I’m not a lawyer, yet alone a Scottish lawyer, but a recent judgment, on data protection matters, from Sheriff A Cubie in the Glasgow and Strathkelvin Sheriffdom has significance beyond Scotland (and, of course, data protection law – by which we mean the General Data Protection Regulation (GDPR), or from 1 January 2021, the UK GDPR, and the Data Protection Act 2018 (DPA) – apply across the UK).
The issue before the court was whether data protection obligations, which might in general militate against disclosure of personal data, override disclosure obligations in general court proceedings. The basic answer, and one that most data protection practitioners and lawyers understand, is that they don’t. Article 6(1)(c) of the GDPR makes clear that processing is lawful if it is necessary for compliance with a legal obligation to which a controller is subject. More specifically, paragraph 5 of Schedule Two to the DPA says that the bulk of the GDPR provisions conferring rights on data subjects and obligations on controllers simply “do not apply to personal data where disclosure of the data is required by an enactment, a rule of law or an order of a court or tribunal, to the extent that the application of those provisions would prevent the controller from making the disclosure.”
The Sheriff was faced with a situation [which sounds like a line from a Western] of possible contempt of court by an unnamed Scottish Council in social work referral proceedings concerning children. Upon receipt of an application (in Scottish law, a “motion for specification of documents”), which it had not opposed, the Council had disclosed social work records to solicitors for the mother in the proceedings, but subjected the records (apparently having received internal legal advice) to substantial redaction of personal data, of the sort which would have taken place if the records had been required to be disclosed under an Article 15 subject access request.
The Sheriff “invited” a senior Council officer and someone from its legal department to answer his enquiries as to how the redactions came to be made. At that hearing, it transpired that the disclosure exercise had been passed to the Council’s Data Protection Officer to deal with – that officer had sought advice from the Council’s legal department, which advised that the exercise should be treated as if it was redaction for the purposes of a subject access request. Before the court, the Council apologised unreservedly, and announced that it had begun an internal investigation into how it had happened.
Nothing earth-shattering, and this post is not to suggest that sometimes it might be necessary to redact personal data during litigation disclosure, but an interesting observation about the risks of confusing or conflating disclosure regimes.
And I end by noting that the Sheriff himself fell into error: he cites at several points, subject access provisions from part 3 of the DPA. Part 3 deals with law enforcement processing under Directive 2016/680, and has no relevance here. The subject access right emanates from, and is full described in, Article 15 GDPR.