IFAs who are holding wills on behalf of their clients are unsure whether they are obliged to send named beneficiaries a privacy notice noting that the practice is holding information about them, or even whether they must tell them they are beneficiaries.
Not many IFAs do hold wills, and mostly this is done in separate will writing companies, but those that do swear it is an ideal way to get investment business.
In principle, the GDPR gives 'data subjects' the right to be provided with all information that a 'data controller' holds about them, subject to certain exceptions. A similar 'subject access request' right already exists in the Data Protection Act 1998, but has very rarely been used in a trust and estate context.
In Dawson-Damer v Taylor Wessing 2017 a trust beneficiary forced trustees of a discretionary trust to reveal details of their proposed appointments. The trustees' defence of “legal professional privilege” was rejected.
Worse still for will writers and trustees of Trusts Data controllers are also obliged to issue 'privacy notices' to individuals whose personal data they hold, and whom they have reason to think may have good reason to see or amend that data. Many worry that they would have to send these notices to the beneficiaries of all the wills they are holding.
The ICO's answer on their website is that a practitioner who stores a will on behalf of a client does not have to contact beneficiaries when the will is written, but only when it comes into effect on the testator's death and the estate begins to be administered. At that point the practitioner ought to send beneficiaries a GDPR-compliant privacy notice to advise them how their data will be stored and processed.
'The ICO confirmed that the situation with beneficiaries while a will is drafted falls under Article 14(5)(d) of the GDPR' states that the data controller need not comply with the request if the personal data concerned 'must remain confidential subject to an obligation of professional secrecy'.
'The will-writer is a data processor and the testator of the will is the data controller. The will writer is therefore holding information on behalf of the controller, and is responsible for the security of that data, but not anything beyond that,' she added. Once the client is dead, the practitioner presumably inherits the role of data controller.
The ICO also pointed out that the testator may not want the beneficiaries to know about their inclusion in the will which is obvious but the point has to be made.
So if you are a trustee for someone else…take care to inform them in line with the legal minimums.