25 May 2018 came and went but the reform of data protection law is a journey and the GDPR is about embedding data privacy and protection into our everyday practices.
There is still new guidance coming from the Information Commissioner’s Office (ICO) giving us a bit more detail about what is expected. Hopefully that will be assisted by the introduction of the Data Protection Act 2018 which until 23 May 2018 was still a Bill and therefore still in draft form. The new Act (all 399 pages of it) provides the UK law in relation to the 50 or so areas where Members States could derogate from the terms of the GDPR.
The GDPR provides that Member States can restrict the obligations on data controllers and this led to the UK Government providing a restricted application of the transparency principle and the obligation to comply with subject access requests, which I described in my GDPR Guide for the Law Society of Scotland published in May 2018.
Since that guide was written, and in the final weeks of Bill negotiations, this restriction has changed and broadened the definition of ‘legal professional privilege’ in a way that will assist solicitors.
Originally the definition referred to personal data which consisted of ‘information to which a claim of legal professional privilege, confidentiality of communications, could be maintained in legal proceedings’.
This was extended to include personal data that consists of ‘information of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser’.
So the definition is now broader than it was in the Data Protection Act 1998 and, in my view, this will greatly assist solicitors when dealing with subject access request made by third parties who are not their clients.