What is this about?
Data protection rules (including the GDPR and the UK Data Protection Act 2018) allow for individuals to make so-called “Subject Access Requests” (SARs) where they can seek to obtain copies of the personal data held about them by organisations and certain other related information about how that data is stored and processed.
In the UK there has been a considerable increase in the number of SARs in recent years. Some of these matters have also been litigated and the recent Court of Appeal ruling in the case of Dr DB -v- General Medical Council (which can be found here: http://www.bailii.org/ew/cases/EWCA/Civ/2018/1497.html, which was decided under the previous UK data protection legislation) deals with the particular issue of mixed personal data, which we previously reported on here http://www.corderycompliance.com/subject-access-requests-and-disclosure-in-the-context-of-litigation-recent-case-update/.
What is the background to the case?
In this case a patient made a complaint about his treatment by his doctor (“the GP”) to the UK doctors’ regulatory body the General Medical Council (“GMC”). The GMC undertook a so-called fitness to practice investigation into the GP including commissioning an independent expert’s report. Although the report was critical of the care provided by the GP it nevertheless concluded that the standard of care had not fallen seriously below the expected standard and therefore the GMC took no further action as regards the GP.
In its response to the patient the GMC had included a one-page summary of the independent expert’s report. The patient made an SAR to the GMC to see the full report with (it seems) a view to bringing a possible clinical negligence claim. The GP did not consent to disclosure of the report, arguing in particular that the report constituted the GP’s personal data only and that the SAR was being used as a vehicle for disclosure with a view to litigation or further complaint. The GMC decided that, on balance it would be fair and lawful and not in breach of data protection principles, and, in the interests of transparency, it should disclose the report to the patient. The GP brought legal proceedings to stop disclosure of the report and the High Court granted the GP an injunction preventing disclosure stating that where there was mixed personal data a balancing exercise had to be carried out and where one party objected there was a presumption against disclosure, and in this particular case the GMC had got the balance wrong.
What did the appeal court decide?
The GMC brought an appeal and by a two-judge majority verdict (the third judge dissenting) the UK Court of Appeal decided in the GMC’s favour and over-ruled the High Court.
The court rejected the notion that for SARs relating to mixed personal data (where there was no consent by the other data subject) there was a so-called “rebuttable presumption” against disclosure. The court emphasised that data controllers need to be afforded a wide margin of appreciation in making the evaluation judgements required where there was mixed personal data – according to the court, the GMC, in the balancing exercise, had considered the arguments raised by DB in relation to the impact of disclosure on him and had made a lawful and rational assessment of the points made and the weight to be accorded to them. One of the majority judges also ruled that “[…] a litigation motive is not irrelevant…but nor yet is it a disqualifying factor”. The court decided that the High Court judge had improperly substituted his own views regarding the relevant factors and their weight for that of the data controller and that the GMC’s assessment was rational and lawful.
What are the takeaways?
SARs are being frequently used in the litigation context but this has often been with mixed end-results – here the court came down in favour of disclosure over-ruling a previous ruling of non-disclosure (see also here for our report about the important Gurieva case: http://www.corderycompliance.com/subject-access-requests-and-investigations/).
As mentioned above, the GP and GMC case was decided under the previous UK data protection legislative regime but it is likely that the same result would be arrived at under the new legislative regime (for the current legislative provisions on SARs see Article 15 of GDPR, and, Article 94 along with the general restriction for mixed personal data cases under Schedule 2 paragraph 16 [pages 158-159] of the UK Data Protection Act 2018). Another key takeaway from this case is that there might now be more latitude for personal data being disclosed for use in litigation, an issue which will no doubt continue to be the subject of further litigation.
We report about data protection issues, including SARs, here: http://www.corderycompliance.com/category/data-protection-privacy/. For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our EU Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary
Cordery’s GDPR Navigator includes more resources to help deal with SARs – for more on Navigator please see here: http://www.corderycompliance.com/solutions/cordery-gdpr-navigator/
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
André Bywater
Office: +44 (0)207 075 1785
andre.bywater@corderycompliance.com
Office: +44 (0)207 075 1784
jonathan.armstrong@corderycompliance.com