The Court of Appeal has considered the correct approach to dealing with mixed personal data. Rupert Paines analyses its ruling.
The Court of Appeal judgment in DB v GMC  EWCA Civ 1497 will now be the leading case on the treatment of mixed personal data.
The background to the case, and analysis of the High Court judgment, is set out in Chris Knight’s (dreadfully-titled) piece here. In essence, Dr B was investigated by the GMC in relation to his care of a patient, P, who was diagnosed with bladder cancer. P considered that Dr B should have diagnosed the cancer a year or so earlier and made a complaint to the GMC to that effect.
The GMC commissioned an independent expert GP to produce an expert report into the quality of Dr B’s care. The report was critical in some respects, concluding that the care provided fell ‘below’ but not ‘seriously below’ the standard of care expected, and that most reasonably competent general practitioners would not have suspected bladder cancer. On the basis of that report (which had been shared with Dr B), the GMC case examiners decided that there should be no further action. P received a summary of the report.
P’s solicitors made a subject access request for (among other things) the full report, in response to which the GMC was minded to disclose the report. Dr B applied for an injunction preventing the GMC from so doing. Soole J granted the injunction; as Chris noted, his judgment was broadly helpful to data controllers looking to limit disclosure.
The GMC appealed to the Court of Appeal on a number of grounds.
The Court of Appeal allowed the appeal by majority (Sales LJ and Arden LJ – both of whom have now been appointed to the Supreme Court), with a lengthy dissent from Irwin LJ. The points of wider interest are:
- Whether the High Court was right to apply a rebuttable presumption against disclosure on the basis that there was ‘mixed personal data’ (of Dr B and of P);
- The relevance of the fact that the request was made to obtain information for the purposes of litigation (which Soole J had considered as a weighty factor in favour of refusal); and
- Whether the High Court had inappropriately substituted judgment (and so the question of the breadth of the data controller’s margin of discretion when considering mixed data).
Presumptions in ‘mixed data’ cases
The issue here turned on a comment from Auld LJ’s well-known judgment in Durant  FSR 28, where he said that the DPA 1998 provisions on mixed data “appear to create a presumption or starting point that the information relating to [the third party – here Dr B], including his identity, should not be disclosed without his consent”. Soole J applied that presumption, and Irwin LJ (dissenting) agreed.
Sales LJ however decided (somewhat bullishly) that the Durant statement was not ratio, so the Court did not have to follow it, and proceeded briskly to the conclusion that it was wrong – there was no “presumptive starting point or hurdle”, the question (under s. 7(4) DPA) being simply whether it is reasonable to disclose third party data without consent. That question was to be determined without giving ‘priority’ either to the requester or the third party. He accepted that if a data controller found the interests balanced equally, at that stage there would be a ‘tie-breaker’ presumption in favour of withholding the data, but that was not the presumption which the Judge had applied. Arden LJ agreed.
Sales LJ’s conclusion is helpful in returning attention to the statutory language: the test for data controllers being simply whether disclosure of third party data without consent is reasonable, entailing a balancing of interests judgment (in which the data controller’s judgment is given a considerable margin of discretion – on which more below). The effect is to give data controllers more freedom to decide as they wish, while removing one weapon from the arsenal generally deployed by third parties seeking to prevent disclosure.
The relevance of a litigation purpose
Dawson-Damer  1 WLR 3255 and Ittihadieh  3 WLR 811 have brought an end to the old (if never particularly venerable) practice of data controllers refusing SAR requests on the basis that the request was ‘fishing’ for the purposes of litigation. That is so at least as regards ‘straight’ personal data requests. Are matters different if the subject-matter of the request is mixed personal data?
Soole J and Irwin LJ thought so, Irwin LJ taking the view that this was a “significant matter to be weighed in the balance, as a necessary part of the consideration whether it is reasonable to override the refusal of consent by the data subject who is seeking to protect their personal data”, and that if that was not the case then such requests would be “an obvious way to circumvent the requirements of the CPR”.
Again, Sales LJ and Arden LJ disagreed. There was “no general principle that the interests of the requester, when balanced against the interests of the objector, should be treated as devalued by reason of such motivation”. Sales LJ made a number of interesting further comments:
- That it was material that P was requesting his sensitive personal data; Sales LJ saw the status of SPD as being of “special sensitivity and significance and as generally meriting enhanced protection” as justifying additional weight under a SAR request, given the interest of the data subject in ‘checking the accuracy’ of the data;
- That it was hard to see “what legitimate privacy reason Dr B had for objecting to the disclosure to P”: Dr B had no proper interest in P “proceeding on the basis of false information”. This is questionable; it is always possible to say that privacy has no intrinsic value (‘do you have something to hide?’), but the intrinsic value of privacy rights – including those of third parties in a ‘mixed data’ situation – is a basic tenet of the data protection legislation;
- That the desire of a third party objector to avoid litigation is not a privacy-related interest, and so “is peripheral to the main focus of that balancing exercise, which is concerned with weighing the privacy interests of the requester and the objector”. This may well be true where the litigation would concern the public actions of a professional, such as Dr B; it is less obviously right where the litigation would itself involve the disclosure of private information;
- That the data controller, when considering an objection to disclosure in a mixed data situation, “will generally be entitled to focus on the objector’s arguments in evaluating his interest in having disclosure withheld”, at least where other matters are not obvious. This will be of obvious help to data controllers dealing with such objections.
Both Sales LJ and Arden LJ were concerned by the possibility that a data subject recipient of ‘mixed’ personal data following a SAR might “use the information obtained for an illegitimate purpose, e.g. to post the information on the internet to try to traduce the objector”. They suggested that it would “be open to the data controller in such a case to invite the requester to consider giving a binding contractual undertaking to the data controller or the objector or both, to restrict the use to which the information might be put”, and then to take the offer (or failure to offer) such an undertaking into account in the balancing exercise. Arden LJ went beyond Sales LJ’s suggestion of a contractual undertaking to suggest the possibility of an undertaking to the Court in respect of such data. Both were, however, also keen to emphasise that this would be an unusual course.
Although one can see the concern underlying this suggestion, its practical application is likely to create considerable difficulties – data subject requesters are unlikely to wish to be constrained in their subsequent use of what is, ultimately, their own personal data, while demands for such undertakings will now presumably be a regular feature of the complaints of third party objectors.
The margin of discretion
As already noted, the judgments of the majority took a generous approach to the discretion given to the data controller by the DPA 1998. To quote the key parts of Sales LJ’s judgment:
- “It is the data controller who is the primary decision-maker in assessing whether it is reasonable or not [to disclose]”.
- “the legislature contemplated that individual data controllers should be afforded a wide margin of assessment in making the evaluative judgments required in balancing the privacy rights and other interests in issue under section 7(4)”.
- “data controllers generally have a wide discretion as to which particular factors to treat as relevant to the balancing exercise”.
All of which will be music to the ears of the data controller caught between the Scylla of a requester and the Charybdis of an objector, but less so for the sea monster and whirlpool in question (or for those advising them).
Where to now?
Overall, a clear judgment delivering welcome certainty on the proper approach to ‘mixed data’ questions.
This was a judgment under the DPA 1998. The inevitable question (as always): what about the brave new world of the GDPR? The answer, as is frequently the case: basic continuity.
The subject access right is set out in art 15 GDPR. Schedule 2 paragraph 16 DPA 2018 sets up a restriction to the subject access right in ‘mixed data’ cases, subject to consent or to the application of a reasonableness test, and so a scheme functionally very similar to the repealed provisions in s. 7 DPA 1998. DB will be of direct relevance to that scheme.