Jonathan Swift QC considers the lines of defence available to firms faced with a subject access request, and whether they should be treated as data controllers at all

All law firms are data controllers under the Data Protection Act 1998 (DPA). Two recent decisions of the Court of Appeal highlight the risk that client information held by firms can be vulnerable to disclosure through subject access requests under the DPA. The cases are Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74 and Deer v University of Oxford [2017] EWCA Civ 121. But how great is this risk?

The risk arises when a DPA subject access request is directed to a law firm by someone who is not that firm’s client. The requestor only asks to see their personal data, but that information may well be held in the firm’s client files &ndash...

Continue Reading for less than 70p per day!

This article is part of our subscription-based access. Please pick one of the options below to continue.

Already registered? Login to access premium content

Not registered? Subscribe

Login  Subscribe

On-line Web Offer

To save 40% off your first years subscription enter discount code: sjweb40 at the checkout