Data subject access requests: Court of Appeal guidance on "mixed data" cases
1st August 2018
Under data protection legislation, individuals have the right to access their personal data, to find out what data is held and how it is used. This right is exercised by making a data subject access request (or DSAR) to the data controller or processor (responsibility for complying with a DSAR lies with the controller). At a time when individuals are becoming more aware of their rights as data subjects, DSARs are increasingly being used tactically, both prior to and alongside the litigation process.
In a recent decision, the Court of Appeal has provided welcome guidance for data controllers on how to approach DSARs in “mixed data” cases, as Walker Morris data protection specialists Jeanette Burgess and Andrew Northage explain.
Background
In Dr B v The General Medical Council [1], the General Medical Council (GMC) appealed a High Court order in which the judge granted an injunction against it, restraining disclosure of an expert report. The report was produced in relation to a GMC investigation into the fitness to practise of a doctor (Dr B), following a complaint by a patient (P) that Dr B had examined and dealt with him incompetently, leading to an avoidable delay in his diagnosis.
The report was central to the GMC’s decision whether to take action against Dr B. The GMC decided that there should be no further action and sent both parties a short summary of the expert’s comments. P requested disclosure of the full report and the request was treated as a DSAR under section 7 of the Data Protection Act 1998 (DPA) [2]. Dr B opposed disclosure, asserting, among other things, that the clear intention behind the DSAR was to initiate litigation against him.
By the time the case came before the High Court it was agreed that the personal data of P and Dr B were “inextricably mixed” in the report. Section 7(4) of the DPA provided that, where a data controller cannot comply with the DSAR without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with it unless (a) the other individual has consented to the disclosure of the information to the person making the DSAR, or (b) it is reasonable in all the circumstances to comply with the DSAR without the consent of the other individual. Section 7(6) set out a number of factors to which particular regard should be had, including any express refusal of consent.
Having carried out this balancing exercise, the GMC decided to disclose the report. Dr B applied to the High Court to restrain disclosure.
The High Court’s decision…
Importantly, the High Court judge noted the remark of Lord Justice Auld in the Durant case [3] that, in the absence of consent, there was a rebuttable presumption or starting point against disclosure.
The GMC submitted that Dr B did not have a reasonable expectation that the report would be kept from P. His reasonable expectation should have been that it would be disclosed to P if requested under section 7 of the DPA. Dr B disagreed, pointing to the GMC’s practice of providing only a summary of expert reports in cases where it had decided to take no further action, such as this one.
The judge also considered what had been said in earlier cases about the “purpose” of a DSAR under the DPA. The GMC argued that the requester’s intention to use the information in furtherance of litigation was not of itself a reason for refusing a DSAR. It accepted, and the judge agreed, that it was a factor which could be taken into account in the balancing exercise. The GMC submitted, however, that it should be given no significant weight in this case.
The judge concluded that the GMC had “got the balance” wrong. It had failed to begin with a presumption against disclosure, and had given no adequate weight to Dr B’s status as a data subject and to his rights of privacy. The real focus of the report was on Dr B’s professional competence. The judge disagreed with the GMC’s submission that Dr B’s reasonable expectation was that the report would be disclosed to P. Instead, he had a reasonable expectation that a lawful balancing exercise would be carried out. The GMC had focused on P’s rights and the issue of transparency of the GMC’s decision-making process. It had taken no adequate account of Dr B’s express refusal of consent, nor of the intended use of the report for the purposes of litigation, which was the “dominant purpose” behind the DSAR (this was important, even though there was no evidence of any abuse of the report summary already provided to P).
…overturned by the Court of Appeal
The GMC appealed the High Court’s decision on the following grounds:
- There was improper reliance on an alleged presumption that there should be no disclosure in a “mixed data” case.
- There was improper reliance on P’s motive in making the DSAR.
- The Court’s reasoning was flawed in holding that the GMC (a) gave inadequate consideration to Dr B’s privacy rights, (b) took inadequate account of his express refusal of consent, and (c) underestimated the incremental impact of the disclosure of the report over and above the summary.
- The Court (a) “effectively substituted” its own assessment of the case for disclosure, (b) over-estimated the risk of P publishing the report, and failed to consider that Dr B had preventive legal options open to him to block such abuse, and (c) gave inadequate consideration to P’s “fundamental rights…to obtain and understand information about him of a highly sensitive nature”.
In a majority judgment, the Court of Appeal allowed the GMC’s appeal. Key points include:
- The judge was wrong to say that there was a presumption under section 7(4) of the DPA in favour of a person who has not consented to or who objects to disclosure. The Court was not bound to accept or follow Auld LJ’s observation on this point in Durant, as it did not form part of the rationale for the decision in that case.
- Where no consent has been given or an objection has been raised, the outcome of the balancing exercise will inevitably depend on the particular facts and context. Although section 7(6) of the DPA specifies that regard should be had to certain listed matters “in particular”, it does not limit the other matters which may be relevant circumstances; nor does it specify the weight to be given to the listed matters either as between the items in the list or as against other, non-listed relevant circumstances.
- A presumption in favour of withholding disclosure could operate as a “tie-breaker” at the end of a process of analysis, if all other competing factors are otherwise precisely in balance. In this case, there was no scope for applying such a presumption, as the GMC had given positive reasons why it considered it reasonable in all the circumstances to comply with P’s DSAR, notwithstanding that the report also comprised Dr B’s personal data.
- The general position is that subject access rights are not dependent on the requester’s motivation (see, for example, the Court of Appeal’s decision in Dawson-Damer [4], which we considered in an earlier briefing). Section 7(4) of the DPA is a special provision dealing with mixed data, and the role played by litigation motive in respect of mixed data is different from that played by it in relation to other data. Parliament’s instruction to the data controller is that he must consider every aspect of the matter, and that would include any evidence as to the litigation motive of the requester.
- A litigation motive is not irrelevant under section 7(4), but neither is it a disqualifying factor. It is simply a factor to be weighed in the balance by the data controller. There is no general principle that the interests of the requester, when balanced against the interests of the objector, should be treated as devalued by reason of a litigation motive.
- Dr B’s desire to be protected from litigation was peripheral to the main focus of the balancing exercise, which was concerned with weighing the privacy interests of the requester and the objector.
- The judge was wrong to hold that “if it appears that the sole or dominant purpose is to obtain a document for the purpose of a claim against the other data subject, that is a weighty factor in favour of refusal, on the basis that the more appropriate forum is the court procedure under Part 31 of the Civil Procedure Rules”. The GMC plainly took account of Dr B’s allegation that the purpose of the DSAR was to use the report in litigation against him, but treated it as only having limited weight because it was unlikely to assist P very much in any proceedings – that was a lawful and rational assessment. It was by no means clear, in any event, that that was P’s sole or dominant purpose. It is well established that a person making a DSAR is only entitled to disclosure of information, not documents – P could not have known that the report itself would be disclosed as a result of a DSAR made by him.
- Even if part of P’s motive was to try to obtain material which might assist him in litigation against Dr B, that would in no way diminish the legitimacy or force of his interest to have communicated to him under section 7 information about his personal data as processed by the GMC and the expert.
- It was noteworthy that P’s data constituted “sensitive personal data”, while Dr B’s did not have that enhanced status.
- The data controller is the primary decision-maker in assessing whether disclosure is reasonable or not. Apart from the mandatory relevant considerations set out in section 7(6) of the DPA, data controllers generally have a wide discretion as to which particular factors to treat as relevant to the balancing exercise. They also have a wide discretion as to the weight to be given to each factor they treat as relevant. Data controllers come in all shapes and sizes, with widely varying levels of resource to deal with DSARs. The interests of requesters, objectors and data controllers which might be taken into consideration in the balancing exercise are also very diverse.
- The question for the court to ask is whether it was reasonable in all the circumstances for the data controller to refuse/comply with the DSAR. If the controller did not make a reasonable assessment, then the court has a discretion to make the assessment itself. In this case, the GMC gave proper consideration to Dr B’s privacy interests, took account of his express refusal to consent, and considered his arguments in relation to the impact of disclosure of the report. The GMC made a lawful and rational assessment and the weight to be afforded to each of these factors was a matter for the GMC as data controller. The judge improperly substituted his own views regarding relevant factors and their weight for those of the GMC.
- A complainant making a DSAR has a legitimate interest under data protection legislation to check that the personal data used by the GMC and the expert in forming their views are accurate – there was nothing inconsistent in the GMC’s practice of providing only a summary of expert reports in cases where it had decided to take no further action, and then separately considering whether a further disclosure of personal data should be made later on following receipt of a DSAR.
- If Dr B was worried about the possibility of dissemination of the report by P for wholly inappropriate or illegitimate purposes, it was open to him or his advisers to ask the GMC to seek undertakings from P to protect against it (but note that it is unlikely to be appropriate to try to restrict later use of the information in litigation).
WM Comment
The Court of Appeal’s decision provides welcome guidance to data controllers faced with DSARs involving “mixed data”, where the other individual or individuals have not consented to the disclosure. It is clear that, when carrying out this balancing exercise of weighing the privacy interests of the affected parties, the data controller is given a wide discretion. Litigation motive is a factor to be taken into account, but there is no special weight to be attached to it.
It is essential that organisations have policies and procedures in place to deal with DSARs, and that staff across the organisation know how to recognise a DSAR and who to contact if one is received. It is important to remember that a DSAR can be oral – it does not have to be written. Under the GDPR, the time for responding to a DSAR has been reduced from 40 days to one month. In addition, as data controllers have ultimate responsibility for complying with DSARs, they need to ensure that they have in place appropriate contractual arrangements with data processors.
If you require assistance in relation to any of the issues discussed in this briefing, please do not hesitate to contact Jeanette or Andrew, who will be very happy to help.
_______________
[1] [2018] EWCA Civ 1497
[2] The DSAR regime has not changed substantially under the EU General Data Protection Regulation (GDPR) and Data Protection Act 2018, which replaced the DPA on 25 May 2018.
[3] Durant v Financial Services Authority [2003] EWCA Civ 1746
[4] Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74