Article by Edward Sawyer, 2nd February 2024
Introduction
- The UK’s data protection legislation has been in the news recently with the introduction last autumn of a US-UK data bridge facilitating the transfer of personal data from the UK to the USA. So it seems timely to look again at the impact of UK data protection law on trusts.
- This article considers the extent to which, in the context of private family trusts, the UK General Data Protection Regulation (“GDPR”) has made inroads into the right of trustees to keep aspects of trust administration confidential from the beneficiaries.
The traditional approach
- Starting with the traditional approach of English trust law:
- In relation to private family trusts, the traditional approach of English trust law is that trust administration is an “inherently confidential” process and that the trustees are entitled to withhold from the beneficiaries the reasons for their discretionary dispositive decisions: see Re Londonderry’s Settlement [1965] Ch 918, affirmed in more recent times by Breakspear v Ackland [2009] Ch 32.
- The rationale for this approach is that it is in the interests of beneficiaries of family discretionary trusts for the exercise of the trustees’ dispositive powers to be a confidential process. It is said that this enables the trustees to enquire discreetly into potentially sensitive personal details about the beneficiaries (e.g. financial circumstances, health, family situation etc.) and to take such information into account, without causing family strife or offence, and it shields the trust from unnecessary controversy (see e.g. Breakspear at [54]).
- This coheres with the principle, confirmed in Schmidt v Rosewood Trust [2003] 2 AC 709, that beneficiaries do not have an absolute right against the trustees to information and disclosure about the trust. Rather, questions as to the provision of information and disclosure are resolved under the court’s inherent jurisdiction to supervise and if necessary intervene in the administration of the trust. The trustees, and ultimately the court, have a discretion as to whether to provide information/documents, to be exercised in the interests of the sound administration of the trust and the best interests of the beneficiaries.
- The question addressed in this article is whether the traditional approach has survived the UK’s data protection legislation, in particular in its most recent form: the UK GDPR. Data protection and its relationship with trusts is of course an extensive subject. This article simply introduces some key issues and is by no means an exhaustive treatment.
- In one sense, the whole thrust of the data protection regime is at odds with the “inherently confidential” process of trust administration described in cases like Londonderry and Breakspear. As we will see, the data protection legislation requires personal data to be processed in a “transparent” manner in relation to the data subject, yet the essence of the Londonderry principle is that trustee decision-making need not be transparent to the beneficiaries. Does this mean, therefore, that the UK’s data protection rules have fundamentally altered the confidential nature of trustee decision-making?
Current UK data protection legislation – overview
- Before considering this question, some basic data protection concepts need to be explained. Post-Brexit, the main piece of UK data protection legislation is the “UK GDPR”, which is the version of the EU’s General Data Protection Regulation retained by the UK.[1] The UK GDPR is supplemented by the Data Protection Act 2018. The regime is regulated by the Information Commissioner and his Office (the “ICO”). As defined in the UK GDPR:[2]
- “Personal data” is any information relating to an identified or identifiable natural person (the “data subject”).
- The “processing” of personal data means any operation performed on personal data, i.e. any forms of use including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination, erasure or destruction. The legislation protects data which are processed by automated means (i.e. electronically) or in a “filing system”.[3]
- The data “controller” means the natural or legal person/body who determines the purposes and means of the processing of personal data.
- A data “processor” is a natural or legal person/body who processes data on behalf of the controller.
- Broadly speaking, the UK GDPR applies to data processors and controllers with an “establishment” in the UK, whether or not the processing takes place in the UK (UK GDPR art 3(1) – there are also limited extensions in art 3 applying the UK GDPR to processors and controllers established outside the UK).
- Art 5 of the UK GDPR sets out the “principles” relating to the processing of personal data. These require, among other things, that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- processed in a manner that ensures appropriate security of the personal data.
- It will almost certainly be the case that the UK trustees of a trust will be data controllers (at least where they act in a professional capacity[4]). Professionals acting on their behalf may also be joint data controllers with the trustees or data processors on their behalf. Most of the obligations under the UK GDPR fall on the data controller.
- It can readily be seen that where a UK-based trustee of a trust makes discretionary dispositive decisions about the beneficiaries, the trustee will in many cases be a data controller processing personal data about data subjects. The UK GDPR “principles” set out above will be engaged. Most of the principles are broadly in line with what domestic trust law would already require of trustees (e.g. that the trustees maintain information about the beneficiaries that is accurate and kept securely etc.), but the first principle – lawfulness and transparency of data processing – may differ from what trust law has historically required.
Requirements for processing
- The requirement that processing be lawful means that one of the six conditions in art 6(1) of the UK GDPR must be satisfied. In the trusts context, the most relevant of these conditions are likely to be:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person [“vital interests” is narrowly construed – the ICO takes the view that it means interests that are essential to someone’s life, generally only applying to matters of life and death[5]];
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
- The first of these grounds, consent, may be problematic for trustees to rely on, as their information about the beneficiaries may derive from sources other than the beneficiaries themselves, e.g. the settlor, and so have been obtained without the data subject’s consent. And if beneficiaries give consent to the processing of their personal data, they have the right to withdraw it (UK GDPR art 7(3)). It may also be impossible to obtain consent in the case of children and unborn beneficiaries. As noted above, the “vital interests” ground is narrowly construed, so trustees may have limited scope to rely on it. The ambit of the “legitimate interests” ground is potentially vague and is also liable to be overridden by the rights of the data subject, so is again not necessarily safe for the trustees to rely on.
- That leaves the “necessary for compliance with a legal obligation” ground as the most likely one for trustees to rely on. The trustees can say that their obligations to administer the trusts and inform themselves of relevant considerations justify the processing of personal data in relation to the beneficiaries.
Special category data
- But that is not the end of the story, because the types of personal data likely to be processed by the trustees may include “special category” data within art 9(1) of the UK GDPR. This is personal data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and … genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.” The trustees may well need to consider information about a beneficiary touching on some of these matters, in particular health.
- The processing of special category data is prohibited unless one of the conditions in art 9(2) of the UK GDPR is satisfied.[6] Most relevantly for trustees, the conditions include:
- the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
- The problems with relying on the “consent” and “vital interests” exceptions have already been mentioned above. That leaves the “establishment, exercise or defence of legal claims” as the most likely contender for justification. On the face of things, this does not sound like a particularly close fit with trustees exercising a dispositive discretion to distribute a trust fund. However, the ICO’s guidance suggests that the exception covers processing special category personal data for establishing or exercising legal rights in any way, and the guidance offers the example of a trust and estate practitioner advising a client on setting up a trust for a disabled family member.[7] This would suggest that on a (very) broad reading of the “establishment, exercise or defence of legal claims” exception, the ICO would regard a trustee using special category personal data in order to create entitlements under a trust (e.g. by exercising a dispositive discretion in favour of a beneficiary) as permissible. STEP has issued Professional Standards Guidance dated 24 January 2020 suggesting that practitioners can rely on this exception. It would be prudent to obtain the data subject’s explicit consent too where possible.
Privacy notices and subject access requests
- Another set of difficulties posed by the data protection legislation is that data subjects are to be issued with privacy notices when data is collected from the data subject or otherwise obtained about them (arts 13 and 14 of the UK GDPR[8]) and they are entitled to access data held about them (art 15 – known as a “subject access request”). They have a range of other rights such as (depending on qualifying circumstances) rights to rectification, erasure or to restrict processing.
- The width of arts 13-15 is limited by Part 4 of Schedule 2 to the Data Protection Act 2018, which provides exemptions for information which is the subject of legal professional privilege or a duty of confidentiality owed by a professional legal adviser to his client (para 19 of Schedule 2). However, where the data controller is the trustee and the confidential information is non-privileged as against the beneficiary, the exemptions will be of little assistance.
- Thus on the face of the legislation, art 15 of the UK GDPR seems to represent a significant erosion of the Londonderry non-disclosure principle, as a data subject (the beneficiary) could make an application requiring the data controller (the trustee) to give him access to the personal data being processed, together with (among other things) confirmation of the purpose of the processing, the source of the information and a copy of the personal data undergoing processing (art 15(1) and (3)). The prior version of this legislation has already been used by trust beneficiaries in an attempt to gain access to information about them held by offshore trustees’ UK solicitors (see Dawson-Damer v Taylor Wessing [2017] 1 WLR 3255, CA, and its sequel at [2020] Ch 746, CA). Although the purpose of the legislation is to enable the data subject to check that his personal data is being processed lawfully,[9] it is no objection to a subject access request that the data subject also has the purpose of bringing other litigation: see the first Dawson-Damer CA judgment at [105]-[113].
- However, there are limits to what a subject access request can achieve. The UK GDPR contains a new provision, not present in the earlier version of the legislation considered in Dawson-Damer, to the effect that a data subject’s right in art 15(3) to obtain a copy of his personal data “shall not adversely affect the rights and freedoms of others” (art 15(4) of the UK GDPR). According to the Hansard debates on the Data Protection Bill, the Government took the view that this means that information subject to the Londonderry non-disclosure principle cannot be obtained via a subject access request (the Government having rejected an amendment which would have expressly made this clear). The rationale was that compelling production of information falling within the Londonderry principle would adversely affect the right of the trustees to preserve the confidentiality of the reasons for their dispositive decisions. Thus it can be argued that art 15(4) prevents a data subject applying for a copy of the personal data in question. The STEP guidance mentioned above takes this view. However, the point remains to be tested in court, and even if the argument is a good one, it only stops the data subject applying for a copy of the personal data; his other rights to be informed of the processing (art 15(1) and (2)) remain unaffected.
- Subject access requests are also subject to the exceptions in Schedule 2 para 19 of the Data Protection Act 2018, mentioned above, i.e. protecting information which is the subject of (a) legal professional privilege or (b) a duty of confidentiality owed by a professional legal adviser to his client. The two Dawson-Damer decisions considerably limit the scope of exception (a), holding that it refers to information subject to legal professional privilege as a matter of English law and that as the trustees’ legal advice is generally subject to joint privilege with the beneficiary, the trustees cannot invoke the privilege as against the beneficiary (see further below). The decision of the New Zealand Supreme Court in Lambie Trustee v Addleman [2021] NZSC 54 also emphasises the limited scope for a trustee successfully to assert privilege against a beneficiary as the “joint interest” exception to privilege will often apply. Exception (b) may limit the effect of the Dawson-Damer decisions so far as they concern subject access requests against UK lawyers of non-UK trustees, but it probably provides little assistance to UK trustees directly faced with a subject access request.
Conclusion
- Thus, at least for UK trustees, the data protection regime does erode to a material extent their power to withhold information from a beneficiary so far as that information contains the beneficiary’s personal data. However, there is a credible argument based on art 15(4) of the UK GDPR that a beneficiary cannot make a subject access request for a copy of the personal data itself insofar as it would fall within the Londonderry non-disclosure principle. Further, nothing in the data protection regime requires trustees to disclose the reasons for their dispositive decisions to the extent that the decisions do not refer to personal data.
The views expressed in this material are those of the individual author(s) and do not necessarily reflect the views of Wilberforce Chambers or its members. This material is provided free of charge by Wilberforce Chambers for general information only and is not intended to provide legal advice. No responsibility for any consequences of relying on this as legal advice is assumed by the author or the publisher; if you are not a solicitor, you are strongly advised to obtain specific advice from a lawyer. The contents of this material must not be reproduced without the consent of the author.
[1] The GDPR was introduced by the EU on 25 May 2018 pursuant to EU Regulation 2016/679. In very brief summary, pursuant to s 3 of the European Union (Withdrawal) Act 2018, EU Regulations were retained as in force prior to Brexit. Regs 2 and 3 of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations, 2019/419, modify the retained GDPR to create the “UK GDPR”.
[2] Art 4 of the UK GDPR.
[3] Art 2(5) of the UK GDPR. In Dawson-Damer v Taylor Wessing [2020] Ch 746, CA, solicitors’ paper files were held not to be such a filing system under the predecessor legislation. This is fact-sensitive and will depend on precisely how the files are organised and how accessible data about an individual is.
[4] There is an exception in the legislation for individuals acting in a purely personal or household capacity (UK GDPR art 2(2)), which might arguably exclude lay persons acting as trustees of private trusts.
[5] See ICO guidance “What are the conditions for processing?”, section (c). See also recital (46) to the UK GDPR.
[6] See also the further provisions in ss 10-11 and Sch 1 of the Data Protection Act 2018.
[7] See ICO guidance “What are the conditions for processing?”, section (f).
[8] Though the STEP guidance referred to above suggests that the exceptions in art 14(5) may help avoid the need to provide a privacy notice in the case of personal data obtained otherwise than from the data subject. In particular, art 14(5)(c) provides an exemption from the art 14 privacy notice requirement where “obtaining or disclosure is expressly laid down by a provision of domestic law which provides appropriate measures to protect the data subject’s legitimate interests”. It can be argued that domestic trust law already adequately caters for when a beneficiary may have access to information (Schmidt v Rosewood Trust) so that the further requirements in art 14 do not apply.
[9] UK GDPR recital (63).