A recent case in the Court of Appeal (Dawson-Damer v Taylor Wessing LLP) considered whether paper files held by a law firm constituted a ‘relevant filing system’ under data protection laws.
The judgement is significant because if paper files were deemed to be a ‘relevant filing system’, then manual (or paper) files would have to comply with complex compliance and regulatory procedures for data protection. Whilst the case concerns solicitors’ files, the principles considered in the judgement also apply to any data controllers that maintain paper files.
Under the Data Protection Act 1998 (which governed the case), a ‘relevant filing system’ includes any set of information held (i) not by electronic means and which is (ii) structured in such a way (regarding the individuals) that information relating to them is readily accessible.
Previous case law had established that the Act did not to apply to paper files unless they were of an equivalent structure or referencing mechanism (allowing similar ease of access and retrieval of data) to that of an electronic filing system. This was a pragmatic approach by the court, particularly as concerns were raised about the logistical implications for professional firms if paper files were to be caught by data protection laws.
In this case, which was decided following the introduction of the GDPR in 2018 but was still concerned with the Data Protection Act 1998, the Court of Appeal reviewed a relevant judgement of the Court of Justice of the European Union. The judgment provided further guidance for assessing whether manual (or paper) files were to be considered as a relevant filing system, and the practical considerations for whether data can be easily retrieved.
The Court of Appeal held that the European Court’s judgement was to be preferred to previous UK case law. However, rather than just considering whether data can be easily retrieved (in determining whether paper files constituted a relevant filing system) the Court of Appeal found that there are three principal considerations:
- The data in the file must be structured by reference to specific criteria;
- The criteria must be related to individuals; and,
- The specific criteria must allow the data to be easily retrieved.
The Court of Appeal found that the first two limbs of the test were satisfied in this case. In relation to the third, the Court of Appeal made reference to guidance provided by the Information Commissioner’s Office (‘the ICO’). The ICO had issued guidance by way of a hypothetical question (to determine if paper files would constitute a relevant filing system) known as the ‘temp test’. If a temporary assistant was able to extract specific information relating to an individual (from the paper files), with little or no knowledge of the area of law in which the documents were held, then the paper files should be considered as a relevant filing system.
It was on this third limb that the Court of Appeal found that the files held by Taylor Wessing were not a relevant filing system. The court stated that it required both a trainee solicitor and a senior associate solicitor to extract personal data from the files and therefore the structure of the files did not facilitate ready access to the personal data being held. The court noted that the files were not organised or structured in any form, save for the fact that they were compiled chronologically.
Whilst a decision based on the Data Protection Act 1998, the concept of a `filing system’ survives in the GDPR and, in our assessment, similar considerations are likely to apply. A `filing system’ under the GDPR is anything containing personal data which is structured and where the data can be accessed according to specific criteria.
In this case the judgement found the paper files held by Taylor Wessing to not be a relevant filing system. However, it serves as a reminder as to the need to carefully consider how clients’ personal data is held, the way storage is structured and whether it is readily accessible, to avoid inadvertently breaching or being bound by the most onerous provisions of the Data Protection Act.
For more information on this topic, please contact: