What’s this about?
Under litigation disclosure, also known as “discovery”, parties involved in court proceedings exchange relevant information and evidence to enable them to understand each other’s case and to try to facilitate resolution or a narrowing of the issues in the proceedings. This information and evidence will likely contain personal information about individuals, so issues may arise as to the interplay between disclosure and data protection/privacy rules, the latter of which provide for various justifications along with exemptions for the use of personal data in legal proceedings (and other legal-related purposes).
To date there is little case-law on this issue, but the UK High Court case of Anthony Dixon v North Bristol NHS Trust sheds light on some of the issues involved.
What’s the background?
Various medical negligence cases had either been brought or were being threatened against a healthcare organization by ex-patients concerning a doctor who had treated them. The healthcare organization was proposing to disclose to the ex-patients documents that included material about a professional misconduct investigation into the doctor, who the healthcare organization had dismissed.
The doctor applied for an interim injunction to prevent the proposed disclosure, arguing that he would be likely to demonstrate at trial that the proposed disclosure should not be allowed.
The application included claims that disclosure would infringe UK GDPR (“GDPR”) and the UK Data Protection Act 2018 (“DPA 2018”), notably concerning various parts of the GDPR Article 5 data processing principles and the GDPR Article 6 lawful grounds for data processing – the healthcare organization said that processing of the doctor’s personal data under the proposed disclosure would be lawful and also met certain exemptions.
What did the court rule?
The court refused to grant an interim injunction and ruled as follows with regard to the proposed disclosure and UK data protection/privacy law:
- The judge was not persuaded that the analysis of the data protection legislation put forward on behalf of the doctor was correct. For the judge, whilst the analysis of the requirements of GDPR Article 5 might be right, importantly they had to be read together with the provisions of GDPR Article 6;
- According to the judge, the contention made on behalf of the doctor that processing in accordance with a legal obligation must be given a narrow construction was not correct. The judge (Nicklin J) also stated in this context that data protection legislation must be read “purposively not mechanically” and “does not give a data subject a ‘veto’ on what data can be disclosed”;
- In the view of the judge, it was likely that the healthcare organization would succeed in demonstrating that the proposed disclosure is lawful under the GDPR Article 6(1)(c) grounds (“processing is necessary for compliance with a legal obligation to which the [data] controller is subject”), and/or the GDPR Article 6(1)(e) grounds (“processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the [data] controller”);
- The judge did not accept that the purpose for which the personal data were originally collected excluded the further processing that is involved in the proposed disclosure;
- The judge was also persuaded that the healthcare organization was likely to establish that the proposed disclosure falls within the exemption provided in Schedule 2, Paragraph 5(3) of the DPA 2018. According to the judge, the proposed disclosure is disclosure, including personal data relating to the doctor, which is necessary in connection with prospective legal proceedings and/or is otherwise necessary for the purposes of establishing, exercising or defending the legal rights of the claimants in the negligence matters to whom the proposed disclosure is to be made; and,
- Finally, according to the judge, insofar as the doctor’s data protection challenge was being made on the basis of the alleged inaccuracy of the personal data, the judge did not consider that the doctor would be likely to succeed. According to the judge, “[d]ata are inaccurate if they are incorrect or misleading as to any matter of fact”. Under GDPR Article 5(1)(d), personal data are required to be accurate “having regard to the purposes for which they are processed”. According to the judge, “[s]ome records, which contain personal data, must be maintained, intact, because of the nature of the record, notwithstanding that the data may subsequently be shown to be inaccurate”. The judge said that, arguably, one of the proposed disclosure documents fell into this category: “It represents the findings made in respect of the doctor following the misconduct investigation. It is a combination of statements of fact and conclusions (or expressions of opinion)”. According to the judge, “[t]he doctor cannot, by an accuracy challenge under data protection legislation, seek the amendment or rectification of the factual findings” in the proposed disclosure document in question. Finally, the judge said that the doctor “may have other remedies in respect of any alleged inaccuracy, and he may have objections to some forms of processing, but the nature of the document (and the reasons for which it is retained) must properly be recognized when considering the data protection claim.”
As we have said, there have not been too many cases looking at the conflicts between disclosure/discovery and data protection. We looked in May at a case in Scotland where the data subject also lost – https://www.corderycompliance.com/sc-gdpr-lit-0523-08/. At an EU level we’ve also looked at the ECJ judgment in the Norra Stockholm Bygg case here: https://www.corderycompliance.com/ec-gdpr-0323-1/.
What are the takeaways?
Although this case turned on its facts, it highlights the importance of getting your ducks in a row when putting forward arguments based on data protection/privacy legislation. Organizations will therefore need to consider data protection issues and disclosure at all stages of any litigation proceedings with regard to the data processing principles, lawful grounds of processing and the exemption concerning information required to be disclosed by law or in connection with legal proceedings.
We write about data protection and privacy issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
We’ve written about data protection litigation and disclosure issues, such as in the context of Subject Access Requests, for example here: https://www.corderycompliance.com/uk-high-court-rudd-v-brindle-subject-access-request-disclosure-ruling/, and here: https://www.corderycompliance.com/subject-access-requests-and-disclosure-in-the-context-of-litigation-recent-case-update/.
The UK court’s judgment can be found here: https://www.bailii.org/ew/cases/EWHC/KB/2022/3127.html.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784
Office: +44 (0)207 347 2365