Dr B v The General Medical Council [2018] EWCA Civ 1497
Mixed data cases present a particular challenge for data controllers and, as Adam Chapman noted in his previous commentary on this case in the High Court, “in ‘three way’ cases such as these, the data controller is likely to be challenged irrespective of the decision they take”.
This case concerns the General Medical Council’s (GMC) appeal against an injunction granted in favour of Dr B for restraint of the disclosure of an expert report to a patient. The High Court had criticised the GMC for its decision to disclose an expert report to P, in relation to whom the report had been prepared. The report related to the care which P had received from Dr B and in relation to which Dr B had expressly refused consent for the expert report to be disclosed to P. The expert report in question, whilst critical of the care which P had received from Dr B, concluded that the care provided by Dr B was “not seriously below” the expected standard of care.
The GMC took no further action in relation to Dr B’s conduct.
This is known as a ‘mixed data’ case on the basis that the expert report in question contained personal data relating to both P and Dr B. The High Court (Soole J) held that, in deciding to disclose the report to P, the GMC had performed the relevant balancing exercise incorrectly. Soole J determined that the report should not have been disclosed to P and granted an injunction accordingly.
The GMC advanced four grounds of appeal, summarised as follows:
The GMC’s appeal was allowed by majority (Sales LJ and Arden LJ) with Irwin LJ dissenting.
The significance of this case lies predominantly in the decision of Sales LJ in relation to the so-called “presumption against disclosure” for mixed data cases and the consideration of a data subject’s motive, particularly in contemplation of litigation.
Soole J considered the position put forward in the case of Durant v Financial Services Authority (Disclosure) [2003] EWCA Civ 1746, [2004] F.S.R. 28, in which Auld LJ commented that “the provisions appear to create presumption” in favour of the objecting party in a mixed data case. Sales LJ determined that this was not binding on the basis that Auld LJ’s comment did not form part of the rationale for the decision. Sales LJ emphasised the importance of returning to the spirit of the disclosure regime (section 7(4)-(6) Data Protection Act 1998 (DPA)) which “seeks to strike a balance between competing interests of the requester and the objector, both of which are anchored in the right to respect for private life” (in accordance with ECHR Article 8 and Directive 95/46) and further highlighted the test for reasonableness in accordance with s7(4)(b) DPA. Given that there was no sound basis upon which to favour the rights of the objector, it was held that Soole J had been incorrect to apply a substantive presumption in Dr B’s favour and to have criticised the GMC’s approach.
Sales LJ made plain his decision that Soole J had erred on this point in a number of respects but, importantly, the relevant part of the judgment (paras 75-80) has wider application in relation to the question of the importance of the motivation behind a mixed data case SAR. Sales LJ held that “the rights of subject access to personal data under Article 12 of the Directive and section 7 of the DPA are not dependent on appropriate motivation on the part of the requester” (citing, amongst others, Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74; [2017] 1 WLR 3255, [105]-[113] (Arden LJ); and Ittihadieh v 5-11 Cheyne Gardens [2017] EWCA Civ 121; [2017] 3 WLR 811, [104]-[110] (Lewison LJ)).
Soole J and Irwin LJ disagreed, suggesting that the approach should be different for mixed data cases so as to protect against the risk of parties circumventing the Civil Procedure Rules, a risk which warranted consideration in respect of the test for reasonableness.
Importantly for data controllers, Sales LJ deemed it to be “noteworthy” that P’s data constituted “sensitive personal data” in accordance with the legislation and therefore merited “enhanced protection”. Sales LJ also stated that Dr B’s desire to be protected from litigation was “peripheral to the main focus” of the relevant balancing exercise. Sales LJ also held that “where a person has two rights to obtain something (here, access to information), the usual position is that he is entitled to rely on whichever right is the more effective from his point of view” and, for mixed data cases, “it will be relevant to have regard to the extent to which the interests on either side which are of a kind which are protected by the legislation are engaged and may be prejudiced by a decision one way or the other”.
Whilst this case provides data controllers with some clarity in respect of decision-making in mixed data cases under the DPA 1998, they will undoubtedly be anxious to see how this is translated under the new law. Individuals have a ‘right of access’ in accordance with, primarily, Article 15 of the General Data Protection Regulation (GDPR). In terms of the restriction for mixed data cases, the scheme as set out at Schedule 2 paragraph 16 of the DPA 2018 largely mirrors the now repealed provisions of section 7 of the DPA 1998. In summary, whilst data controllers can be relatively confident about the application of this judgment, it is accepted that a degree of uncertainty will remain, at least until the first of the GDPR and DPA 2018 cases start to trickle through the courts. Given their important role in balancing complex data protection considerations, the rights of individuals and also the public interest, healthcare regulators remain at particular risk of a challenge to their decision-making as data controllers.
Should you have any GDPR or data protection queries, please contact Kingsley Napley’s data protection team.