Given the publicity surrounding data protection, individuals now have a greater awareness of their data protection rights and are more likely to seek to exercise those rights. Data protection is also being used as a tactic within litigation itself. It is important, therefore, that litigators have a general awareness of any data protection issues that may arise in the context of litigation.
We have set out below the general interplay between data protection and litigation, as well as some top tips to consider when handling personal data in a litigious setting.
Interplay between data protection and litigation
Virtually all documentation involved in litigation will contain some personal data. Litigators should therefore be aware of what they can and cannot do with that personal data – i.e., is there a lawful basis to process (share/use) that personal data at different stages of litigation. Compliance with the data protection principles is fundamental when handling personal data.
Subject access requests (SARs) are increasingly being used to seek early disclosure of documents. This is because claimants are likely to receive a SAR response (usually within one month of submitting a request) before disclosure takes place. SARs are also used as a pre-litigation mechanism, to assess the viability of a claim or to simply undergo a “fishing expedition” in the hope of finding a key piece of evidence to support a claim. However, SAR responses are limited to the disclosure of the requester’s personal data, with several exemptions at a data controller’s disposal, whereas disclosure is likely to cover a much broader spectrum of information. In any event, measures should be taken to ensure there is a degree of consistency between what is disclosed under a SAR and under a disclosure exercise (see more below). The one-month deadline can also be extended for a further two months when the SAR is “complex”.
Alleged breaches of the UK GDPR are increasingly being raised during litigation as a scaremongering tactic to pressurise the other side. If a data breach is asserted during a litigious process, do not automatically assume that one has occurred, nor make any concessions. Seek further advice from data protection specialists who can properly assess the alleged breach, provide guidance on how to respond to such allegations and explain how to continue conducting the litigation proceeding in a manner that will not give rise to any further data protection issues or allegations.
Five top tips
These are our five top tips to consider when handling personal data in litigious matters:
- Be aware of data breaches generally and how they could arise in a litigation setting: Know how to recognise a data breach and your internal reporting processes. Any data breach within a litigation process is now considerably more likely to be identified and result in some form of additional action/claim/complaint being deployed as part of the wider litigation. It is therefore important to have at least a high-level understanding of how data protection interacts with the litigation process.
- Communicate with those responsible for data protection matters so there is a joined-up approach: As mentioned above, it is becoming the norm that claimants submit a SAR before, or during, litigation proceedings. As such, it is vital that any SAR response dovetails into any disclosure exercise. Responsibility for dealing with SARs and litigation proceedings may sit within different teams of an organisation and it is important to join up the dots. Clearly it is unhelpful to disclose documents as part of disclosure that were not provided in response to a SAR and vice versa. For this reason, you should carefully document any decision taken not to disclose an important document in case that decision is later challenged in either the disclosure or SAR process.
- Redacting documents for disclosure: As basic principle, if the personal data contained within a document is truly relevant to the claim, it is likely to be compliant with the data protection regime to leave the information in. However, if the personal data is not relevant, strong consideration should be had as to whether it should be redacted: large amounts of redaction can take an inordinate amount of time, which can result in a huge increase in litigation costs. Litigators may find themselves having to balance competing obligations, namely, ensuring disclosure is undertaken in a reasonable, cost-effective, and proportionate manner balanced against the rights and freedoms of the data subjects who would be affected by the non-redacted disclosure. If disclosure is likely to result in substantive harm and it is not relevant to the case, it should be redacted, and extra consideration should especially be given to any special category personal data.
- Beware of indirect references to individuals: A common misconception is that information only amounts to someone’s personal data if it directly identifies them – i.e., the information includes their name or some other form of identifier. It is important to be aware that information may indirectly identify an individual and therefore still constitutes personal data. You must carefully consider all the means a party is reasonably likely to use to identify an individual to avoid inadvertently disclosing information which, when linked with other information, (inappropriately) identifies an individual.
- Litigation communications and SARs: Potentially any communications or documents sent or received during the course of litigation could fall within the scope of a SAR and therefore may be disclosable to the other side. It is important to correctly label communications and documentation so those responsible for reviewing a SAR can consider all relevant exemptions available under the Data Protection Act 2018 (e.g., privileged communications or communications that discuss settlement negotiations) to legitimately limit what is provided under a SAR.