However, since the introduction of the EU’s GDPR and other related legal developments, disinterested third parties such as the hostile or inquisitive family member, divorcing spouse or creditor, may have some potential new weapons in their armoury.
These provide significant challenges to settlors' and trustees' ability to keep information out of the hands of others and, in some cases, will necessitate a substantial review of how particular trusts operate.
GDPR is EU legislation relating to the handling and processing of data. It is automatically applicable in EU member states, and the government has committed that it will continue to apply in the UK post-Brexit.
It is primarily designed to protect consumers but has a far wider significance.
There have been pan-European data protection laws for almost 20 years, but GDPR has a number of features that are likely to have a greater affect upon trusts, including its territorial scope and expanded rights to information.
Extra-territorial effect
GDPR’s extra-territorial effect means that large numbers of trusts, foundations and underlying company structures, wherever they are based in the world, may be impacted.
Some jurisdictions have legislated to create special exemptions from some aspects of the GDPR to seek to protect their rules relating to trust information disclosure, but trustees should nevertheless consider how they hold and generate data, which may be more widely circulated in future as the trust fund and beneficial class evolves.
Most at risk are those with EU resident settlors, beneficiaries or assets within the EU and those providing services to anyone in the EU.
But, again, given the international mobility of individuals, trustees would be wise to also review specific trusts where there is a particular emphasis on confidentiality or litigation risk, in addition to their general operating procedures.
Subject Access Request
The GDPR puts an obligation on data controllers to abide by detailed rules on how they process individuals' personal data.
Of particular note is that GDPR also provides rights to any individual to request personal data that a data controller holds about them, known as a Subject Access Request (SAR), together with additional information such as to whom the personal data might be disclosed; how long it will be held for; its source; and the right to request its correction or erasure.
The SAR requestor can be anyone, and is not restricted to trust beneficiaries, or potential beneficiaries.
If data identifying that individual (not only by name but by any identifiable reference) is held, it is potentially within scope of disclosure under GDPR, including:
