you about your experience of implementing the GDPR / DPA since it came into force last May. The discussion will be confidential and data will be pseudonymised.
We are happy to discuss our view of emerging good practice across the profession and to explore any issues of particular concern to you. By participating you will be helping us to develop sector-specific guidance for the profession.
To express an interest please email firstname.lastname@example.org. We look forward to hearing from you.