Subject Access Requests
When the personal data (in respect of a third party) is being held by you, as a data controller, you are required to consider if it comes under Legal Professional Privilege (LPP), if so, it is exempt from being disclosed via a subject access request. Your client may waive their right to the professional privilege.
Paragraph 10 of Schedule 7 of the Data Protection Act (DPA) states; “Personal data is exempt from the subject information provisions if the data consist of information in respect of which a claim to legal professional privilege…could be maintained in legal proceedings.”
If the information does not fall under LPP and falls within the DPA and is the type of information requested by the third party, which you would usually be expected to disclose, you should do so. You would not have to do so if it falls under one of the other exemptions in the Act. If in doubt you should seek assistance from the Information Commissioner’s Officer on 0303 123 1113 or seek independent legal advice.