Kerry Underwood

MIXED DATA CASES AND DISCLOSURE


Mixed data is data which relates to someone else, as well as the person making the request for data.

In the case dealt with below it was an independent expert’s report obtained by the General Medical Council, which dealt not only with the medical treatment of the person making the request, but with the conduct of the GP who had treated him.

The principles relating to this case were contained in section 7(4) of the Data Protection Act 1998, which has now been repealed, but similar provisions are now contained in section 94(6) to (10) of the Data Protection Act 2018:

“(6) Where a controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, the controller is not obliged to comply with the request unless—

(a) the other individual has consented to the disclosure of the information to the individual making the request, or

(b) it is reasonable in all the circumstances to comply with the request without the consent of the other individual.

 

(7) In subsection (6), the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request.

(8) Subsection (6) is not to be construed as excusing a controller from communicating so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise.

(9) In determining for the purposes of subsection (6)(b) whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard must be had, in particular, to—

(a) any duty of confidentiality owed to the other individual,

(b) any steps taken by the controller with a view to seeking the consent of the other individual,

(c) whether the other individual is capable of giving consent, and

(d) any express refusal of consent by the other individual.

(10) Subject to subsection (6), a controller must comply with a request under subsection (1)—

(a) promptly, and

(b) in any event before the end of the applicable time period.”

 

Section 7(4) of the Data Protection Act 1998 read:

“(4) Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless—

(a) the other individual has consented to the disclosure of the information to the person making the request, or

(b) it is reasonable in all the circumstances to comply with the request without the consent of the other individual.”

 

 

In B v General Medical Council [2018] EWCA Civ 1497, 28 June 2018, the Court of Appeal allowed an appeal by the General Medical Council against a High Court decision preventing the disclosure of an independent expert’s report concerning a GP’s fitness to practise.

The patient who was the subject of the report had sought disclosure of the full expert report following his complaint that his doctor had examined him and failed to make a bladder cancer diagnosis resulting in a delay in treatment.

 

The Court of Appeal held that:

 

  • the High Court had wrongly relied on Durant v Financial Services Authority (Disclosure) [2003] EWCA Civ 1746, which identified a basic presumption or starting point in favour of the objector and therefore against disclosure in a “mixed data” case, but here the Court of Appeal, which is not bound by its own previous decisions, held that that case was wrong on this point, and in any event was obiter, that is, it did not form part of the basis of its finding.

 

“70. Contrary to the view of Auld LJ and the judge below, I do not think that the balancing regime in section 7(4)-(6) of the DPA includes any presumptive starting point or hurdle which either the requestor or the objector has to overcome. The circumstances in which the balancing exercise has to be carried out from case to case will be many and varied, and where no consent has been given for disclosure (or where objection has been raised, as in this case) the outcome of the exercise will inevitably depend on the particular facts and context. The question is simply whether “it is reasonable in all the circumstances to comply with the [SAR] without the consent of the other individual” (section 7(4)(b)). Although section 7(6) specifies that regard should be had to certain listed matters “in particular”, it does not limit the other matters which may be relevant circumstances; nor does it specify the weight to be given to the listed matters either as between the items in the list or as against other, non-listed relevant circumstances. There is no sound basis for saying that one should load the exercise at the outset in favour of either the objector or the requester. The rights and interests engaged on each side are both rooted in Article 8 of the ECHR and in specific protective provisions in the Directive. Both sets of rights and interests are important and there is no simple or obvious priority as between them which emerges from consideration of their nature or their place in the legislative regime. In that regard I note that the Information Commissioner, in her guidance, does not recognise or endorse any presumption of the kind referred to by the judge: see her Subject Access Code of Practice (version 1.1, February 2014, at pp. 30-34; version 1.2, June 2017, at pp. 36-40).

 

71. It is conceivable, but in practice I think unlikely, that a data controller who carries out the balancing exercise in section 7(4)-(6) in a mixed data case might be left with factors for and against disclosure which are found to be in perfect equilibrium with nothing to choose between them. In that situation there would be a need to apply a presumption at the end of the exercise, in order to arrive at a decision one way or the other. In my view, the presumption to be applied at this stage would be in favour of withholding disclosure. I emphasise that this would be a presumption of the weak, tie-breaker type referred to above. It is not a significant or substantive presumption to be applied at the outset.

72. My reason for saying that the tie-breaker assumption operates in favour of the third party data subject, rather than the requestor in this situation is that, although section 7(1) of the DPA creates a right for the data subject as against the data controller to have his personal data disclosed to him upon making a SAR, by virtue of section 7(4) the data controller is relieved of that obligation where information comprising those personal data cannot be disclosed “without disclosing information relating to another individual who can be identified from that information”, unless either of sub-paragraphs (a) or (b) is satisfied. As regards sub-paragraph (b), it must appear that it is “reasonable in all the circumstances to comply with the request without the consent of the other individual”; that is to say, having regard to the strength of the interest of the requester (as reflected in the legislative regime set out in the Directive and the DPA) in obtaining disclosure, to the strength of the interest of the objector in maintaining his privacy in relation to the information in question and to any further public interest factors which may be relevant. If the considerations for and against disclosure really are precisely balanced, the data controller (or anyone else applying the test in section 7(4)) cannot positively say that it is reasonable to comply without the consent of the other individual. This indicates that the tie-break presumption should operate in this residual sense against disclosure.”

 

  • There was no general principle that the patient’s interests, when balanced against the doctor’s, should be devalued because he was seeking information which might assist him in litigation.

 

Even if the patient intended to obtain material which might help him in litigation, that in no way diminished the legitimacy or force of his interest to have communicated to him, under section 7 of the Data Protection Act 1998 (DPA 1998), information about his personal data as processed by the GMC and the independent expert.

  • The High Court had erred in its criticisms of the General Medical Council’s consideration of the doctor’s privacy rights, his express refusal of consent and in its assessment of the incremental impact of disclosure on the doctor.

 

It had also substituted its own views regarding relevant factors and the weight that should be accorded to them for those of the General Medical Council as controller.

 

The Court of Appeal also said that it would be reasonable in appropriate cases for a data controller to make disclosure conditional upon there being no wider dissemination of the information.

 

“83. Thirdly, in view of the wide-ranging submissions we heard on this appeal, I should mention a possible half-way house which may be open to data controllers which conduct a balancing exercise under section 7(4). In some cases, the balance between the legitimate protected interests of a requester and those of an objector may be more finely balanced than in this. For example, it might appear that the requester has good reasons for wishing to check on the accuracy of his personal data used in processing by the data controller whilst at the same time there are objective grounds to think that he wishes to use the information obtained for an illegitimate purpose, e.g. to post the information on the internet to try to traduce the objector. In such a case it might be reasonable (within the meaning of section 7(4)(b)) to make disclosure of the information to the requester if there can be appropriate assurance that no wider inappropriate dissemination of the information will occur, whilst it might not be reasonable to make disclosure in the absence of such assurance. In my view, it would be open to the data controller in such a case to invite the requester to consider giving a binding contractual undertaking to the data controller or the objector or both, to restrict the use to which the information might be put. In conducting the balancing exercise under section 7(4), the data controller would then be entitled to take into account whether such an undertaking had been proffered, or not, when deciding whether it was reasonable to make disclosure. To be clear, I do not think that this would usually be an appropriate course to try to restrict a requester from using information sought by means of a SAR in litigation thereafter. Later use in litigation is not something which is illegitimate in itself, so far as the subject access regime is concerned.”

 

 

It appears that neither of the parties, nor the court, considered Section 35 of the Data Protection Act 1998, which reads:

 

“35. Disclosures required by law or made in connection with legal proceedings etc.

 

(1) Personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court.

 

(2) Personal data are exempt from the non-disclosure provisions where the disclosure is necessary –

 

(a) for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), or

 

(b) for the purpose of obtaining legal advice,

 

or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.”

 

That would appear to have made the whole case unnecessary, but perhaps I am missing something.

 

The Data Protection Act 2018 has repealed the Data Protection Act 1998. It is virtually unintelligible. The Act has to be cross-read with the Schedules and the General Data Protection Regulation, but essentially Schedule 1 Paragraph 33 maintains this exemption:

 

“33. This condition is met if the processing-

 

(a) Is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),

(b) Is necessary for the purpose of obtaining legal advice, or

(c) Is otherwise necessary for the purposes of establishing, exercising or defending legal rights.”

 

 

 

Underwoods Solicitors are the solicitors for the Joint Administrators in The Cambridge Analytica case.

 


Written by kerryunderwood

August 13, 2018 at 1:40 pm


2 Responses


  1. Dear Kerry

    I haven’t looked at the decision (sorry under the cosh rather) but did the parties raise Sect 35 (restrictions don’t apply for litigation or intended litigation) and did the Court consider the effect of this in the context of disciplinary proceedings?

    Nigel

    Nigel Adams


    August 13, 2018 at 2:02 pm

    • Nigel

      Very good question – and no, it appears that neither of the parties, nor the court, considered Section 35 of the Data Protection Act 1998, which reads:

      “35. Disclosures required by law or made in connection with legal proceedings etc.

      (1) Personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court.

      (2) Personal data are exempt from the non-disclosure provisions where the disclosure is necessary –

      (a) for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), or

      (b) for the purpose of obtaining legal advice,

      or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.”

      That would appear to have made the whole case unnecessary, but perhaps I am missing something.

      The Data Protection Act 2018 has repealed the Data Protection Act 2018. It is virtually unintelligible. The Act has to be cross read with the Schedules and the General Data Protection Regulations, but essentially Schedule 1 Paragraph 33 maintains this exemption:

      “33. This condition is met if the processing-

      (a) Is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),
      (b) Is necessary for the purpose of obtaining legal advice, or
      (c) Is otherwise necessary for the purposes of establishing, exercising or defending legal rights.”

      Thanks for bringing this to my attention.

      Kerry

      kerryunderwood

      August 20, 2018 at 12:56 pm

