During disclosure in litigation proceedings in England and Wales, any individuals' personal data within documents requires close attention by those managing and undertaking the disclosure process. In addition to ensuring all relevant material is disclosed according to court rules, parties to litigation are required to comply with the UK data protection regime, designed to safeguard data relating to individuals.

null
Under the UK data protection regime, there is an exemption from particular UK GDPR provisions in relation to information required to be disclosed in connection with 'legal proceedings' (and 'prospective legal proceedings'). The extent of this legal proceedings exemption under the Data Protection Act 2018 (DPA 2018) was considered for the first time in a recent Scottish case, Riley v The Student Housing Co (Ops) Ltd [2023]. The case turned on the construction of the wording of the exemption, and whether it is a blanket exemption, or qualified.

 

The court found that the wording of the exemption results in a wide application. Whilst a Scottish decision, the 'legal proceedings' exemption applies throughout the UK and it seems that this was the first case to explore the purpose and scope of the exemption under the DPA 2018, in a post proceedings context.

Disclosing personal data in litigation

The 'legal proceedings' exemption is set out in paragraph 5(3)(c) of Schedule 2 of the DPA 2018:

  1. The listed GDPR provisions do not apply to personal data where disclosure of the data -
    1. is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings),
    2. is necessary for the purpose of obtaining legal advice, or
    3. is otherwise necessary for the purposes of establishing, exercising or defending legal rights,
    to the extent that the application of those provisions would prevent the controller from making the disclosure.

The Information Commissioner's Office (ICO) advises that organisations should not routinely rely on exemptions, but should consider them on a case by case basis and should justify and document their reasons for relying on an exemption. Where the 'legal proceedings' exemption applies, organisations may be exempt from certain of the UK GDPR provisions but only to the extent that complying with them would prevent the organisation disclosing the personal data.

If a data controller acts in a way which breaches data protection obligations, the risk is a report to, and investigation by, the ICO. This has potential reputational and financial implications and can be time-consuming for those dealing with any ICO investigation. Data subjects affected may also bring a claim for compensation, which will incur additional time and costs.

There is therefore a fine line between disclosing too much personal data and not complying with disclosure obligations and/or not adducing evidence to maximise a parties' prospects in the case. On one hand, the disclosure process should include the redaction of irrelevant personal data before disclosure. Parties should be prepared with explanations for redactions. Excessive redaction risks court applications challenging the adequacy of the disclosure exercise, which will inevitably lead to added litigation costs. On the other hand, the disclosure of extraneous personal data risks complaints from data subjects to the organisation and to the ICO, associated time and management costs, and potential financial penalties. It is therefore helpful to receive court guidance on the extent of the 'legal proceedings' exemption.

Is the 'legal proceedings' exemption absolute?

In Riley v Student Housing Co (Ops) Ltd [2023] SC DNF 7 (8 February 2023), the Dunfermline Sheriff's Court considered article 5(1)(a) of the UK GDPR (lawfulness, fairness and transparency) and article 5(1)(b) (purpose limitation) in conjunction with the 'legal proceedings' exemption in paragraph 5(3) of Schedule 2 to the Data Protection Act 2018 (DPA 2018) – and how they should operate.

An employee claimed that his former employer had breached the data protection principles whilst processing his personal data in defending employment tribunal proceedings brought by another former employee.

The pursuer (claimant) in the litigation had been the line manager of the former employee. In previous employment tribunal proceedings, allegations were made about the behaviour of the pursuer and other members of staff. The former employee claimed that the pursuer had used derogatory language which referred to his disability. The employment tribunal claim was successful and the former employee was awarded £9,500. In the tribunal decision, the pursuer is referred to 162 times. Later, the tribunal decision was reported in an article published online by a national newspaper, with an eye-catching headline which included the derogatory language used by the pursuer. The pursuer was then named in the body of the newspaper article on six occasions.

The pursuer argued there had been a breach of fairness and transparency and that the employer should have informed him of the proceedings, provided him with copies of the tribunal bundles, asked him to comment on the allegations made against him and invited him to provide a witness statement. He sued for £75,000 for distress and anxiety, and the impact on his employment prospects.

The employer relied on the 'legal proceedings' exemption. The key consideration was the meaning of the phrase at the end of paragraph 5(3)(c),"to the extent that the application of those provisions would prevent the controller from making the disclosure" and whether this wording qualified the exemption and if so how the employer should have acted.

The pursuer argued that the data controller must attempt to comply with the provisions of the UK GDPR before relying on the exemption, whilst the employer argued that the wording did not require this.

The court found that a data controller's duties should not fetter its discretion to conduct litigation as it saw fit or impact on its right to a fair trial. The court found that the tension between data protection requirements and the demands of litigation was exactly what the exemption was intended to address. Requiring the employer to have invited the former employee to comment and give a witness statement would undercut its discretion as a litigant.

A court or tribunal could anonymise a judgment if considered necessary to protect an individual's privacy.

There is no comment in the judgment as to whether redaction of the pursuer's personal data would have been a proportionate approach or not. This is because the judgment centred on whether the employer should have taken the particular steps alleged by the pursuer to comply with the principle of fairness and transparency where data is to be processed in connection with litigation. The sheriff made clear, "I express no opinion on what the defender [employer] should in fact have done in order to comply with the principle of fairness and transparency, as this is not the issue before me."

This decision, whilst emanating from Scottish court, and so not a precedent in English and Welsh law, nevertheless provides a persuasive judicial decision advocating the strength of the 'legal proceedings' exemption, and its wide application. In this case, the court was required to consider the 'legal proceedings' exemption after the proceedings were concluded and judgment had been handed down. This judgment endorses an approach in which parties to litigation can disclose relevant documents containing individuals' personal data, without worrying that affected data subjects must be informed, provided with bundle copies, or invited to make comment or provide evidence. However, necessity (and therefore relevance and probity) are key. Disclosure of personal data should be approached with caution. Whether this approach can be justified in any particular case depends on the context and the nature of the litigation, points at issue, disclosure and personal data.

For more information on handling data protection or queries about this article, please contact Patrick Arben, Amber Strickland or Louise Macdonald. Visit our cyber security and data protection page to find out more about the services our specialist team offer.