A court ordered the return of files accidentally disclosed to a litigating party after a data subject access request (DSAR) gave too much in reply, including information about unconnected persons. The court then ordered erasure of the copies held and prohibition of future use by the recipient.
The dispute and DSAR
The law firm acted for people involved in litigation with the subject access requester. The dispute concerned nuisance (noise) and interference with rights of way. The requester issued a claim against two named employees of the law firm, making allegations of harassment, breach of data protection rights, and misuse of private information, among other things. The firm denied those allegations and the requester then made a DSAR, pursuant to Article 15 GDPR and Schedule 2 to the Data Protection Act 2018. The DSAR sought surveillance recordings of his property, audio files regarding noises from his property, expert reports relating to the alleged nuisance, and other documents relevant to the defence of the nuisance dispute.
The law firm responded to the DSAR by email with a URL link for accessing the information, along with a user name and password, to download documents. However, the repository had more that it should. The requester found the files contained a significant volume of emails unrelated to him. This correspondence involved third parties and clients of the firm and was a significant breach of duties.
A dispute arose as to what should be done with the disclosed files. The law firm instructed another law firm to deal with the matter. The parties failed to reach an agreement on what to do with the files. Ultimately the law firm made an application for an injunction, seeking orders for delivery or destruction of the documents.
The disclosed documents – Lesson 1
The documents disclosed were wide-ranging and summarised in witness evidence. The range and disclosure of the entirety of documents suggests the law firm did not focus on the personal data and just assembled documents and provided them. We would have recommended focus on the personal data in a document – that is what a DSAR concerns.
The disclosed documents – Lesson 2
Most of the documents in the file were both confidential and protected by legal professional privilege. Many documents had no connection with the underlying dispute or requester. The evidence was that the documents were responsive to a search term of a common surname and resulted in documents dating back many years. This suggests to us that the search was not properly carried out and was simply automated without proper thought.
The court’s concerns
The judge found that it was clear and undisputed that the requester made use of some of the disclosed documents that were not related to him. It appeared they may also have sought to get news coverage of the content of the documents.
Legal framework
- Confidential information – The court noted a duty of confidence may arise in equity, citing Lord Goff in his judgment in AG v Guardian Newspapers 1 AC [1990] 1 AC 109 p281, namely “when confidential information comes to the knowledge of the person (the confidant) in circumstances where he has notice, or is held to have agreed, that the information is confidential, with the effect that it would be just in all the circumstances that he should be precluded from disclosing the information to others.”
- Privileged information – Solicitors are under a duty to keep their client’s affairs confidential. As Lord Millett put it in Prince Jefri Bolkiah v KPMG [1999] 2 WLR 215: “Whether founded in contract of in equity, the duty to preserve confidentiality is unqualified. It is a duty to keep the information confidential, not merely to take all reasonable steps to do so.” This is reflected in the Solicitors Regulation Authority guidance on the duty of confidentiality.
In this case, there was a real issue with a loss of privilege. A precondition for privilege is that the information in question is confidential, so privilege may be lost if it becomes public. Here, the requester had exhibited confidential and privileged documents to his witness statements in response to the application, so some of the documents would become public if the defendant was allowed to deploy them at the public hearing listed for 18 December 2025.
The court also considered how the inadvertent disclosure, retention, and use contravene the rights of a range of data subjects under Article 5(1) UK GDPR. The requester submitted that the disclosure was not a mistake, but arose from a lawful DSAR response. Further, the requester submitted there was no evidence of dissemination or intent to misuse.
Judgment
It was found that this was a case of ‘obvious mistake’ and that the requester knew this. The judge accepted that the vast majority of the documents were likely to be privileged.
The starting point, in the judge’s view, was that a court will intervene by injunction.
The judge considered it would be wrong and disproportionate to require examination of all of the 3,300 documents individually and to provide information about each of their contents. We would observe that where the initial search was done so poorly and without at least a sample checking of the results that presumably could have spotted the error, the approach should have had more criticism.
The judge was rightly concerned to do what he could to put the genie back in the bottle in regard to privileged documents. He recognised that privileged documents are a class apart. In this respect, the law has already struck the balance between privilege and truth in favour of privilege. The judge helpfully noted:
“The exceptionally strong public interest in members of the public being able to consult lawyers in confidence makes privileged documents an exception to the general rule that all relevant documents must be provided to the opposing party in litigation. This is why the courts have consistently held that it is no answer to a claim for delivery up of privileged documents that they might establish the truth as the receiving party sees it. The Defendant would never have been aware of the contents of any of these privileged documents were it not for the Claimant’s obvious mistake. To the greatest extent practically possible, the Claimant should be put back in the position it would have been in had this obvious mistake not occurred.”
Consequently, injunctive relief was granted. The requested had to deliver up all the 3,300 documents in his possession, had to delete any copies, and was injuncted against using the documents, or any information from the documents.
Takeaways
This was embarrassing for the law firm and potentially had serious consequences for data subjects. If you receive a DSAR, a reasonable and proportionate response does not mean ignoring the results of a search; you should check the search returns are appropriate and responsive. The law firm was lucky that the regulator did not get involved. This case highlights the risk of outsourcing your replies with insufficient oversight.
If you have questions or concerns about data subject access requests, please contact James Tumbridge.