The High Court recently dismissed a claim for damages brought by a surgeon, Mr Johnson, against The Medical Defence Union (the MDU). Mr Johnson claimed that the MDU had unfairly processed his personal data in breach of the Data Protection Act 1998 (the DPA) when terminating his membership, thereby causing damage to his professional reputation.
Readers will be aware of some of the preliminary issues which arose in this case on the way to trial. There had already been two interlocutory judgments from Mr Justice Laddie in 2004. First, Mr Johnson’s application under s 7(9) of the DPA for an order that the MDU comply with his request for access to outstanding information was rejected on the grounds that that outstanding information did not amount to personal data. Secondly, it was held that the court’s refusal under the DPA did not preclude Mr Johnson’s entitlement to disclosure of the same documents under the Civil Procedure Rules.
The Facts
The claimant, David Paul Johnson, was a consultant orthopaedic surgeon and a former member of the defendant organisation, the MDU. Membership of the MDU provides benefits to surgeons such as Mr Johnson; in particular, professional indemnity cover. During his membership, Mr Johnson had never been the subject of a professional negligence claim although he had sought advice and assistance from the MDU in relation to professional problems, including complaints made against him, which had resulted in the MDU opening 17 files on him over the last 10 years. The MDU resolved to terminate Mr Johnson’s membership following a risk-assessment of his case history. The MDU reviewed case summaries of each of the 17 incidents reported to them, whether by Mr Johnson or a third party, during his membership as well as some of the files themselves. The case summaries and some files were computerised although other files were manual. Further case summaries and recommendations were created on the MDU’s standard forms, among which was a score sheet to numerically rate Mr Johnson’s risk to the MDU’s funds before a decision was made. It is important to note that this risk assessment methodology did not involve any assessment as to whether any claim or complaint in a case had any merit; the MDU set up a system which was based on the principle that the fact a claim was made was predictive of whether a particular member might cause a drain on MDU funds. It was noted by the MDU that highly competent but brash doctors with no bedside manner are more likely to find themselves receiving a claim (albeit one which might fail) than the most incompetent but extremely charming doctors.
As a result of the review of the case summaries, Mr Johnson’s professional indemnity cover provided by the MDU automatically terminated with his membership in March 2002, when his then current subscription expired. Mr Johnson alleged that the defendant had unfairly processed his personal data in breach of the first data protection principle (data must be processed “fairly and lawfully”) and sought compensation under s 13 of the DPA, claiming, amongst other things, that the termination of his membership had caused damage to his professional reputation. Mr Johnson accepted that the MDU had, as a matter of contract law, an absolute discretion to terminate his membership, but his case was that, but for the unfair processing, the decision to terminate it would not have been made.
The Issues
On 3 March 2006, the judge, Mr Justice Rimer, dismissed Mr Johnson’s claim, and in doing so made some findings of general interest on the following issues:
- Was there actually any “processing” of personal data?
- If so, was that processing fair within the first data protection principle?
- Did any unfairness cause the decision to terminate or would the result have been the same in any case?
- What compensation was in fact recoverable under s 13; and in particular, was it in principle possible to recover for reputational damages?
- What damage did Mr Johnson suffer here?
Was there any processing of personal data?
This issue was raised by the MDU as its first line of defence: s 13 did not give rise to a claim for compensation as there was in fact no “processing” of personal data within the DPA. Rimer J had to engage in a linguistic analysis on the interpretation of what he considered to be the less than clear provisions of the DPA (with much reference to Directive 95/46/EC (the Directive)).
“Data” is defined in s 1(1) of the DPA to include information which (a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, (b) is recorded with the intention that it should be processed by means of such equipment, or (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system. “Processing”, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including, inter alia, disclosing the information.
The MDU’s argument was founded on the fact that the “processing” was their manual selection of data from Mr Johnson’s files and its input into a computerised record system (including the score sheet) as part of the review process. As such, the processing which took place on the manual files relating to Mr Johnson was done on information which was not “data” within the meaning of s 1(1) of the DPA (and therefore not personal data) because the manual files were not part of a “relevant filing system”. It followed that the definition of “processing” of data in the DPA should be interpreted as referring only to various types of operations in relation to “data” within the meaning of s 1(1) and, therefore, there was no data capable of being “processed” by the MDU.
Similarly, in relation to the MDU’s selection of information from Mr Johnson’s computerised files, the MDU also argued that there was no “data” capable of being “processed”, because it is only data that is (or is intended to be) processed automatically in response to relevant instructions that amounts to “data” within the meaning of s 1(1) of the DPA. They argued that they had not engaged in any “automatic” processing of Mr Johnson’s data because they had applied their own, non-automatic judgement to the selection of information from Mr Johnson’s files.
Rimer J nonetheless thought that it was enough that the information manually selected by the MDU, whether from the manual or computerised files, was then held on a computer having been inputted into the MDU’s computer-created forms. Whilst “information” only becomes “data” when it is first recorded with the intention of being put into an automatic system or when it is in fact put into an automatic system, the definition of “processing”, as expanded by s 1(2), shows that the “obtaining” of information intended to be contained in, and which is in fact entered into, such an automatic system, will be “processing”. The MDU’s selection of data and completion of the forms therefore amounted to “processing”.
Was the processing fair?
Mr Johnson alleged that the processing of his data breached the first data protection principle which requires personal data to be processed fairly and lawfully. Part II of sch 1 to the DPA sets out, at para 2, a requirement which must be fulfilled before any processing can be considered fair, that certain information is provided to the data subject (the “fair processing information”). Mr Johnson argued that, whilst he was informed of the identity of the data controller and representative for the purposes of para 2(3)(a) and (b), he was not informed of “the purpose or purposes for which the data was intended to be processed” as required by para 2(3)(c) or given the “further information” necessary under para 2(3)(d).
These paragraphs draw a distinction between the information which needs to be provided when the personal data at issue was obtained from the data subject himself and that which was obtained from a third party. Rimer J accordingly considered the files containing data from Mr Johnson and those containing reports from third parties separately.
The MDU’s review of data supplied by Mr Johnson
The MDU argued that it had fulfilled its responsibilities under para 2(3)(c) by sending its members annual renewal invitations (“Processing Agreements”), which stated: “I agree that by renewing my membership I consent to the MDU processing information about me, including sensitive personal data, for … risk management …. purposes …. and I acknowledge that I have the right to apply for a copy of my personal data … and to have any inaccuracies corrected”. The argument here concerned what in fact was meant by “risk management”. Rimer J agreed with the MDU that it meant the management of risk to MDU funds rather than Mr Johnson’s interpretation that it referred to giving assistance to its members to manage the members’ risks in medical practice. Accordingly, Mr Johnson had indeed been made aware of, and had consented to, his personal data being processed for the purpose for which it was used (ie risk management).
As regards para 2(3)(d), Mr Johnson alleged that the MDU had not fulfilled their obligation because, under the MDU’s risk assessment policy, the fact that an allegation had been made, and a file opened, was regarded as predictive by the MDU in terms of future risk to its funds. Mr Johnson believed that the “further information” he was entitled to was a chance to check that the MDU’s facts were correct and to offer his observations on their findings. Mr Johnson further believed that the scoring system on the MDU’s score sheet was irrational and arbitrary and that its application was likely to lead to an arbitrary and irrational result, if he was not given this opportunity. Rimer J found that neither the wording of the DPA nor the Directive supported the proposition that compliance with the fair processing requirements of the first data protection principle entitled Mr Johnson to a consultation with the MDU following their processing exercise. Paragraph 2(3)(d) was intended to provide data subjects with further information having regard to the specific circumstances in which the data is to be processed, such as their rights of access to and rectification of the data (which Mr Johnson had been informed of in the Processing Agreement). Furthermore, Rimer J did not consider the suggested consultation would form part of the MDU’s “processing” exercise – this had already been completed by this stage and, therefore, Mr Johnson’s argument amounted to no more than a complaint that he was not entitled to make representations to the MDU about his case.
The MDU’s review of data supplied by third parties
Rimer J emphasised that these files contained data which Mr Johnson did not know existed and, therefore, he could not be taken to have been informed of the processing of this data for risk management purposes. As a result, the MDU were obliged to inform Mr Johnson of its existence at the time of or promptly after its processing under para 2(3) of Part II of Sch 1 and (at least) of the purpose for which it was being or had been processed and his right of access and rectification of such data. As a result, in respect of the personal data which had been processed by the MDU from 2 of the 17 files, there was unfair processing in breach of the first data protection principle.
Did any unfairness cause the decision to terminate or would the result have been the same in any case?
On the evidence, the files in relation to which there had been unfair processing, as a result of the failure to provide the fair processing information, had played an immaterial part in the making of the MDU’s decision to terminate Mr Johnson’s membership. Rimer J felt that, on the balance of probabilities, the MDU’s decision would have been the same even if there had been no unfair processing of the data in these files.
What compensation was in fact recoverable under section 13?
Mr Johnson claimed that he had suffered pecuniary loss and distress from losing his professional indemnity cover from the MDU upon the termination of his membership. Mr Johnson also claimed that his expulsion caused him wider damage, in that he had to disclose it to hospitals where he had since sought employment which had damaged his professional reputation as it had reflected that he was regarded by MDU as a serious risk to their funds.
Rimer J took this opportunity to clarify the heads of compensation available under s 13 of the DPA; although given his earlier findings it was strictly unnecessary. He held that s 13(1) entitles an individual who has suffered “damage” by reason of a contravention of the DPA to “compensation” for that damage. Section 13(2)(a) provides that an individual who suffers “damage by reason of the contravention” is also entitled to compensation for any “distress” that such contravention may have caused him. Rimer J, therefore, held that the reference to “damage” in s 13(2)(a) must be a reference to damage within the meaning of s 13(1), and that proof of s 13(1) damage was a gateway to the recovery of additional compensation for “distress” caused by the contravention. “Distress”, however, does not give rise to pecuniary loss and is to be compensated by a general award of damages. As a result, Rimer J concluded that s 13(1) covers pecuniary damage and s 13(2)(a) covers distress, as s 13(2)(a) would have no purpose if distress was brought within s 13(1). (Rimer J noted that if a case is brought within s 13(2)(b), there is no need for a claimant to prove, as a gateway to recovery of compensation for distress, a separate head of pecuniary damage within s 13(1)). Rimer J held that there was no provision made in this scheme for recovery of general compensation for alleged harm to reputation. If compensation of this nature is to be claimed, it can only be recovered in a defamation action. However, a claimant could obtain compensation under s 13(1) for pecuniary damage which flows from any damage to his reputation.
What damage did Mr Johnson suffer here?
On the facts here, had Mr Johnson prevailed on liability and causation, he would have been entitled to pecuniary damages (although all that could be proved was £10 or so, as he had actually found it relatively easy to replace the indemnity cover). This finding would have also been his gateway to recovery of damages for distress under s 13(2); but all he would have won here was a sum of £1,000. In addition, Rimer J also made a finding that if he had been wrong that compensation for damage to reputation was not available under s 13(1), he would have found that the compensation appropriate here was only £5,000 since Mr Johnson could not show any evidence that his work actually suffered as a result of his terminated membership.
Commentary
Whilst the interlocutory judgments of Laddie J in 2004 were particularly useful in further extending the Durant analysis of what constituted personal data and in explaining how the subject access request regime sits in parallel to the civil disclosure rules, the judgment in the full trial also gives some useful analysis of other aspects of the DPA. (The actual result following the legal findings turns very much on its facts.) Lawyers may well feel some sympathy for Mr Johnson that the decision-making process which led to the termination of his membership was of a “score card” nature and did not have, within the process, an opportunity for Mr Johnson to put forward his point of view (in other words, elements of a fair hearing which, if the MDU were a public authority, would be necessary to avoid scrutiny in judicial review). Whilst in this lay sense the process might be seen as unfair, it is not something which can be considered in an analysis of what constitutes “fair” for the purpose of the first data protection principle. The MDU is a commercial body, and it can set its own rules as to who it allows to be members.
It is interesting to note in relation to the one point where Mr Johnson prevailed, that Rimer J found that there had been unfair processing in relation to data supplied by third parties to the MDU because Mr Johnson was unaware of its existence and, therefore, could not have been provided with the necessary fair processing information relating to it. It seems, therefore, that the MDU may have been able to avoid liability if their Processing Agreement had read “I consent to the MDU processing information about me, including information which may be obtained from third parties, … for risk management purposes …”. In these circumstances, Mr Johnson would have been aware of the possible existence of data obtained from third parties and would also have been provided with the same fair processing information relating to it as Rimer J had deemed sufficient for the fair processing of the data supplied by Mr Johnson.
Also of interest in this case is the finding that the actual act of taking information from something which is not personal data (ie the manual files which were not part of a relevant filing system and the computerised files which were not intended to be processed automatically) and putting it into an electronic form is nonetheless “processing”; as was the case with the manual selection of information and completion of various reports during the review process. That act of selection can therefore be subject to an analysis under the first (and presumably then also the other) data protection principles, and as such this ruling might be seen as somewhat widening the perceived scope of the DPA.
Lastly, the explanation Rimer J gave in relation to s 13 will be of interest. He found that reputational damage is not recoverable and compensation for distress can be recovered only if it is accompanied by some form of pecuniary damage, no matter how small, within s 13(1).
Renzo Marchini is Counsel in the London office of Dechert LLP, specialising in IT, outsourcing and data protection.