We have previously written about the difficulties of applying the General Data Protection Regulation (the GDPR) in context of trusts and estates law. However, on 14 November the ICO released updated guidance that offers welcomed clarity on the use of special category data by legal advisers and offers potential support to our position that trustees can process such data where doing so is necessary in order to comply with their fiduciary duties.
A reminder of the protections afforded to special category data
By way of background, the GDPR draws a distinction between:
- 'Regular' personal data such as a person’s name, address and phone number (the GDPR does not use the term 'regular' but it is helpful in this context); and
- 'Special categories' of personal data, which include, but are not limited to, information about a person’s racial or ethnic origin, political views, religious beliefs, health and sexual orientation.
The processing of regular personal data is allowed whenever one or more 'lawful bases' [1] applies. We expect that lawyers will generally be processing such data on the grounds that it is necessary for either the performance of their contract with their client [2] or the pursuit of their legitimate interests as a legal services provider [3]. A trustee will generally process regular personal data on the basis that it is necessary for the pursuit of their legitimate interests in properly administering the trust.
In contrast, special categories of personal data may only be processed if both:
- One of the standard 'lawful bases' applies; and
- The processing falls within the scope of one of a limited number of specific exemptions [4].
One of those specific exemptions is the legal claims exemption, which allows the processing of special category data to the extent necessary for the 'establishment, exercise or defence of legal claims' [5]. There have been concerns about the extent to which either lawyers or trustees could rely upon this.
The scope of the legal claims exemption
When the Data Protection Act 1998 was replaced by the Data Protection Act 2018 some worried that the legal claims exemption had been watered down. The old version of the exemption had three separate sub-sections which permitted the processing of sensitive data (the old law’s equivalent of special category data) to the extent:
- 'necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),
- necessary for the purpose of obtaining legal advice, or
- otherwise necessary for the purposes of establishing, exercising or defending legal rights.'
The new version of the exemption is much shorter and simply states that the processing of special category data is permitted to the extent it is 'necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity'.
On the face of it, one could argue that the change of wording reduces the scope of the exemption. One could also take the position that the term 'legal claims', if given its ordinary meaning, is narrower than 'legal advice' and in particular might only extend to contentious matters.
We argued in November last year that this would be an overly cautious view and that in fact the new exemption should be construed in exactly the same way as the old one.
It is therefore pleasing to see this position expressly confirmed in the ICO’s new guidance which reads:
'Legal claims
You must show that the purpose of the processing is to establish, exercise or defend legal claims. ‘Legal claims’ in this context is not limited to current legal proceedings. It includes processing necessary for:
- actual or prospective court proceedings;
- obtaining legal advice; or
- establishing, exercising or defending legal rights in any other way.'
In what may well be a response to STEP’s recent submissions on the subject, the guidance also provides a specific example of a trusts and estates practitioner providing advice in relation to a private trust:
'Example
A professional trust and estate practitioner advises a client on setting up a trust to provide for a disabled family member. The adviser processes health data of the beneficiary for this purpose. Although there is no active legal claim before the courts, this is still for the purpose of establishing the legal claims of the trust beneficiary for the purposes of this condition.'
All in all, this is extremely helpful guidance for both legal professionals and their clients. It is now beyond doubt that the processing of special category data is permitted to the extent necessary for obtaining of legal advice.
Reassurance for trustees
The wording of the guidance could also be interpreted as supporting the notion that trustees can rely upon the legal claims exemption to process special category data when required to do so in order to comply with their fiduciary obligations.
Since the GDPR was introduced there has been a degree of uncertainty as to exactly how trustees can justify processing the special category data of beneficiaries if they do not have consent (particularly because the 'substantial public interest' exemption is in practice unlikely to help).
However, we and others have taken the view that the legal claims exemption justifies the processing of such data by trustees to the extent necessary to comply with their fiduciary obligations (including the obligation to take account of all relevant considerations when making decisions). This is on the basis that such processing is required to establish the legal rights of beneficiaries of the trust (which, at their most basic, are to have the trust properly administered). Case law suggests that 'legal claims' and 'legal rights' should be treated as synonymous in this context.
Whilst the ICO’s guidance does not address this point expressly, it does confirm that the scope of the legal claims exemption extends to establishing the legal claims of trust beneficiaries. With this settled, it appears entirely logical that trustees should be entitled to process special category data when taking decisions in relation to the trust. We hope for more targeted guidance for trustees in the future but for now this is very much a step in the right direction.
Disclaimer
This article gives general information only and is not intended to be an exhaustive statement of the law. Although we have taken care over the information, you should not rely on it as legal advice. We do not accept any liability to anyone who does rely on its content. © Burges Salmon 2019
This article was written by John Barnett and Edward Hayes.
[1] Article 6, GDPR
[2] Article 6(1)(b), GDPR
[3] Article 6(1)(f), GDPR
[4] Article 9, GDPR
[5] Article 9(2)(f), GDPR