Have Data Protection laws changed trust law on disclosure?

The claimant, Mrs Dawson-Damer, along with her children (the “Claimants”), were beneficiaries of a number of Bahamian law governed trusts. The trustees of those trusts had previously made significant appointments to other beneficiaries. The Claimants sought to challenge the validity of the appointments through litigation in the Bahamas. Taylor Wessing LLP (“TW”) had acted as adviser to the trusts and as such, the Claimant’s considered, may have advised the trustees in respect of those distributions. It was highly likely that the trustees would have sought advice in respect of the Claimant’s interest under the trusts when making such appointments.

Under data protection laws, there is a fundamental right to access personal data held by organisations about you, which includes “…any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual” (section 1(1) of the UK Data Protection Act 1998 (“UK DPA”)) which is replicated under the Isle of Man Data Protection Act 2002 (“IOM DPA”).

The Claimants served a subject access request, under section 7(2) of the UK DPA, on TW, seeking personal data relating to themselves held by TW as solicitors for the Bahamian trustees of which they were or had been beneficiaries. Even though the trusts were governed by Bahamian law, and the litigation was taking place in the Bahamas, TW were based in the UK and were therefore subject to the UK DPA. The Claimants considered that TW had not complied with the requests, and so they applied for a declaration that TW had not complied with the requests and an order compelling TW to comply with them. An identical procedure is set out under section 5(2) of the IOM DPA which closely follows the UK DPA.

A subject access request (“SAR”) is simply a written request made by or on behalf of an individual for information which he or she is entitled to ask for under data protection legislation. The SAR obliges the individual holding the information, ‘the data controller’ to provide the individual with the personal information which is held by them and is caught by the SAR.

As a matter of trust law, the type of information being requested by the Claimants goes to the exercise of the trustees' discretion and would not be information that a discretionary beneficiary would ordinarily be entitled to receive, as well-established by the leading Manx case of Schmidt v Rosewood Trust Ltd (Isle of Man) [2003] UKPC 26.

There are various exemptions under the data protection legislation, which includes information that is subject to legal professional privilege (“LPP”). TW sought to rely on the LPP exemption on the basis that it should be interpreted so as to include documents of which a trustee could refuse to disclose under Bahamian trust law. This argument was rejected. The main principles deriving from the Court of Appeal decision are as follows:

1. English laws firms are not outside of the scope of the UK DPA and must therefore comply with a SAR requesting information which is not found to be exempt under LPP; and
2. The statutory entitlement to information created by the UK DPA overrides a beneficiary’s entitlement to information as a matter of trust law.

As Isle of Man data protection legislation and trust law follows the UK closely, an Isle of Man trustee and/or their legal advisers may find themselves the subject of an SAR from a disgruntled beneficiary. With no statutory exemption under Isle of Man trust law to narrow and restrict the widening scope of data protection there may be scope for a beneficiary to attempt to gain information by use of the IOM DPA. Given the limited local case law in this area, the Isle of Man Courts are likely to look to the decision of the Court of Appeal in the Dawson-Damer case for guidance.

Further reading: DPA, SARs and the GDPR: Why you should be paying attention to these acronyms.