Navigating trusts in a data-driven world: Data privacy and data subject access requests

• Trustees need to consider both trust and data protection principles in the context of the trusts they administer. 
  
  
• Trustees need to be mindful of data protection principles when creating documents, using email, and recording minutes.
  
  
• Trustees need to know how to respond to a data subject access request.

We explore what trustees need to be aware of when dealing with data and complying with their obligations under the Data Protection (Bailiwick of Guernsey) Law, 2017 and related legislation (the "DP Law").

The first article in the series (available here) covered the key terms and concepts to keep in mind when applying the DP Law in the context of trusts, including the definition of 'personal data'. 

This article sets out the steps a trustee needs to take in relation to the personal data it holds, and how a trustee can respond to data subject access requests.

Providing privacy notices

Data subjects have a range of rights over their personal data, these include the rights: 

1. to have access to the personal data held about them;
   
   
2. to have inaccuracies corrected;
   
   
3. to have information erased; and
   
   
4. to prevent direct marketing.

Trustees, as controllers, – (for more information about this term please refer to the first article in the series) have obligations to provide data subjects with certain information in relation to their personal data. In practice this is usually done by way of a privacy notice. However, there is often a tension between the inherent confidentiality of private trusts and the transparency which comes with data protection law. There are many situations in which providing beneficiaries (or related parties) with certain information about how their data is used might not be in the interests of a trust or might undermine the purpose of the trust.

The following examples highlight some of the difficult situations trustees might face:

1. A testator called Kim establishes a discretionary trust via her will. Her letter of wishes lists two of her more remote relatives, Scott and Richard, as beneficiaries. The letter asks the trustees to add Scott and Richard as beneficiaries in the event that none of the Kim’s immediate family survives her. To facilitate this, the letter is likely to include the names and addresses of Scott and Richard, which is their personal data. However, if at the time of Kim’s death she has living descendants, then Scott and Richard will effectively be irrelevant to the administration of Kim’s estate. Sending privacy notices to them will involve additional time and cost and may cause confusion by raising false hopes about their entitlement to the estate and/or lead to disputes within the family.
   
   
2. A trust is established for the settlors’ children including a minor child called Paris. Paris is not aware of the trust because the settlors do not want to disincentivise her from pursuing her studies or a career. If the trustees have to send Paris a privacy notice, the existence of the trust will be revealed, which could lead to further questions and ultimately have the disincentivising effect that was feared by her parents.

Fortunately, the DP Law offers some flexibility here, in that it offers a number of exceptions and exemptions to the exercise of data subject rights. In practice these may include not disclosing certain information to a data subject about how their data is used to the extent that doing so is likely to make it difficult to achieve the objectives behind the data processing, or if the personal data must remain confidential because of professional secrecy. 

Furthermore, notifying beneficiaries who are unlikely to ever benefit from the trust of how their data is used may involve disproportionate effort, which is another exemption the DP Law recognises.

Dealing with data subject access requests

Data subjects have the right to ask an organisation what personal data it holds about them, but how does this affect trustees?

Illustrative case study:

Taylor is the beneficiary of a trust with significant value. Taylor discovers that the trust is now worth substantially less and that a number of distributions have been made by the trustee to another of the beneficiaries. Taylor therefore wants to find out more information.

Under trust law, beneficiaries wouldn’t usually expect trustees to disclose copies of letters of wishes, minutes of meetings showing the trustees' deliberations or material on which deliberations have been based. The English court has said that the disclosure of such information is often likely to “cause infinite trouble”.¹

Instead, Taylor might decide to attempt to find out why the trustee made those distributions by making a Data Subject Access Request ("DSAR") under the DP Law.

On receiving a DSAR, the trustee (as controller) has to confirm to the data subject what personal data it holds in relation to them, subject to a small number of exemptions and/or exceptions provided by the DP Law. If the trustee fails to comply, the data subject may make a complaint to the Office of the Data Protection Authority who will decide whether to investigate.

In this example, the trustee will need to review the relevant filing system and identify every mention of Taylor. The trustee will then need to decide, in relation to each item of Taylor’s personal data, whether:

1. there are exemptions that would avoid the need to disclose the personal data to Taylor; and
   
   
2. if not, how that personal data should be provided to Taylor.

It is common practice to carefully prepare trustee minutes to demonstrate a proper decision-making process. However, as data protection law develops, trustees also need to be mindful of the fact that a beneficiary will potentially be able to access references to them in trustee minutes or emails, by making a DSAR. 

It is important to note however that a trustee only ever needs to provide the relevant personal data in response to a DSAR: they don’t need to provide the beneficiary with the whole document. For example, references to individuals contained in minutes can constitute those individuals’ personal data, but this does not mean the beneficiary can demand to see the entire minutes – they are likely only to be entitled to see the part that refers to them, or even just a list of the personal details the trustee holds.

Turning back to the case study and Taylor’s DSAR, the trustee might decide to provide her with copies of redacted versions of the minutes to preserve the confidential information of other family members.  However, there are a number of issues which arise with that approach:

1. Would data containing references to Taylor within the settlor's letter of wishes be provided or might disclosure be withheld on the basis of the duty of confidentiality owed by the trustee to the settlor? 
   
   
2. Would emails between Taylor’s mother and the trustee be exempt from disclosure on the basis of confidentiality, despite clearly containing Taylor’s personal data? 
   
   
3. Might a person be readily identifiable given the context, even with their name redacted?

A DSAR gives a beneficiary the right to obtain their personal data but not to find out about why the trustees have made particular distributions from the trust. Furthermore, the right of a data subject to obtain a copy of their personal data under a DSAR must not adversely affect “the rights and freedoms of others”. Therefore, in practice, trustees may wish to simply provide a list of the personal data that is held, or redacted sections of documents, rather than whole documents.

It is useful to note that under the DP Law trustees are not obliged to disclose trustee minutes or similar in response to a DSAR. The DP Law provides a specific exemption which permits personal data to be withheld if it can lawfully be withheld under the Guernsey trusts law. This exemption extends to disclosure of personal data prohibited or restricted under any rule of law, whether statutory or customary, of Guernsey. 

Trust principles relating to disclosure to beneficiaries

There was a recent case similar to the case study, in which the claimants were beneficiaries of trusts in the Bahamas. A number of substantial distributions amounting to over $400m were made by the trustees to one side of the family. The claimants sought disclosure of certain documents in relation to those distributions.

Under Bahamian law, Bahamian trustees facing hostile litigation can refuse to disclose any trust documents and the Bahamian court cannot order disclosure by a trustee. The claimants therefore made DSARs to the trustees' London advisers. The London advisers refused to comply with the DSARs and the claimants applied to the English court for enforcement of the disclosure requests. 
The Court of Appeal found that fairly extensive efforts to provide the disclosure would need to be made, and the fact that complying with a DSAR will be expensive and time-consuming does not entitle a controller to refuse to comply.

The Court of Appeal also held that a controller can't usually refuse to comply with a DSAR on the basis of the data subject's intentions. Controllers can refuse DSARs which amount to an abuse of process, but the mere fact that the data subject has a collateral purpose (such as getting hold of documents to use for litigation) is not sufficient.

Closer to home, the Office of the Data Protection Authority regularly receives complaints by data subjects following a failure by a controller to properly or adequately respond to a DSAR. In its Annual Report for 2023, it reported that (i) it had received a total of 27 complaints from data subject who were "unhappy with the response" to their DSAR; and (ii) it found there had been 2 breaches of a data subject's right of access. 

Helpfully, the DP Law lists various factors a controller should take into account when determining whether it is reasonable to refuse to give information to a data subject.

Conclusion

The key takeaway point here is that it is sensible for trustees to take an approach to trust administration which considers both trust and data protection principles. This should extend to the creation of documents, the use of email and the recording of minutes.

The next article in this series is titled "Developments in Guernsey's regulatory landscape" and considers Guernsey’s relatively recent registration and levy regime in addition to the Office of the Data Protection Authority’s findings in its 2024 Quarter 1 and 2 report.