The recent Court of Appeal judgment in DB v GMC [2018] EWCA Civ
1497 will now be the leading case on the treatment of mixed personal data.
The background to the case, and analysis of the High Court
judgment, is set out here.
In essence, Dr B was investigated by the GMC in relation to his care of a
patient, P, who was diagnosed with bladder cancer. P considered that Dr B
should have diagnosed the cancer a year or so earlier and made a complaint to
the GMC to that effect.
The GMC commissioned an independent expert GP to produce an
expert report into the quality of Dr B’s care. The report was critical in some
respects, concluding that the care provided fell ‘below’ but not ‘seriously
below’ the standard of care expected, and that most reasonably competent
general practitioners would not have suspected bladder cancer. On the basis of
that report (which had been shared with Dr B), the GMC case examiners decided
that there should be no further action. P received a summary of the report.
P’s solicitors made a subject access request for (among
other things) the full report, in response to which the GMC was minded to
disclose the report. Dr B applied for an injunction preventing the GMC from so
doing. Soole J granted the injunction; as Christopher Knight noted in the blog post
linked to above, his judgment was broadly helpful to data controllers looking
to limit disclosure.
The GMC appealed to the Court of Appeal on a number of
grounds. The Court of Appeal allowed the appeal by majority (Sales LJ and Arden
LJ – both of whom have now been appointed to the Supreme Court), with a lengthy
dissent from Irwin LJ. The points of wider interest are:
- whether the High Court was right to apply a
  rebuttable presumption against disclosure on the basis that there was ‘mixed
  personal data’ (of Dr B and of P);
- the relevance of the fact that the request was
  made to obtain information for the purposes of litigation (which Soole J had
  considered as a weighty factor in favour of refusal); and
- whether the High Court had inappropriately
  substituted its judgement (and so the question of the breadth of the data
  controller’s margin of discretion when considering mixed data).
Presumptions in ‘mixed data’ cases
The issue here turned on a comment from Auld LJ’s well-known
judgment in Durant v Financial Services
Authority [2003] EWCA Civ 1746, where he said that the
DPA 1998 provisions on mixed data ‘appear to create a presumption or starting
point that the information relating to [the third party – here Dr B], including
his identity, should not be disclosed without his consent’. Soole J applied
that presumption, and Irwin LJ (dissenting) agreed.
Sales LJ however decided (somewhat bullishly) that the Durant statement was not ratio, so the
Court of Appeal did not have to follow it, and proceeded briskly to the
conclusion that it was wrong – there was no ‘presumptive starting point or
hurdle’, the question (under the DPA 1998, s 7(4)) being simply whether it is
reasonable to disclose third-party data without consent. That question was to
be determined without giving ‘priority’ either to the requester or the third
party. He accepted that if a data controller found the interests balanced
equally, at that stage there would be a ‘tie-breaker’ presumption in favour of
withholding the data, but that was not the presumption which the judge had
applied. Arden LJ agreed.
Sales LJ’s conclusion is helpful in returning attention to
the statutory language: the test for data controllers being simply whether
disclosure of third-party data without consent is reasonable, entailing a
balancing of interests judgement (in which the data controller’s judgement is
given a considerable margin of discretion – on which more below). The effect is
to give data controllers more freedom to decide as they wish, while removing
one weapon from the arsenal generally deployed by third parties seeking to
prevent disclosure.
The relevance of a litigation purpose
Dawson-Damer [2017] 1 WLR 3255
and Ittihadieh [2017] 3 WLR 811
have brought an end to the old (if never particularly venerable) practice of
data controllers refusing SAR requests on the basis that the request was
‘fishing’ for the purposes of litigation. That is so at least as regards
‘straight’ personal data requests. Are matters different if the subject-matter
of the request is mixed personal data?
Soole J and Irwin LJ thought so, Irwin LJ taking the view
that this was a ‘significant matter to be weighed in the balance, as a
necessary part of the consideration whether it is reasonable to override the
refusal of consent by the data subject who is seeking to protect their personal
data’, and that if that was not the case then such requests would be ‘an
obvious way to circumvent the requirements of the CPR’.
Again, Sales LJ and Arden LJ disagreed. There was ‘no
general principle that the interests of the requester, when balanced against
the interests of the objector, should be treated as devalued by reason of such
motivation’. Sales LJ made a number of interesting further comments:
- That it was material that P was requesting his sensitive
  personal data; Sales LJ saw the status of SPD as being of ‘special sensitivity
  and significance and as generally meriting enhanced protection’ as justifying
  additional weight under a SAR request, given the interest of the data subject
  in ‘checking the accuracy’ of the data;
- That it was hard to see ‘what legitimate privacy
  reason Dr B had for objecting to the disclosure to P’: Dr B had no proper
  interest in P ‘proceeding on the basis of false information’. This is
  questionable; it is always possible to say that privacy has no intrinsic value
  (‘do you have something to hide?’), but the intrinsic value of privacy rights –
  including those of third parties in a ‘mixed data’ situation – is a basic tenet
  of the data protection legislation;
- That the desire of a third party objector to
  avoid litigation is not a privacy-related interest, and so ‘is peripheral to
  the main focus of that balancing exercise, which is concerned with weighing the
  privacy interests of the requester and the objector’. This may well be true
  where the litigation would concern the public actions of a professional, such
  as Dr B; it is less obviously right where the litigation would itself involve
  the disclosure of private information;
- That the data controller, when considering an
  objection to disclosure in a mixed data situation, ‘will generally be entitled
  to focus on the objector’s arguments in evaluating his interest in having
  disclosure withheld’, at least where other matters are not obvious. This will
  be of obvious help to data controllers dealing with such objections.
Both Sales LJ and Arden LJ were concerned by the possibility
that a data subject recipient of ‘mixed’ personal data following a SAR might ‘use
the information obtained for an illegitimate purpose, eg, to post the
information on the internet to try to traduce the objector’. They suggested
that it would ‘be open to the data controller in such a case to invite the
requester to consider giving a binding contractual undertaking to the data
controller or the objector or both, to restrict the use to which the information
might be put’, and then to take the offer (or failure to offer) such an
undertaking into account in the balancing exercise. Arden LJ went beyond Sales
LJ’s suggestion of a contractual undertaking to suggest the possibility of an
undertaking to the court in respect of such data. Both were, however, also keen
to emphasise that this would be an unusual course.
Although one can see the concern underlying this suggestion,
its practical application is likely to create considerable difficulties – data
subject requesters are unlikely to wish to be constrained in their subsequent
use of what is, ultimately, their own personal data, while demands for such
undertakings will now presumably be a regular feature of the complaints of
third party objectors.
The margin of discretion
As already noted, the judgments of the majority took a
generous approach to the discretion given to the data controller by the DPA
1998. To quote the key parts of Sales LJ’s judgment:
- ‘It is the data controller who is the primary decision-maker
  in assessing whether it is reasonable or not [to disclose]’.
- ‘the legislature contemplated that individual
  data controllers should be afforded a wide margin of assessment in making the
  evaluative judgments required in balancing the privacy rights and other
  interests in issue under section 7(4)’.
- ‘data controllers generally have a wide
  discretion as to which particular factors to treat as relevant to the balancing
  exercise’.
All of which will be music to the ears of the data
controller caught between the Scylla of a requester and the Charybdis of an
objector, but less so for the sea monster and whirlpool in question (or for
those advising them).
Where to now?
Overall, a clear judgment delivering welcome certainty on
the proper approach to ‘mixed data’ questions.
This was a judgment under the DPA 1998. The inevitable
question (as always): what about the brave new world of the GDPR? The answer,
as is frequently the case: basic continuity.
The subject access right is set out in GDPR, article 15.
Schedule 2, para 16 of the DPA 2018 sets up a restriction to the subject access
right in ‘mixed data’ cases, subject to consent or to the application of a
reasonableness test, and so a scheme functionally very similar to the repealed
provisions in s 7 of the DPA 1998. DB
will be of direct relevance to that scheme.
Rupert Paines is a barrister
at 11 KBW: https://www.11kbw.com/.
This article first appeared
as a blog post on the Panopticon blog.