Professional Lien and GDPR Subject Access Request
It’s a not uncommon situation for lawyers and accountants and other professionals. Your client hasn’t paid you, you hold a lien, but then you receive an email request for their file.
A traditional and pithy two word response springs to your mind but then you read the bombshell.
“This request is a Subject Access Request (SAR) pursuant to Article 15 GDPR”
You quickly scramble to look at Article 15 (for the first time) and a feeling of horror creeps through your body and brain as you read (A15.1) “the subject shall have… access to the personal data” and (A15.3) you find that you have to “provide copies of the personal data” and to add insult to injury, you can’t even charge the tenner that you could under DPA 1998.
Finally you turn to Article 83(5), you know, the one that says that you are going to get a E20 Million fine if you don’t give them what they want and by the short mental hop that is catastrophic thinking, you just declared your company insolvent and joined the ranks of the prematurely retired and chronically under pensioned at the local Probus club. Nightmare.
The only way to avoid the above scenario, you reason, is to forget your lien and just to hand over the file.
Or is it ? STOP as the Green Cross code man might have said (that one is for anyone born before 1980). There may be ways of complying with your obligations whilst at the same time protecting your lien.
This is the point where I pop in a quick disclaimer. There are a whole raft of exemptions not touched on is this article and if you want to look at them I would suggest you hit the schedules to DPA 2018 As an example exam scripts have a specific exemption that might help schools and other educational organisations. More of that later.
Also my old and wise tutor in data compliance used to say the Data Protection Act should be renamed Fifty Shades of Grey. The reason being much of data law is, shall we say, a bit hazy. GDPR makes things worse, if anything, and there are many occasions where, on reading it, you are left not totally sure what the drafters had in mind.
Accordingly this article is not legal advice and cannot be taken as law. It is opinion only so don’t act on it thinking you can blame me if it all goes horribly wrong. You can’t. No doubt things will become clearer as the law develops.
The first port of call might be to consider and clarify the obligation you are under.
Conflating the definition of personal data with the obligation under Article 15, and paraphrasing wildly for ease of understanding, the obligation reads;
The data controller must provide to the data subject a copy of the information undergoing processing that relates to them.
We must be clear (as Teresa May might say), that a subject access request under Article 15 of the GDPR is a request to see a copy of the information undergoing processing that relates to the data subject as opposed to a right to see copies of documents containing personal data. This is not the same thing.
So as an obvious example. Consider a copy of a long contract which you signed on behalf of the company you work for. Your personal data would be the parts of the document that contain your personal data (in this case it may just be your name and signature) not the whole contract (because that relates to the firm)
Whilst the easiest way to provide certain forms of data may be simply to send the person making the request a copy of the entire document containing that data, there is no obligation upon the holder of the data to do so
Then consider GDPR recital 63 which says of Article 15,
“That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property”
There is no case law on this I am aware of, but this would include documents that contain personal data but the substance relates to something over which you hold IP rights.
Some examples.
An architects client sends in a SAR hoping to get a copy of the plans drawn up by architect
My View. The plans are not personal data and do not relate to the data subject
An injury solicitor receives a file request from a client seeking to challenge his fee
My View. Large parts of the file will not relate to the data subject (for example; the contract parts relating to the obligations of the firm, some file notes between fee earners, and the experts signature and qualifications. Other parts can be redacted and other documents with the names of other data subjects such as witness statements may have to be redacted or left out entirely if they do not relate to the data subject).
An accountant receives a SAR requesting the completed accounts from a client who has not paid.
My View. If the organisation is a limited company then the accounts will not relate to the data subject. Even if the organisation is a sole trader, the numerical information probably does not identify the data subject and I would just send a copy of the document with the sole traders name showing but with the figures redacted.
Another exception is found in recital 62
“ However, it is not necessary to impose the obligation to provide information where the data subject already possesses the information ….. or where the provision of information to the data subject proves to be impossible or would involve a disproportionate effort.”
Again, I am not aware if this has been tested yet, but you can see where the gaps in the obligation might lie. Consider a legal file, where you have already sent the document containing the personal data once, you may be able to refuse to send it again.
Lastly, when making any disclosure, whether you have a lien or not, you are obliged to consider the rights of other data subject apart from the person making the SAR. So a statement taken from an individual may contain the name of the person who is making the SAR and be about them, but you would have to think carefully whether you could or should disclose any or all of it. It might be hard to do so with without disclosing enough about the statement maker to identify them and you may not have their consent or other grounds for this purpose.
When it comes to other data subjects you could go on forever but it’s probably enough here to say that you need to look very carefully at all the other subjects’ personal data, before sending anything off to the person making the SAR.
If you find yourself in the position where you think someone is using a SAR just to get hold of your file without paying for it or even parts of your file over which they hold no proprietary right (such as file notes) then my initial advice would be to go look at the file and look at your obligation.
Once you have decided what you do an do not have to send it might be worth writing back to the data subject together with your standard SAR reply with an advice of what you are and what you are not obliged to send.
We recently dealt with an exam board who received many SARs from disgruntled scholars wanting to see their script. Just to make things more awkward, the SARs were on the whole, not specific and just asked for ‘all my personal data’.
We were able to advise them that this was an exception to GDPR (DPA 2018 Sch 2 Pt 4 25(1)) and they did not have to provide a copy of the script. When this was pointed out to the data subjects, the requests fell away and the exam board could close the request.
I am not advocating an obstructive approach to dealing with legitimate SARs generally. It is the misuse of SARs, especially when you hold a lien, that can impose an unfair burden on businesses and lead to an erosion of traditional lien rights. Data privacy laws must be applied in such a way as to achieve a fair balance between the rights of the data subject and the rights of the data controller.