Client confidentiality, legal privilege and limited exemptions
The forthcoming UK Data Protection Act contains provisions which mean that, in some circumstances, solicitors are exempt from certain duties of the GDPR when dealing with personal data that is subject to client confidentiality/contained within communications that are legally privileged.
The provisions limit:
- The requirement to provide fair processing information; and
- The information that is required to be disclosed in response to a subject access request
These exemptions exist to ensure that the obligations under the GDPR do not prejudice the confidentiality of the work that law firms are carrying out for their clients. They do not apply to all the processing of personal data that is carried out by the firm.
Client confidentiality/legal professional privilege in Scotland
It can sometimes be challenging to identify what information client confidentiality attaches to. It will not apply to all your client matters and it will not apply to all the information contained in your client files. You should consider this matter carefully.
Legal professional privilege can be claimed by a client to avoid disclosure of documents. Broadly speaking, there are two main categories of documents to which privilege can attach:
- Confidential communications between a client and solicitor, where the client seeks, and the solicitor gives, legal advice (legal advice privilege).
- Confidential communications between a client and solicitor in contemplation of litigation (legal litigation privilege). This extends beyond communications solely between solicitors and clients to cover communications with third parties (eg experts and witnesses), but only applies where the overarching, dominant purpose of the communication is for use in actual, pending or reasonably contemplated litigation.
The exemption
Our interpretation of the exemption is that, where personal data is being processed by solicitors and it is personal data to which a claim of legal privilege attaches, then the exemption should be taken into account. The exemption means that in certain circumstances:
- There is no requirement to provide fair processing information to other individuals involved in the matter; and
- Information does not require to be disclosed in response to a subject access request involving the personal data of your client
In each case, you should consider whether the provision of such information would prejudice your advice or your client’s interests.
In practice, you will need to provide fair processing information to your client. However, if your client provides information about their spouse while giving instructions to you in relation to a divorce, you would not need to send fair processing information to the spouse. The same would apply to the beneficiaries of, or executors appointed under, a will prior to the death of the deceased.
However, in another example, if a client was getting financial assistance from his/her parents to buy a property, you should provide the parents with fair processing information about what will happen to their personal data.
GDPR guide for law firms
Data protection regulations from the perspective of a legal practice