The ins and outs of disclosure

The ins and outs of disclosure

Jonathan Barnes runs the rule over CPR disclosure and the right of access to personal information under the Data Protection Act 1998

Standard disclosure and inspection of documents under the Civil Procedure Rules (CPR) is usually the first opportunity for a party to litigation to see what documents other parties hold that are material to a particular dispute.

Each party will inspect and take copies of documents listed by the others, subject only to inspection being denied where a party no longer has a document, on grounds of legal professional privilege or for some other good reason.

'Document' is defined broadly, and may include computer files and records.

By seeing the other parties' documents, a litigant is likely to become far better informed about the merits of a claim.

The CPR recognise additionally, under part 31 and by certain of the pre-action protocols, that in defined circumstances pre-action or early disclosure of documents can be beneficial in saving costs and disposing quickly and fairly of a dispute.

However, CPR disclosure is not the only route by which a litigant or prospective litigant can obtain potentially the bulk of another party's documents concerning an issue.

And there is no reason why an individual (say, a prospective claimant) need even have legal proceedings on foot before finding out what information another party holds.

That is because a data access request under section 7 of the Data Protection Act 1998 (DPA) entitles a natural person to be told by any individual or organisation that holds any personal information about him, on computer or by a structured manual filing system: whether that data controller is processing such personal information; if so, the nature of the personal information concerned, the purpose of the processing and the identity of any onward recipient of such information; and what the personal information is and what was its source.

This right of access to personal data is a statutory privacy right.

It is cheap and simple to make a request.

The current prescribed maximum fee is 10, a request must be in writing, and the data controller is entitled to require sufficient information from the applicant to confirm his identity.

The request is made of a data controller, that is, any natural or legal person who determines the purposes for which and the manner in which any personal information about the applicant is processed.

The data controller must comply with a request promptly, and in any event within 40 days, or explain why he or it is not prepared to do so.

A request will extend beyond computer records, to any paper filing system that is sufficiently structured that specific information relating to the applicant is readily accessible.

That might include office diaries, rollerdex indices, personnel and appraisal files and so on.

The reluctant data controller may argue that a particular manual filing system is not structured, and so not susceptible to a request.

However, in practice any individual or organisation that keeps records may baulk at pursuing this rather double-edged point.

There are several narrowly defined exemptions to the DPA - for example, to protect the interests of national security, commercially sensitive financial information, and confidential references given by the data controller.

Most important, and in common with the CPR right to inspection, material that is protected by legal professional privilege is exempted from disclosure under the DPA.

However, if a specific exemption does not apply, then the data controller has few general fallback defences.

The DPA protects a data controller from a series of requests at unreasonably close intervals.

A data controller may also argue that to supply the information requested would be impossible or would involve disproportionate effort.

However, a court - the High Court and the county courts both have jurisdiction for a disputed data access request - is unlikely readily to come to the aid of a data controller that claims disproportionality.

That is because the DPA, and its privacy principle, gives individuals a basic right to see what information is held about them, which right is not dependent in principle on any form of cost benefit analysis.

Here, the approach of the DPA can be contrasted with CPR disclosure, the latter which regularly involves parties and the courts in balancing exercises of cost, necessity and propor-tionality.

A data controller will have to be careful in complying with any request that might result in the incidental disclosure of information concerning a source of information or some other third party, if such individual does not consent or it is not otherwise reasonable for the data controller to comply without such consent.

CPR disclosure and the DPA are entirely separate regimes, although they have in common that they regulate circumstances in which information of and concerning an individual can be obtained from another party.

The provisions of CPR part 31 and the DPA do not cross-refer.

In the case of CPR disclosure, civil litigation must at least be contemplated and the scope of information that can be obtained is limited to whether or not it is contained in documents that are material or relevant to a particular legal dispute.

The DPA does not require there to be any dispute between the applicant and data controller, an access request can be made at any time whether or not in the context of legal proceedings and there are no 'materiality' or 'relevance' criteria.

Whereas the courts solve CPR disclosure disputes by limiting orders to what is necessary and proportionate, the courts exercising a discretion as to whether to make an order for disclosure under the DPA can only decline to do so safely where the data access request amounts to something approaching an obvious abuse.

There is no suggestion so far that litigants have routinely rushed to the DPA to obtain blanket pre-action disclosure, or otherwise sidestep the spirit of CPR disclosure.

That approach would be unfortunate, disruptive and wasteful in many cases.

However, those advising parties to litigation should remember the increased access rights that citizens now enjoy to information held about them.

The targeted exercise of those rights, to obtain the disclosure of important personal documents and information at an early stage in a dispute, can lead to better focus and decision making at the outset.

That must be better than waiting for CPR disclosure to be triggered by the litigation process.

Used properly, section 7 of the DPA can complement the aims of CPR and their disclosure provisions - early exchange of information leading to the quick, efficient and fair disposal of disputes.

Jonathan Barnes is a barrister at media, entertainment and commercial law specialist at chambers 5 Raymond Buildings.

He is a contributing author (on data protection) to The Law Of Privacy And The Media, (OUP, 2002)