1 Case Studies relating to privilege and solicitors Downloaded from the website of the Data Protection Commissioner on 26 th July, /2001 CASE STUDY 6/01 Legal firm identification of source of personal data lack of co-operation issue of enforcement notice This case study provides a useful example of a matter which could have been disposed of easily at the outset, but which was protracted due to lack of cooperation from a data controller in this case a solicitor. The case also demonstrates that, where I consider that an important issue is at stake, I am prepared to have full recourse to my legal powers until I reach a satisfactory conclusion. The complainant had been involved in a car collision. The complainant and the other party involved had exchanged phone numbers but not addresses. The complainant subsequently received a phone call from a solicitor, acting for the other party involved, seeking her car registration number and address. The complainant declined to provide these details, since she had understood the matter to have been informally resolved, and that no recourse to legal action had been contemplated. In any event, some weeks later the complainant received a letter at her home address from the solicitor. The complainant asked how the solicitor had obtained these details, but this information was not forthcoming. The complainant raised the matter with me, as she suspected that her personal details had not been fairly obtained by the solicitor, as required under the Data Protection Act. On raising the matter with the solicitor, she explained that her client had noted the registration number of the complainant s car, and that the Motor Registration Bureau had used this information to supply the solicitor with the complainant s address, in accordance with the provisions of the Road Traffic Acts. However, the complainant contested this assertion., since the solicitor and the complainant had declined to supply this information. Why would the solicitor have requested the car registration number during their initial phone call, the complainant asked, if the solicitor s client already had this information? The complainant argued forcefully that the solicitor must in fact have obtained the data from another source. My Office put these points in writing to the solicitor, who declined to provide any further explanation, maintaining simply that the details had been obtained from the Motor Registration Bureau. I was not satisfied with the completeness or frankness of the solicitor s response and so, after repeated refusals from the solicitor to furnish additional information, I decided to issue a formal Information Notice under section 12 of the Data Protection Act. An Information Notice obliges the recipient to furnish such information in relation to matters specified in the notice as is necessary or expedient for the performance by the Commissioner of his functions. It is an offence not to comply fully with the information sought; and in general, I only resort to
2 issuing such a Notice if I consider that necessary information will not be provided voluntarily. In response to the Information Notice, the solicitor stated that the details were obtained from its client and the Motor Registration Bureau. My Office then wrote once more to the solicitor expressing dissatisfaction with her reply. My Office had established that the Motor Registration Bureau had not been contacted by the solicitor until five months after the incident, while the complainant s home address was known to the solicitor within weeks of the incident. The solicitor was advised that, unless full particulars were forthcoming immediately, I would commence proceedings in accordance with section 30 of the Data Protection Act, 1988 for failure to comply with the Information Notice. The solicitor responded with an explanation that the complainant s address details had, in fact, been obtained from her client, and only subsequently confirmed by the Motor Registration Bureau. This belated explanation, had it been provided at the outset, would have obviated the need for the protracted and time-consuming investigation of this matter. It concerns me that, in this case, a member of the legal profession was reluctant to provide the straightforward information which I considered necessary to bring the complaint to a conclusion. It took seventeen months and the full use of my statutory powers to get the information in question. I can ill afford the time my staff had to devote to delaying tactics but where I feel an important issue is at stake I am prepared to pursue matters fully to reach a satisfactory conclusion. From my general experiences with legal practitioners to date, I consider this to have been an isolated case and not representative of the legal profession in general. However, should a similar type case arise in future from any source, I will have no hesitation in publicly naming the party involved, and in vigorously pursuing proceedings for any offences under the Act. 1/2004 Case Study 1 of 2004 Employment matters claim of legal privilege and access to medical data in the workplace An employee of a major national company had been requested to attend a doctor nominated by the employer in the context of his on-going sick leave. His employment was subsequently terminated and he made an access request under section 4 of the Data Protection Acts for a copy of the medical report. The company refused him access on the grounds that the employee had initiated legal proceedings against the company and that the report was privileged and that it did not have to be released as section 5(1) (g) applied. This section provides that the right of access under section 4 of the Acts does not apply to personal data "(g)in respect of which a claim of privilege could be maintained in proceedings in a Court in relation to communications between a client and his
3 professional legal advisers or between those advisers." I pointed out that there are two main categories of legal professional privilege recognised by Irish Courts: Confidential communications between a person and his lawyer seeking or giving legal advice and documents created by either party to provide or to obtain such advice are privileged. Documents created by either lawyer or client in anticipation or furtherance of litigation are also privileged. Therefore, communications between a person and his lawyer which provide legal advice or assistance and documents created to obtain or produce such advice or assistance are privileged if given or created in anticipation or furtherance of litigation. In deciding whether privilege could be claimed, I considered the purpose of the referral to the doctor and specifically whether it was in anticipation of legal proceedings or to obtain legal advice or whether the purpose was to determine fitness for work. The complainant stated that he had been requested by letter to attend the doctor to have his condition assessed due to his on-going sick leave no reference was made to attendance being requested in connection with any court proceedings. The company however sought to claim to my Office that the report had been sought on legal advice and in anticipation of possible future legal proceedings. I found that while there may indeed have been a possibility of legal proceedings in relation to other matters, the first formal notification of court proceedings was sent by the data subject s solicitors many months later. I further found that the purpose of the medical examination should be clear to the data subject at the time that he attends the doctor. The employee in this case was clearly under the impression that the referral was related to assessing his fitness for work only. It is an important Data Protection principle that another purpose cannot be introduced retrospectively. Furthermore, information about the purpose is required to be provided to the employee (data subject) pursuant to section 2(D)(i) and (ii) of the Acts, otherwise personal data is not treated as "fairly processed". Privilege is an important feature of court proceedings but it should not be used as a veil to seek to restrict access where it cannot be justified. As section 5(1)(g) relates to personal data in relation to communications between a client and his professional legal advisers or between those advisers, I took the view in this case that a copy of a medical report prepared for a specific personnel purpose could not be considered as such a "communication" which would attract privilege. Also, there are very limited restrictions on an individual's right of access to his or her medical data. The Data Protection (Access Modification)(Health) Regulations, 1989 provide that restrictions on access must be based on opinion by a medical professional that allowing access would cause serious harm to the individual's physical or mental health. As "harm" was not an issue, I therefore concluded that section 5(1)(g) of the Data Protection Acts,
4 1988 and 2003 could not be relied upon by the company to restrict his access to a copy of the medical report in question. I was pleased that the company accepted my view. In another employment related case, I established that a data controller cannot avoid dealing with an access request for an employee s medical report on the premise that it has been returned to the author of the report. To deal with such requests, organisations should have a clear procedure in place. The request may be for (1) the report itself and/or (2) the data on the medical file. When an access request for medical data is received, the Company Doctor/Medical Officer should be immediately advised and should make the data available unless it is considered harmful to do so. On a related question, it is sometimes considered that the employee s consent is needed for referral to a company doctor. Generally, an employer will have the right under the contract of employment to refer an employee for a medical report. Processing of personal data in a medical report involves sensitive data and section 2(B)(i) of the Acts provides that a data controller must obtain "explicit" consent from a data subject before sensitive data may be processed. Alternatively, section 2B(ii) provides for processing which "is necessary for the purpose of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment.". Relying on freely given consent implies that an employee has a right to refuse referral. Given the employer's rights under the contract of employment, this may not fully reflect the entirety of the rights and obligations involved. Therefore when the employee agrees to attend the doctor, what is important is that the employee clearly understands that s/he is required to attend the medical assessment for a particular purpose e.g. to determine whether s/he is fit to return to work and attends on that basis alone. On the other hand, if the purpose is connected with anticipation of or defence of legal proceedings then the employee should know that this is the basis for the referral. Privilege is an important feature of court proceedings but it should not be used as a veil to seek to restrict access where it cannot be justified- generally, an employer will have the right under the contract of employment to refer an employee for a medical report 2/2005 Case Study 2 - Life assurance company and medical reports - access request denied I received a complaint from a data subject who had not been given copies of medical reports, commissioned from independent specialists by a life assurance company in connection with her on-going income continuance claims the Company had discontinued her claims on the basis that she was no longer fulfilling the definition of disability, as required under her policy.
5 In investigating this complaint, I reiterated that the Data Protection Acts give people a statutory right of access to their data, including their medical records, and that this right can only be limited or set aside in very specific and narrow circumstances. The Company had cited the exemptions in section 5(1)(f) and 5(1)(g) as a basis for denying access to certain reports. Section 5(1)(f) of the Acts provides that the right of access to personal data does not apply to personal data: "(f) consisting of an estimate of, or kept for the purpose of estimating, the amount of liability of the data controller concerned on foot of a claim for the payment of a sum of money, whether in respect of damages or compensation, in any case in which the application of the section would be likely to prejudice the interests of the data controller in relation to the claim." I considered that medical reports commissioned by a life assurance company are for the purpose of assessing a claim. I found that the exemption in section 5(1)(f) permits a data controller, who puts on file an estimate of the amount of money that may be needed to meet a claim for compensation, to plead an exemption if the release of that estimate would be prejudicial. The contents of the medical reports at issue in this case did not relate to estimating liability per se. Rather, they related to whether or not there is a disability and opinions about capacity to work. It was therefore my view that this exemption cannot be claimed in respect of medical reports. The company also proposed to withhold other reports on the basis of legal privilege as provided in section 5(1)(g), as they believed that they would seriously prejudice (their) defence in any action. Section 5(1)(g) provides that the right of access to personal data does not apply in respect of data : (g) in respect of which a claim of privilege could be maintained in a court in relation to communications between a client and his professional legal advisers or between those advisers. In assessing whether privilege could be claimed, it is necessary to look at the purpose of the referral to the doctor and specifically whether it was in anticipation of legal proceedings or to obtain legal advice. My staff outlined to the Company that it is important when a life assurance company commissions a report that the claimant fully understands the purpose of the examination e.g. the purpose being for the company to assess and to come to a decision on a claim. Whether the reports were commissioned in anticipation or furtherance of litigation and thus attract privilege, falls to be determined on a case by case basis. It was understood that the decision in this case might ultimately be challenged in court and the Company indicated that in their opinion there was a high likelihood of this. The exemption refers to a potential situation where a claim of privilege could be maintained in a court in relation to communications between a client and his professional legal advisers or between those advisers. In this case, my staff considered that it was conceivable that such a claim could be maintained in a court.
6 Therefore, it was held that certain medical reports specified by the company may be withheld pursuant to section 5(1)(g) pending any court proceedings. This case shows how the balance between a data subject s right of access to personal data must be balanced with the legitimate interests of a data controller in this case one who may possibly be facing litigation. In the event of litigation not taking place, the data controller would be required to review its decision. 13/2007 Case Study 13: Dairygold - Failure to comply in full with an Access Request In June 2006, I received a complaint from a firm of solicitors acting on behalf of a client regarding alleged non-compliance with a subject access request. The data subject had made an access request to her employer, Dairygold Co-Operative Society Limited/ REOX, in March 2006 but it had not been complied with within the statutory forty day period. My Office wrote to the data controller and we subsequently received a reply to the effect that the material sought in the access request had now been supplied. However, following examination of the documents received, the solicitor for the data subject communicated further with my Office and identified certain documents omitted by the data controller. Particular reference was made to documents in relation to a workplace accident in which the data subject was involved in October My Office contacted Dairygold/Reox seeking an explanation for the missing documents. While it responded by providing observations on a number of the missing documents, it also stated that it was obtaining legal advice regarding the release of the documents relating to the workplace accident. After the exchange of detailed correspondence between my Office, Dairygold/Reox and its legal representatives, an index of all of the personal information which had been released was provided to my Office. In relation to the documents concerning the workplace accident, the solicitors for the data controller confirmed that their client was in possession of both an Internal Accident Report and a Consulting Engineer s Report. It stated that both documents were prepared in contemplation of a personal injury claim and were therefore privileged. To satisfy ourselves that there was a sound basis for the legal privilege claim in relation to these documents, my Office sought information from the data controller regarding the dates on which the two reports were created. It was confirmed that the Internal Accident Report Form was created in the days immediately following the workplace accident and the Consulting Engineers Report was created some nineteen months later in May My Office pointed out to the data controller s solicitor that the claim of legal privilege related only to communications between a client and his professional legal advisers or between those advisers and that this provision could not be applied to the internal accident report created shortly after the incident. In light of the information available to my Office, we accepted that the claim of legal privilege could be applied to the Consulting Engineer s Report. The data controller continued,
7 however, to claim legal privilege on both documents. In an attempt to bring closure to this matter, my Office requested a confidential sighting of the Internal Accident Report. Regrettably, the data controller refused to comply with this request and I had no option but to serve an Information Notice requiring that a copy of the Internal Accident Report be furnished to me. The Internal Accident Report was supplied to me in response to the Information Notice. On examining the Report I was satisfied that it contained personal data of the data subject and I was further satisfied that the limited exemptions to the right of access set down in the Acts did not apply to this document. The document also contained some limited personal data of third parties and non personal information which we advised the data controller to redact with the balance to be released voluntarily to the data subject. The Report was subsequently released in accordance with our advice. There is a tendency for data controllers in some cases to claim non-relevant exemptions under Sections 4 or 5 of the Acts to restrict the right of access. With increased frequency, accident reports in relation to workplace incidents are being withheld with data controllers claiming legal privilege on such reports. I do not accept that legal privilege applies to such reports. It is standard procedure for an accident report to be compiled by an employer in the aftermath of a workplace accident and such reports clearly do not fall into the category of personal data in respect of which a claim of legal privilege could be maintained in a court in relation to communications between a client and his professional legal advisers or between those advisers. Any data controller who is reported to me as having restricted a data subject s right of access to reports of this nature will face an investigation by my Office involving a close scrutiny of the grounds for applying the restriction. I will have no hesitation in using my full enforcement powers to ensure the rights of the data subject are upheld in relation to such cases. 9/2008 Case study 9: An access request and a successful claim of legal privilege by a Data Controller In May 2007 I received a complaint from a solicitor acting on behalf of a client regarding the alleged failure of a data controller to respond to an access request. The solicitor had submitted an access request on behalf of his client to her former employer in February The data controller failed to respond to the access request within the statutory forty-day period. My Office commenced an investigation by writing to the data controller about the complaint. We received a reply from the data controller s solicitor confirming that a response had issued to the access request. The reply included a number of documents containing personal data. However, the data controller's solicitor informed my Office that their client was claiming privilege in respect of two specific documents and was therefore not releasing them. These documents were a handwritten account by the store manager of the data subject's period of employment with the data controller and a handwritten account by the store manager relating to the data subject's alleged personal injuries suffered as a result of a workplace accident in July The
8 solicitors for the data controller informed my Office that both documents were created by their client for the benefit of legal advisers and in anticipation of litigation following receipt of two solicitor's letters on behalf of the data subject. There are some very limited exemptions within the Data Protection Acts to a data subject s right of access. These are set out in Sections 4 and 5 of the Acts. One of the restrictions to the right of access is set out in Section 5(1)(g). This states:- Section 4 of this Act does not apply to personal data in respect of which a claim of privilege could be maintained in proceedings in a court in relation to communications between a client and his professional legal advisers or between those advisers. The data subject's solicitor subsequently informed my Office of his dissatisfaction with the data controller's claim of privilege. It was necessary for my Office to be satisfied that the data controller's claim of privilege in relation to these documents was properly founded. For that purpose I requested the data controller to confirm to my Office the date(s) on which the documents were created and the purpose or purposes for which the documents were created. In response, we were informed that the relevant documents were created on two separate dates in the second half of February 2007 after the data controller received letters dated 6 February, 2007 from solicitors for the data subject. The data controller's solicitors informed my Office that the letters from the data subject's solicitors had intimated personal injuries and employment claims on behalf of the data subject. The claim of legal privilege under the Acts relates only to communications between a client and his professional legal advisers or between those advisers. The date of creation of the documents, on which the data controller was claiming privilege, when compared with the dates of its receipt of communications from the data subject s solicitors, satisfied my Office about the purpose of these documents. We accepted that the claim of legal privilege could be applied to both documents as it fell into the category of a communication between a client and his professional legal advisers. There are limited exemptions under the Acts to a data subject's right of access. When a data controller claims an exemption, my Office may request additional information from the data controller to be satisfied that the withholding of the documentation is properly founded. Such matters are dealt with by my Office on a case by case basis. 18/2008 Case study 18: A civil summons is served on the wrong person In February 2008 I received a complaint from a data subject who had received a District Court civil summons from a firm of Solicitors acting on behalf of a property management company. The civil summons named a male and a female as the defendants in the matter. The data subject shared the same full name as that of the male named on the summons. The data subject phoned the solicitors concerned to inform them that he did not know anything about the matter referred to on the summons, that the female named on the summons was not known to him and that she
9 did not reside at his address. When he asked the solicitors where they had sourced his address he was told that their enquiry agent had given it to them. My Office commenced its investigation by contacting the solicitors concerned to establish if, as alleged, the complainant had been mistakenly served with a summons which was proper to another man of the same name. The solicitors subsequently responded and confirmed that they accepted that the person who received the summons in this matter was not the person with whom their clients had contracted. They informed my Office that they had relied on information provided by an agent. They also asked my Office to convey their sincere apologies to the data subject for any inconvenience that may have been caused to him. My Office informed the data subject of the response of the solicitors and sought his views about how his complaint against the solicitors might be resolved to his satisfaction. He indicated that this could be achieved by the data controller agreeing to cover the legal and medical costs incurred by him as a direct result of being wrongly served the civil summons. The data subject informed my Office that on receipt of the civil summons it was necessary for him to engage a solicitor to deal with the matter as he had been summoned to appear before the District Court on an appointed date. He also stated that he suffered considerable distress as a result of receiving the summons and that he had attended his doctor as a direct result. The data subject was also concerned that the summons served on him was now a matter of public record in the courts system and he said that it was incumbent on the solicitors to have this matter rectified by requesting the Courts Service to clear his good name. The solicitors immediately indicated their willingness to resolve this matter as sought by the data subject and confirmed that there was no public record of the proceedings in this matter. In the solicitors view, the issue arose as a direct result of the actions of its agent. For this reason, it had been agreed that the agent would make a payment directly to the data subject's solicitor in settlement of the matter and confirmed that this had taken place. Unfortunately, the agent had not made any contact with the data subject or his solicitor on this matter. Soon afterwards the solicitors sent my Office, on their own behalf, a cheque made payable to the data subject to cover the full costs incurred by him in this matter. They stated that they had been misled by the agent who had indicated that the matter had been resolved with the data subject's solicitor. They indicated that, as a result, they had dispensed with the services of the agent with immediate effect. The data subject expressed his satisfaction with the outcome and thanked my Office for helping to bring this matter, which had caused him great distress, to a satisfactory conclusion. This case highlights the distress and inconvenience that can be caused to an innocent individual as a result of the processing of inaccurate personal data. The serving of a summons is a significant action and it can be a matter of great anxiety for an individual to receive a summons, even when that individual is not the legitimate subject of the summons. Greater care should have been taken by all involved in the process of serving this summons.
10 21/2008 Case study 21: Access is wrongly denied in respect of an accident report I received a complaint from a data subject who had been involved in an accident at work. The data subject had made an access request, under section 4 of the Data Protection Acts, to their employer for a copy of all information held about them, including the accident report form. The employer had not responded to the request within the forty day timeframe specified in section 4 of the Acts. My Office contacted the data controller to enforce compliance with the terms of the access request. The data controller stated that they had passed the request on to their insurance company who were dealing with legal proceedings arising from the accident. My Office pointed out that the obligation to comply with an access request was on the data controller and not on the insurance company. My Office informed the data controller that we were investigating its failure to respond to an access request. The data controller then provided certain documents containing personal data to the data subject. However, it failed to provide a copy of the accident report form. My Office contacted the data controller again to request that the outstanding documents be furnished to the data subject. The data controller responded by claiming a restriction on the right of access under section 5(1)(g) of the Acts based on an assertion that the documents were exempt from disclosure due to legal privilege. This provision restricts the right of access with regard to personal data in respect of which a claim of privilege could be maintained in proceedings in a court in relation to communications between a client and his professional legal advisers or between those advisers. My Office rejected this claim because in this case the accident report was prepared on foot of the legal requirement for an accident report to be created if a workplace injury results in at least three days absence from work. This is set out in Regulation 59 of Statutory Instrument No. 44 of My Office also rejected claims by the data controller that, as the accident report form was created with the assistance of their legal adviser, it could be withheld on the basis of legal privilege. As a result, the data controller provided a copy of the accident report form to the data subject. While the Data Protection Acts provide for limited, narrow restrictions to the right of access by a data subject to their personal data, this case highlights the fact that my Office will rigorously examine complaints of this nature to establish whether the restriction asserted by a data controller can be legitimately relied upon.