In June 2018, in B v General Medical Council [2018] EWCA Civ 1497, a majority of the Court of Appeal reversed the earlier decision of the English High Court and permitted General Medical Council, as data controller, to disclose an expert medical report to a patient pursuant to a data subject access request.

This was notwithstanding that, besides the patient’s data, the report contained the personal data of Dr. B, the treating doctor, and the patient wished to use the report to support a claim for malpractice against the doctor. By the time of the appeal decision, the U.K. had enacted a new data protection law (the Data Protection Act 2018, implementing the GDPR), but the case arose and was decided on the basis of the rules on DSARs contained in the U.K. Data Protection Act 1998.

The history of the case unfolded in several stages: Dr. B, carried out an examination on a patient, referred to in the proceedings as "P," in which he failed to diagnose P’s medical condition (cancer of the bladder). This led P, whose condition had worsened by the time the disease was eventually diagnosed, to make a professional misconduct complaint against Dr. B to the GMC. As part of investigating the complaint, the GMC commissioned a report by an independent expert on the standard of medical care provided by the doctor. The expert concluded that, while the care offered was substandard in some respects, the diagnosis was not straightforward and might well also have been missed by other doctors taking all proper care.

In the light of this, the GMC decided to drop the misconduct investigation and informed Dr. B and P accordingly, attaching a one page summary of the report for their information. Subsequently, P made a DSAR under Section 7 of the Data Protection Act, requesting disclosure of the full report. The GMC, having considered the matter, advised Dr. B that, while recognizing that the report contained his personal data as well as P’s, it proposed to agree to this request. However, Dr. B objected and the High Court ruled that the GMC had erred by failing adequately to consider his privacy interests in the matter, and restrained the disclosure. The present Court of Appeal judgment concerned the determination of the GMC’s appeal against that High Court ruling.

As in the High Court, it was accepted by both parties that the personal data of P and Dr. B were “inextricably mixed” in the expert report, and that in such circumstances the Data Protection Act 1998 required a balancing exercise under Section 7(4)-(6). According to section 7(4):

“Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless –

1. the other individual has consented to the disclosure of the information the person making the request, or
2. it is reasonable in all the circumstances to comply with the request without the consent of the other individual.”

In the High Court judgment, Soole J had suggested (based on dicta from the earlier Court of Appeal decision of Durant v. Financial Services Authority) that the effect of these provisions was to create a rebuttable presumption against disclosure where the other individual does not consent. He further found that in this instance, the GMC had failed to rebut this presumption, in particular by according inadequate weight to Dr. B’s express objection to disclosure together with the likelihood that P’s main reason for requesting the full report was that he hoped to rely on it in litigation against Dr. B. This, he suggested, was not part of the rationale for giving data subjects the right to make DSARs under data protection law; to obtain evidence for litigation purposes, they should instead make use of a separate mechanism, known as disclosure, under the English rules of civil procedure, which also provide for safeguards, notably non-disclosure agreements, to ensure the litigant keeps the disclosed document confidential and uses it purely for litigation. (By contrast, there is no formal safeguard where a data subject obtains documents under the DSAR procedure.)

In the Court of Appeal, this reasoning was broadly upheld by Lord Justice Irwin, who for his part would have dismissed the GMC’s appeal. However the two other appeal judges (Lord Justice Sales and Lady Justice Arden) disagreed, with the result that the appeal was allowed and the report may now be disclosed to P. In particular, the majority took the view that there was no presumption against disclosure where one subject referred to in the data objects to this. As Lord Justice Sales commented (at paragraph 70 of his judgment):

“… I do not think that the balancing regime in section 7(4)-(6) of the DPA includes any presumptive starting point or hurdle which either the requestor or the objector has to overcome. The circumstances in which the balancing exercise has to be carried out from case to case will be many and varied, and where no consent has been given for disclosure (or where objection has been raised, as in this case) the outcome of the exercise will inevitably depend on the particular facts and context.”

In this regard, it was desirable that significant latitude in weighing the particular factors should be accorded to the data controller rather than a court seeking to second guess the outcome. As Lord Justice Sales continued (at paragraph 86):

“… The class of persons who qualify as data controllers under the DPA is a very wide one. They come in all shapes and sizes, across a very wide range in terms of resources available to them to deal with SARs which may be made to them. The legislation confers rights on the whole population. The potential number of SARs is huge. In this context, the legislature contemplated that individual data controllers should be afforded a wide margin of assessment in making the evaluative judgments required in balancing the privacy rights and other interests in issue under section 7(4).”

On the facts of the particular case there were, in the majority’s view, no grounds for impugning the reasonableness of the GMC’s decision in favor of disclosure. The GMC had noted Dr. B’s objection, but also that the overall interest in being transparent with patients who complained regarding suspected malpractice by a given doctor would be served by allowing P to see the full report. As the Court of Appeal majority noted, it had been established in other recent U.K. cases dealing with DSARs (where ‘mixed data’ was not at issue), that the data subject’s desire to obtain evidence to use for litigation was not in itself a valid reason for refusing such a request (see, e.g., Deer v. University of Oxford); indeed, in the present case the majority felt that disclosure to P was entirely appropriate. As Lord Justice Sales noted at paragraph 80:

“… it appears that a material part of P's object in making a SAR was to check that accurate personal data of his had been used by the GMC and the expert in their consideration of how to react to his complaint about Dr B's conduct. That is an object which is squarely within the purpose for which subject access rights are conferred by Article 13 of the Directive and section 7 of the DPA. Even if part of P's object was to try to obtain material which might help him in litigation against Dr P, that in no way diminishes the legitimacy or force of his interest …”

Similarly, Lady Justice Arden commented in her concurring judgment (at paragraph 99) that:

“… in the usual case the fact that the person requesting the data has it in mind that he may bring litigation should not disqualify him from receiving the mixed data. It is simply a factor to be weighed in the balance by the data controller. There could be exceptional cases where the data controller concludes that the litigation motive outweighs every other consideration, as where the person requesting mixed data is a vexatious litigant …”

At the same time, in the case of mixed data, the majority suggested a potential safeguard, responding to the concern that the requester might misuse the information by publishing it more widely to the detriment of the other data subject. This was that disclosure might sometimes be made conditional on an undertaking from the access requester not to engage in such misuse. As Lord Justice Sales stated this could apply in a case where:

“… the requester has good reasons for wishing to check on the accuracy of his personal data used in processing by the data controller whilst at the same time there are objective grounds to think that he wishes to use the information obtained for an illegitimate purpose, e,g, to post the information on the internet to try to traduce the objector…. In conducting the balancing exercise under section 7(4), the data controller would then be entitled to take into account whether such an undertaking had been proffered, or not, when deciding whether it was reasonable to make disclosure.”

The Court of Appeal decision in this case now represents the leading U.K. judgment on how DSARs should be resolved in "mixed data" cases. Though, as noted, the court applied the rules from the Data Protection Act 1998, the same approach will apply to consideration of such cases under the U.K.’s new Data Protection Act 2018, which implements the GDPR, where the relevant rules have been re-enacted in more or less identical terms.

Photo credit: sjiong Royal Courts of Justice, London via Flickr license