GDPR breach exemption -v- ethical obligations
‘ello, ‘ello, ‘ello. Just give us your client’s address – it’s GDPR exempt!
I recently heard from one of my clients who sent me a request he’d received from Police Scotland. It was to provide an address for one of his clients. Interestingly, they pointed out the disclosure was exempt from the GDPR.
The word “OFFICIAL” – BOLD, UPPERCASE and in RED! – was at the top of the email. The email went on to say: “Please can the attached enquiry be progressed and any information you have forwarded to PC….”. The “Response Inspector” sent the email. It seems to me that if there is an official position of “Response Inspector” there must be a lot of these requests being made!
The email contained an official Police Scotland Form as an attachment. The title of the form was “Request for Disclosure of Personal Data from External Organisations”. The form contained a paragraph confirming that the GDPR would not apply when the data was disclosed to Police Scotland. They cited the exemption contained in Schedule 2, Part 1 (2) of the Data Protection Act 2018.
The form narrated the reason why the police were seeking the information. It said that a motor vehicle registered to the client had been involved in a road traffic accident. They said they needed to locate the owner of the vehicle to establish who the driver was on the date of the incident. They had gone along to the address they had for the client and discovered the property was empty and that my client was the estate agent dealing with the sale of the property. The police reckoned that since my client was the estate agent, they could ask for the information they needed.
What about professional obligations?
Police Scotland completely ignored the fact that the estate agency was a solicitor estate agency. Solicitors are bound by a code of ethics and Police Scotland clearly didn’t understand that. A duty of confidentiality owed to the client is one of the key elements of this code of ethics. Police Scotland can’t defeat this duty through a simple request for information. Whilst the extent of the duty of confidentiality has been eroded over the years – it hasn’t been eroded to this extent. It doesn’t matter that the disclosure wouldn’t fall foul of the Data Protection Act and the GDPR!
My client quite rightly refused to supply the information, citing client confidentiality. My client contacted the Law Society of Scotland. The emailed response confirmed they’d made the right decision. The Law Society of Scotland said: “Having reviewed this for you we are of the opinion that this request would not be sufficient for you to breach your client’s confidentiality by providing this information. GDPR does not overcome client confidentiality however if Police Scotland wished to provide you with a Production Order or a Warrant then you would be able to assist with this.”
Remember your professional obligations
If you receive a request from Police Scotland to provide client information, please remember your professional obligations. If you provide the information, you’re likely to fall foul of the professional practice rules. It doesn’t matter that you would be exempt from any breach of the GDPR. Your duty of client confidentiality takes precedence over any exemption from your GDPR obligations in these circumstances.
Author: Brian O’Neill