Where a data subject access request (DSAR) is made relating to "mixed data" (ie data within a document containing the data of individuals other than the data subject) there must be a careful balancing exercise between the respective privacy rights of the data subjects. In the absence of consent, the rebuttable presumption is against disclosure of information relating to third parties, and an express refusal of consent is a specific factor to be taken in to account. If it appears that the sole or dominant purpose of the DSAR is to obtain a document for the purposes of a claim against the other data subject, that is a weighty factor in favour of refusal, on the basis that the more appropriate forum is the Court procedure under CPR 31: Dr DB v The General Medical Council [2016] EWHC 2331(QB).
An individual (the Data Subject) can make a DSAR to access personal data held about them, under the Data Protection Act 1998 (the DPA). This case concerned a request by a person seeking data contained in a report that included mixed data, ie both his own and a third party’s data. The underlying rationale was to obtain evidence for a claim against the third party. Although in the field of medical professional negligence, the principles apply more broadly.
P (the patient) made a DSAR in relation to an independent expert report commissioned by the General Medical Council (the GMC) to investigate a complaint made by P against his doctor (DB). In accordance with its established practice, upon deciding not to take the complaint against DB further, the GMC had provided P with a summary of the report rather than the full document. P’s DSAR sought the full report. DB refused consent to that request, but the GMC accepted the DSAR and determined that the full report should be disclosed.
DB sought to challenge the GMC’s decision to provide the full report, arguing that the GMC’s decision to do so was unlawful. In allowing DB’s claim, and overturning the GMC’s decision, two key factors in Soole J’s judgment were an individual’s fundamental right to privacy and the purpose of P’s request.
Mixed data requires a balancing exercise
The report contained the personal data of both P and DB. The DPA expressly provides for cases of mixed data, qualifying the right of a data subject to access his personal data where compliance with the request will involve disclosure of information relating to another individual. S7(4) requires that the data controller undertake a balancing exercise and states that he is not obliged to comply with the DSAR unless “(a) the other individual has consented to the disclosure…; or (b) it is reasonable in all the circumstances to comply with the request without the consent of the other individual”.
It was common ground that the court’s review of GMC’s decision to disclose the report was to be more intensive than the traditional Wednesbury test thus, while it was “not for the court to substitute its own view for that of the data controller, the latter’s decision involves an interference with fundamental rights (including data protection and privacy) and is to be subject to "anxious scrutiny"”.
Express refusal means rebuttable presumption against disclosure
It was relevant that DB had expressly refused his consent to disclosure, a factor that the DPA expressly requires be taken in to account in the balancing exercise (s7(6)(d)) and that case law holds gives rise to a rebuttable presumption against disclosure.1 In the absence of consent, the GMC should have started with a presumption against disclosure.
The right to privacy must be part of the balancing act
It was common ground that: (a) the personal data of both P (his medical condition) and DB (his professional competence and reputation) constituted private information; and (b) the right to privacy under both the common law and Article 8 of the European Convention on Human Rights (the right to respect for private and family life) must be taken into account in the balancing exercise.
Soole J found that, despite acknowledging it, the GMC gave no real weight to DB’s privacy right, focusing instead on P’s rights and the GMC’s interest in ensuring fairness and transparency in its procedures. Soole J rejected P’s contention that DB must have had a “reasonable expectation” that the report would be supplied if a request were made, finding instead that DB’s reasonable expectation was that if a request were made the GMC would carry out a lawful balancing exercise, which would include taking into account the fact that the report contained mixed private information. That reasonable expectation was fortified by the GMC’s established practice, when a complaint is not to be taken further, of only providing a complainant with a summary of a report. Soole J also noted that had the GMC’s interest in ensuring transparency in its procedures required provision of a full report in these circumstances, its practice would no doubt have reflected that.
P’s purpose in making DSAR was for use in litigation
The court held that the GMC had reasonably inferred from the coincidence in timing between the DSAR and a letter before action sent to DB, that the purpose of P’s request was to use the report and its information in the litigation he intended to bring against DB. This gave rise to two primary concerns:
-
First, the information was not being sought for the purposes envisaged by EU Directive 95/46/EC. The DPA gives effect to that Directive, the primary objective of which is to protect individuals’ fundamental rights, including the right to privacy and accuracy of personal data held by others (Durant).
-
Secondly, providing the document to P pursuant to a DSAR would deprive DB of the protections that the Civil Procedure Rules would otherwise provide in the context of civil litigation, in particular the restriction on the use of the document (CPR 31.22).
In light of those concerns, a “weighty factor” in the balancing exercise (in favour of refusal) should have been that the sole or dominant purpose for requesting the document appeared to be its intended use in litigation.
The GMC’s decision did not adequately balance these factors so its decision to disclose the full report was therefore unlawful.
Balancing exercise in mixed data cases
While Soole J was reluctant to devise any principles of general application, and stressed that each application must be considered on its merits, he did note that in conducting the balancing exercise in mixed data cases:
-
it is essential to keep in mind that the exercise involves a balance between the respective privacy rights of data subjects;
-
in the absence of consent, the rebuttable presumption is against disclosure, and the express refusal of consent is a specific factor to be taken in to account; and
-
if it appears that the sole or dominant purpose of the DSAR is to obtain a document for the purposes of a claim against the other data subject, that is a weighty factor in favour of refusal, on the basis that the more appropriate forum is the Court procedure under CPR 31.
Comment
The DPA allows DSARs for the purposes of protecting privacy and ensuring the accuracy of personal data. This case highlights the importance a data controller must place upon adhering to those objectives, and the need to carefully balance the rights of a requestor against any other individual whose personal data appears in the document. It also serves as a warning to any party seeking to use a DSAR as a back door to obtaining documents for the purposes of litigation; while the DPA is “purpose blind”, the Courts will not allow it to be used where doing so could circumvent the disclosure regime mandated by the Civil Procedure Rules and render redundant the protections those rules provide. It has long been the position of the Information Commissioner’s Office (ICO), notwithstanding a line of previous case law, including Durant, Eszias2 and Edem3, that it will not look at the motivation behind a DSAR when considering complaints by data subjects. It remains unlikely that this case will cause the ICO to adopt a different approach, but it is increasingly becoming a more difficult position for the ICO to defend.
Footnotes:
1 Durant v FSA [2003] EWCA Civ 1747.
2 Ezsias v Welsh Ministers [2007] All ER (D) 65.
3 Edem v IC & Financial Services Authority [2014] EWCA Civ 92.
