SRA to undertake AML audits as enforcers keep focus on “professional enablers”
Dr B v The General Medical Council  EWCA Civ 1497
Mixed data cases present a particular challenge for data controllers and, as Adam Chapman noted in his previous commentary of this case in the High Court, “in ‘three way’ cases such as these, the data controller is likely to be challenged irrespective of the decision they take”.
This case concerns the General Medical Council’s (GMC) appeal against an injunction granted in favour of Dr B for restraint of the disclosure of an expert report to a patient. The High Court had criticised the GMC for its decision to disclose an expert report to P, in relation to whom the report had been prepared. The report related to the care which P had received from Dr B and in relation to which Dr B had expressly refused consent for the expert report to be disclosed to P. The expert report in question, whilst critical of the care which P had received from Dr B, concluded that the care provided by Dr B was “not seriously below” the expected standard of care.
The GMC took no further action in relation to Dr B’s conduct.
This is known as a ‘mixed data’ case on the basis that the expert report in question contained personal data relating to both P and Dr B. The High Court (Soole J) held that, in deciding to disclose the report to P, the GMC had performed the relevant balancing exercise incorrectly. Soole J determined that the report should not have been disclosed to P and granted an injunction accordingly.
The GMC advanced four grounds of appeal, summarised as follows:
The GMC’s appeal was allowed by majority (Sales LJ and Arden LJ) with Irwin LJ dissenting.
The significance of this case lies predominantly in the decision of Sales LJ in relation to the so-called “presumption against disclosure” for mixed data cases and the consideration of a data subject’s motive, particularly in contemplation of litigation.
Soole J considered the position put forward in the case of Durant v Financial Services Authority (Disclosure)  EWCA Civ 1746,  F.S.R. 28. in which Auld LJ commented that “the provisions appear to create presumption” in favour of the objecting party in a mixed data case. Sales LJ determined that this was not binding on the basis that Auld LJ’s comment did not form part of the rationale for the decision. Sales J emphasised the importance of returning to the spirit of the disclosure regime (section 7(4)-(6) Data Protection Act 1998 (DPA)) which “seeks to strike a balance between competing interests of the requester and the objector, both of which are anchored in the right to respect for private life” (in accordance with ECHR Article 8 and Directive 95/46) and further highlighted the test for reasonableness in accordance with s7(4)(b) DPA. Given that there was no sound basis upon which to favour the rights of the objector, it was held that Soole J had been incorrect to apply a substantive presumption in Dr B’s favour and to have criticised the GMC’s approach.
Sales LJ made plain his decision that Soole J had erred on this point in a number of respects but importantly, the relevant part of the judgment (paras 75-80) has wider application in relation to the question as to the importance of the motivation behind a mixed use case SAR. Sales LJ held that “the rights of subject access to personal data under Article 12 of the Directive and section 7 of the DPA are not dependent on appropriate motivation on the part of the requester” (citing, amongst others, Dawson-Damer v Taylor Wessing LLP  EWCA Civ 74;  1 WLR 3255 , - (Arden LJ); and Itthadieh v 5-11 Cheyne Gardens  EWCA Civ 121;  3 WLR 811 , - (Lewison LJ).
Soole J and Irwin LJ disagreed, suggesting that the approach should be different for mixed data cases so as to protect against the risk of parties circumventing the Civil Procedure Rules, a risk which warranted consideration in respect of the test for reasonableness.
Importantly for data controllers, Sales LJ deemed it to be “noteworthy” that P’s data constituted “sensitive personal data” in accordance with the legislation and therefore merited “enhanced protection”. Sales LJ also stated that Dr B’s desire to be protected from litigation was “peripheral to the main focus” of the relevant balancing exercise. Sales LJ also held that “where a person has two rights to obtain something (here, access to information), the usual position is that he is entitled to rely on whichever right is the more effective from his point of view” and, for mixed data cases, “it will be relevant to have regard to the extent to which the interests on either side which are of a kind which are protected by the legislation are engaged and may be prejudiced by a decision one way or the other”.
Whilst this case provides data controllers with some clarity in respect of decision-making in mixed data cases under the DPA 1998, they will undoubtedly be anxious to see how this is translated under the new law. Individuals have a ‘right of access’ in accordance with, primarily, Article 15 of the General Data Protection Regulation (GDPR). In terms of the restriction for mixed data cases, the scheme as set out at Schedule 2 paragraph 16 of the DPA 2018 largely mirrors the now repealed provisions of section 7 of the DPA 1998. And so, in summary, whilst data controllers can be relatively confident about the application of this judgment, it is accepted that a degree of uncertainty will remain not least until the first of the GDPR and DPA 2018 cases start to trickle through the courts. Given their important role in balancing complex data protection considerations, the rights of individuals and also the public interest, healthcare regulators remain at particular risk of a challenge to their decision making as data controllers.
Should you have any GDPR or data protection queries, please contact Kingsley Napley’s data protection team.
Skip to content Home About Us Insights Services Contact Accessibility