Subject access requests: disclosure of third party personal data without consent

By DAC Beachcroft

Published 31 October 2016

Overview

In this case, the High Court ruled that personal data about a third party should not be disclosed in the absence of his consent, and provided useful guidance to data controllers.

 

The facts

DB is a GP. A patient of his (P) complained to the General Medical Council (GMC) that DB's incompetence had resulted in a long delay in a diagnosis of cancer. The GMC commissioned an investigation of DB's fitness to practise, and instructed an independent expert to prepare an opinion. The expert's report criticised the care that DB had provided, stating that it fell below "but not seriously below" the expected standard. DB was sent a copy of the report and told that the case would be submitted for decision by case examiners. In due course, the GMC wrote to P and to DB informing them that the case examiners had decided to close the case with no further action, and it provided a one-page summary to each of them.

P requested to see the report. This request was considered by the GMC under the Freedom of Information Act (FOIA) and the Data Protection Act (DPA). The patient was told that the request under the FOIA was unsuccessful and that the request for personal information fell under the subject access provisions of the DPA. DB told the GMC that he did not consent to the disclosure of the report. His reasons were, in particular, that the report was the "personal data" of DB alone, and that the request was being used as a vehicle for disclosure with a view to litigation or further complaint by P, which was contrary to case law.

The GMC carried out a "balance of interests test" to determine whether the report should be released to P. As a result, a number of conclusions were reached, including that the expert report constituted personal data of both P and DB, that it was being sought to further a potential claim against DB, and that the interests of both parties had to be balanced. It was ultimately decided that it would be fair and lawful, and not in breach of data protection legislation, to disclose the report to P. DB was told of this decision. Following correspondence with DB's lawyers, the GMC agreed not to disclose the report until the issue was resolved by the Court.

The High Court ruled that the expert's report should not be disclosed to P. The High Court recognised that the competing privacy rights of P and DB in the personal data contained in the report were at the heart of the case, and that their personal data was inextricably linked in the report. It said that the Court's role was to perform "anxious scrutiny" of the balancing exercise that had been conducted by the GMC, as potential interference with fundamental human rights, including data protection and privacy, was involved.

 

The High Court held that:

  • In the absence of DB's consent, the starting point is a presumption against disclosure.
  • Insufficient weight had been given to DB's status as a data subject and the privacy rights which he had in the report, including the protection of his personal reputation. While the report did contain P's sensitive data, its main focus was on DB's professional competence. DB had a reasonable expectation of privacy in the report. Interference with privacy rights had to be proportionate to the achievement of a legitimate aim.
  • Specific weight had not been given to DB's express refusal to consent to disclosure.
  • The decision to disclose the report did not take adequate account of the purpose of the request, which was intended litigation against DB. A request made as part of litigation would be protected by the Civil Procedure Rules (CPR), which stipulate that documents disclosed can only be used for the purpose of those legal proceedings. This would give DB protection that would not be given were the report to be provided as part of a data subject access request.

 

What does this mean for employers?

Employers frequently face data subject access requests where disclosure would reveal personal data about another employee, and where the requester is effectively seeking early disclosure to gain a head start in litigation. While each request has to be considered on its own merits, employers will find the High Court's three-step guidance useful:

  • The exercise involves a balance between the respective privacy rights of data subjects.
  • In the absence of consent, the starting point is against disclosure. Express refusal of consent is an additional specific factor to take into account.
  • If the sole or dominant purpose is to obtain a document for litigation purposes, that is a weighty factor in favour of refusal on the basis that disclosure under the CPR is the appropriate procedure.

When deciding whether or not to disclose information which comprises a mix of the personal data of more than one employee, it will be important to weigh in the balance the data privacy rights of all those employees. Where appropriate, employers should ask employees for their consent to disclosure of their personal data, whether to another employee or to any third party, as specific refusal should be taken into account in the balancing exercise.

We understand that permission to appeal to the Court of Appeal has been sought by the GMC, so this may not be the end of the matter.

DB v the General Medical Council [2016] EWHC 2331