Litigation solicitors often request and disclose too much information about clients when representing them in court cases. The imminent data protection reforms in the GDPR are bringing data protection issues into focus on a daily basis, not least the routine things many businesses and professionals do and have always done which might not be acceptable under the GDPR or even existing data protection law.
Respecting privacy, and the GDPR, requires that we all consider and reconsider what personal data should be collected and what can or should be done with it. Solicitors owe a duty to their own clients, for example, not to unnecessarily disclose personal data.
What is the issue
This often arises when dealing with requests for information or documentation from “the other side” in a case. If you sue someone there is certain information you must provide the other side with, and some information they are entitled to ask for. I’m going to use the example of personal injury cases, as they are the most relevant in this context.
In those cases the injured party (the plaintiff) has to give certain basic information like their name, address, PPSN, details of special damages and negligence alleged. The person being sued (the defendant) can ask the plaintiff for some additional information such as about previous personal injuries, claims and treatments where relevant and, if asked, the plaintiff must answer. These questions are put in what is called a “notice for particulars”, a document sent by the solicitor for the (usually) insurance company defending the claim. If the plaintiff refuses to answer the notice with “replies to particulars”, the defendant can ask for a court order compelling the plaintiff to answer.
That does not, however, mean that all questions must be replied to. The purpose to particulars is so that the defendant knows what case they have to meet at trial and to prevent them being surprised with unexpected allegations. It is not a means of a defendant getting advance details of the evidence that will be presented at trial, nor is it an opportunity for a fishing expedition for information about the plaintiff. It is, however, often treated as just that and defendants often ask all sorts of questions about the plaintiff’s family and domestic circumstances, personal and employment history and medical affairs whether or not they have a bearing on the case.
The (non-data protection) law on particulars
Mr Justice Hogan delivered a significant judgment (Armstrong v. Moffatt) on replying to notices for particulars in 2013. The judgment provides a good run-through of the law on particulars but Hogan J was notably critical of the practices which had developed in recent years of defendants seeking a huge range of information, and of plaintiff solicitors going along with these requests.
Not least in personal injury cases, the particulars sought in many cases had reached something of an art form. Quite often no possible detail or dimension of a [claim] remained unexplored at the hands of pleaders who at times seemed to revel in this glorious new art form. It was by no means uncommon to find notices for particulars stretching to twenty or more paragraphs, often replete with individual sub-paragraphs. Most litigants (or, perhaps more accurately, their solicitors and junior counsel) simply yielded dutifully to these requests, as it was often more convenient and expedient to do so rather than to take a stand on principle. In retrospect, the courts should, perhaps, have been more prepared to strike out many of the pre-rehearsed requests as oppressive and, in some cases, as constituting quite simply an abuse of process … [M]any of the requests in this and similar cases are either irrelevant or not permissible in law as particulars are nonetheless steadfastly advanced shows that many pleaders have simply gone astray in their enthusiasm to interrogate every possible detail of their opponent’s claim.
While the judgment did not mention and was not based on data protection law it was, in effect, a call to action addressed to solicitors on both sides: stop requesting so much information in notices for particulars, and stop acquiescing to excessive requests.
Unfortunately, it has not been heeded. The practice certainly varies from solicitor to solicitor but some insurance defence solicitors continue to issue lengthy notices for particulars, often with very surprising questions about the plaintiff’s personal life and family circumstances that do not appear to have any bearing on the case. Moreover, judges have not always accepted arguments against providing replies to particulars on the basis of Hogan J’s judgment.
A similar issue arises in the context of voluntary discovery, which involves the handing over of full records rather than just replying to questions. I would hope that solicitors are generally more restrictive when it comes to discovery, but solicitor Dervila McGirr quite rightly criticises the reliance on discovery “on the usual terms”, particularly in relation to extensive requests for highly sensitive medical records, and the impact on client privacy. There should be little if any basis for operating “on the usual terms”. Each request for information or documentation should be considered on its own terms.
It is important to note that in these situations, a solicitor acts as the “agent” of her/his client. I won’t digress into the field of agency law but a solicitor acting as agent of the client has a certain amount of latitude to do things on behalf of a client with their authority (whether explicit or implied). Delivering replies to particulars is one of those things, but how far does a solicitor’s authority go? Surely not to hand over personal data wholesale. However, in personal injuries cases at least, the client must swear an affidavit of verification confirming the accuracy of the information in the replies to particulars so the client necessarily has to have reviewed what is in the document. You could, therefore, argue an express authority to hand over the information (after all, the client confirmed the contents), but does it end there?
Which is where data protection comes in
Quite simply, if a defendant is not entitled to certain information in the course of obtaining further and better particulars, what right does a plaintiff’s solicitor have to provide the information? The obligations of the Data Protection Acts (and the GDPR/Data Protection Bill) mean that a solicitor should consider whether the defendant is entitled to the particulars sought. If not, the information (which will often be sensitive personal data) should not be disclosed to the defendant.
A client may have reviewed the contents of replies to particulars and confirmed them in an affidavit of verification, but have they consented to the release of the personal data or expressly authorised it? Consent is notoriously problematic in data protection, and for sensitive personal data (which many replies to particulars in personal injuries cases are) it must be explicitly given. If a solicitor puts draft replies to particulars in front of a client, asks that they be checked for accuracy and that an affidavit of verification be sworn, at what point was the client given a clear explanation of the processing involved (the disclosure to the other side)? The key explanation should involve advice as to whether or not the client is required to disclose the particulars. And this is, I suspect, where many would fall into difficulty.
What is the consequence?
This issue does not appear to have been the subject of a judicial decision or complaint to the Data Protection Commissioner (yet), but this is true of many persistent issues in data protection.
A possible explanation is the lack of serious consequence to date. There has, possibly, been too much deference to exemptions and exceptions in the Data Protection Acts relating to litigation and connected services. And while the Acts (section 7), impose a duty of care to data subjects under the law of torts, the utility of that provision was almost entirely hollowed out by a High Court decision in 2013 (Collins v. FBD). Section 7 was never satisfactory and the Collins decision made it worse, requiring that a plaintiff had to show specific loss in order to claim damages – i.e. the fact that the duty of care owed to them was breached in some way alone was not enough to obtain compensation. Eoin O’Dell’s excellent paper on compensation for GDPR breaches expertly outlines the issues with Collins, forcefully concluding:
the decision … in Collins is quite simply wrong – as a matter of principle, as a matter of national law, and as a matter of European law
In addition, judges sometimes order that replies to particulars be given which should not be ordered – many plaintiff personal injuries solicitors will probably have had this experience in the past. While, under the Acts, this may cure data protection issues for the plaintiff’s solicitor (because there is now a legal obligation to disclose the personal data) the GDPR, again, changes the landscape.
Which is where the GDPR comes in
Mr Justice Frank Clarke (Chief Justice) has recently commented in a number of forums about the challenges the GDPR raises for the judiciary and the need for privacy training among judges. Future disputes about particulars and discovery are likely to involve increased reliance on data protection concerns and the GDPR when before the courts. All of this should mean a more restrictive disclosure regime than has often existed in Ireland, despite the decision in Armstrong v. Moffatt on particulars and the changes in relation to discovery outlined by McGirr.
In the context of voluntary particulars and discovery, while O’Dell points out that the decision in Collins would not survive further challenge, it will be made redundant by the GDPR which requires that someone whose rights under the Regulation have been infringed must be entitled to seek compensation for both material and non-material rights (section 112 of the Data Protection Bill 2018 purports to implement this).
It is difficult to see how a solicitor is fairly processing personal data by unnecessarily disclosing it in these circumstances. This has been the case for many years, but a key change with the GDPR is that breach of data protection rights will no longer be mere technical, regulatory breaches but actionable ones that could give rise to compensation.
And, legal provisions aside, there is a very obvious and natural objection that someone might have to sending out all manner of personal information (including information about other family members or cohabitees) to third parties where it is not necessary to do so. Defence solicitors need to be robustly challenged on notices for particulars, or plaintiff solicitors may find themselves struggling to justify the unnecessary disclosure of their client’s personal data to insurance companies.