Do new data protection rules mean beneficiaries have the right to be told if they’re named in a will?
Since the General Data Protection Regulation (GDPR) came into force earlier this year, will-writers across the country have been questioning what this means to them. For example, whether the GDPR requires firms to destroy wills held if they can’t secure consent to keep them (it doesn’t).
But the Information Commissioner’s Office (ICO) has clarified one uncertainty; on its website, the regulator has shed light on whether practitioners holding wills on behalf of clients are required to tell beneficiaries that they are keeping information about them.
Under the GDPR, individuals have a legal right to be provided with all data that an organisation holds about them. As such, many will-writers are understandably worried that they are now obligated to send a privacy notice to beneficiaries. Such notices would tell heirs about the personal data they hold, how the personal data will be used, and for what purposes. Something that many clients would not want to be known.
However, while the ICO has not yet dealt with this matter formally, it has replied to a question from a probate practitioner on its website.
The ICO has stated that lawyers who store wills on behalf of clients do not have to contact beneficiaries when a will is written. Primarily because the personal data concerned must remain confidential due to professional secrecy obligations.
Furthermore, while a data processor is responsible for processing data on behalf of the controller, it is the data controller that determines the purpose and means of processing this information. So, in this scenario, the will-writer is a data processor and the testator is the data controller. What this means is that the “will writer holds information on behalf of the controller, and is responsible for the security of that data, but not anything beyond that”.
So, while will-writers must ensure they have robust security measures in place to keep the data safe, they only become a data controller once the client has passed. At this stage – when a will comes into effect and the estate starts to be administered – they are obligated to send a GDPR-compliant privacy notice to any beneficiaries. This notice must make clear how their data will be stored and processed.
Of course, in Dawson-Damer v Taylor Wessing, UK solicitors were ordered to disclose details of private decision making after receiving a Subject Access Request (SAR) by a beneficiary under the Data Protection Act. However, this decision was made on a particular set of circumstances. Furthermore, while some practitioners were predicting that the introduction of the GDPR could increase the likelihood of such requests, there is no evidence of this happening as yet.