Forsters v Uddin: Inadvertent Disclosures in Responding to Data Subject Access Requests and the Availability of Injunctive Relief

30 January 2026

Forsters LLP v Zia Uddin [2025] EWHC 3255 (KB)

A nightmare scenario unfolds: upon responding to a Data Subject Access Request (‘DSAR’), a data controller realises that their response contained information that goes beyond the requirements of the DSAR, including data exclusively relating to third parties and even information which was subject to legal professional privilege. Forsters LLP may offer solace to unfortunate data controllers who find themselves in this or similar situations of wishing to put the data cat back in the bag by turning to the High Court for injunctive relief under a claim in the tort of confidence.

The case concerns a web of litigation: Forsters LLP (‘the Claimant’) were instructed solicitors for persons involved in proceedings against Mr Zia Uddin (‘the Defendant’). The proceedings concerned a neighbour dispute and a nuisance claim. The Defendant brought related proceedings against two named employees of the Claimant for harassment, breach of their data protection rights and misuse of private information amongst other things. The Claimant denied those allegations and brought a summary judgment application to dismiss the Defendant’s claim against the named persons. The Defendant made a DSAR pursuant to Article 15 UKGDPR and Schedule 2 of the Data Protection Act 2018 seeking a range of disclosures relating to the underlying nuisance claim. The Claimant responded by providing a link to an online platform which inadvertently had uploaded to it the results of a full keyword search meaning it contained more than 50% information that related to third parties in respect of which the Defendant would have no entitlement under UKGDPR, including information that was subject to privilege. The files also contained approximately 95% of the case file for the nuisance claim. The Defendant identified the seriousness of the breach to the Claimant, noting that it was likely a breach of the confidentiality of the Claimant’s clients and data protection law. That same day the Claimant responded accepting the erroneous disclosure and requiring the Defendant to immediately delete the entirety of the disclosed files. The Defendant in turn responded, claiming that the disclosure was relevant to his claim against the Claimant. Thereafter, the Claimant made several requests that the Defendant give undertakings to delete the data and to make no further use of the erroneously disclosed documents, all of which were rebuffed. Finally, the Claimant turned to the High Court, applying for an interim injunction on the basis that the retention of the data was a breach of confidence.

The application for an interim injunction was considered Deputy High Court Judge Vassall-Adams KC. He summarised the typical approach of that the Court would take in cases of inadvertent disclosure of confidential and privileged documents are disclosed to another party in litigation (at [27]):

‘This typically happens when something goes wrong in a disclosure exercise. The touchstone of whether the court will intervene in the situation of inadvertent disclosure of confidential and privileged documents to an opposing party in litigation is whether the receiving party is taking advantage of an “obvious mistake”. In that situation, the Courts will generally compel the return of any confidential and privileged information.’

Applying Fayed v Commissioner of Police of the Metropolis [2002] EWCA Civ 780 Deputy High Court Judge Vassall-Adams KC found that the case before him was one where there had been an ‘obvious mistake’ where equity was served by the granting of an injunction compelling return and destruction of the inadvertently disclosed files. The Court reiterated the position that, so far as privileged materials are concerned, they are a separate class of confidential documents to which special considerations apply and, unlike only confidential documents, there is no balancing exercise to be conducted against the countervailing public interest that a recipient may invoke regarding their proposed use of the documents: the balancing exercise has already been struck and falls squarely in favour of non-disclosure (albeit privilege may be lost if the information becomes public such as to undermine the quality of confidence which underpins the document).

Forsters LLP may provide a welcome solace to unfortunate data controllers who find themselves in a position of having disclosed inadvertently to the maker of a DSAR materials to which they have no entitlement. Whilst this case arose out of litigation that was already underway, there is no requirement for there to be preexisting litigation (and indeed the confidence claim advanced by the Claimant was a standalone cause of action). If any data controller finds themselves in such a position, they should consider the following:

In many circumstances a disclosure of documents to which the maker of a DSAR has no entitlement will be a case of ‘obvious mistake’. However, this is a fact specific assessment and consideration should be given as to whether it is obvious that there was a mistake which caused the documents to be disclosed to the maker of the DSAR.
Consideration must be given as to whether the inadvertently disclosed information is confidential. This will obviously be the case with privileged materials. If the materials are not confidential, there will be no cause of action in confidence to underpin the application for an injunction.
That recourse to an injunction exists does not override a data controllers’ obligations to report data breaches to the ICO and any relevant regulators which may govern the data controller.
A first recourse for the data controller may be to seek an undertaking from the maker of the DSAR. Doing so may improve the prospects of obtaining an injunction in that it will strengthen the arguments on the obviousness of the mistake and refusals may increase the High Court’s willingness to grant the equitable injunction remedy. However, caution should be advised in determining whether to seek an undertaking. For some DSAR makers, this could act as a prompt to publish the inadvertently disclosed information. A prospective applicant for an interim injunction should weigh this decision and be prepared to explain their decisions in evidence before the High Court. Fayed v Commissioner of Police of the Metropolis [2002] EWCA Civ 780 will assist in undertaking this assessment.
The Court in Forsters LLP noted delays in bringing the application for an interim injunction. Whilst not determinative in this case, unexplained or unreasonable delays could impede the seeking of an injunction and so applications should be made expeditiously.
Where a significant tranche of information has been inadvertently disclosed, an applicant for an injunction need not detail the contents of every document. The Court in Forsters LLP commended the approach taken by the Claimant to produce a categorisation summary of the documents. Doing otherwise would in many cases be disproportionate in terms of the costs involved.
Where a mixed disclosure has taken place (i.e. some documents disclosed are those to which a DSAR maker is entitled and others are not), a data controller need not necessarily limit their injunction application to only the portion of the materials to which the DSAR maker is not entitled. In Forsters LLP the injunction application was made for the all the disclosed materials, with the Court noting that there would be some materials captured to which the Defendant was entitled (either under the DSAR or in the course of litigation by way of disclosure). The Court found (at [53]) that the ‘right course is to require the Claimant to deliver up these documents so that the Claimant can discharge its legal obligations in the usual way, under the control of the Court’. This will not always be the case (noting that in Forsters LLP the majority of the files disclosed were in respect of unrelated third parties and many of the relevant files will have been covered by privilege). Whether to apply for return of all the disclosed materials or to limit an application only to those inadvertently disclosed materials will be a fact specific exercise that will be in large part contingent on the ratio of appropriate disclosure to inadvertent disclosure and the practical hurdles in identifying the mistaken disclosure in the injunction application. If a decision is made to seek return or destruction of all the materials, the basis for this decision should be explained in the evidence prepared in support of the application.

As a final word, Forsters LLP is a cautionary tale to all data controllers of the pitfalls that can exist when DSAR processes are reliant on word-search systems and have insufficient safeguards. Whilst this case shows there may be recourse to injunctions, it will of course always be cheaper in costs and less potentially damaging to not allow the proverbial data cat out of the bag in the first place.