Data Protection: Disclosure of mixed personal data

Data Protection: Disclosure of mixed personal data's Tags

Tags related to this article

Data Protection: Disclosure of mixed personal data

Published 6 August 2018

The facts

Dr B was investigated by the General Medical Council (GMC) in relation to his care of a patient, known in the court proceedings as “P”, who was diagnosed with bladder cancer. P considered that Dr B should have diagnosed the cancer earlier, and complained about this to the GMC. The GMC commissioned an independent expert but, on the basis of the report, the GMC examiners decided that there should be no further action. Dr B received a full copy of the expert's report when it was provided to the GMC examiners; however, P only received a one page summary of the report which accompanied the GMC's decision that there should be no further action.

P’s solicitors made a subject access request for (among other things) the full report. The report contained "mixed personal data" i.e. the personal data of both Dr B and P. Where a data controller cannot comply with a subject access request without disclosing information about a third party, that third party’s interests were protected (before GDPR came into force) by the Data Protection Act 1998 ("DPA 1998"), and will now be protected by the Data Protection Act 2018. The data controller is not obliged to comply with the request unless that individual has consented to disclosure of the information, or if it is reasonable in all the circumstances to comply with the request. If the third party does not consent, therefore, the controller has to undertake an exercise balancing the rights and interests of both parties. The DPA 1998 sets out four non-exhaustive factors to be considered in the balancing exercise. These factors include any duty of confidentiality owed to the other individual and any express refusal of consent by the other individual.

The GMC wrote to Dr B and asked for his consent to the disclosure. Dr B did not consent to the report’s disclosure, initially, on the basis that it was his personal data alone, but principally on the basis that the request was being made with a view to litigation against him. The GMC undertook a balance of interests test and concluded that the report contained P’s personal data and should be disclosed to him in order to further the GMC's legitimate aim of ensuring openness and transparency when making decisions that affect an individual.

Dr B applied to the High Court for an injunction preventing the GMC from disclosing the report, and the injunction was granted.

The GMC appealed to the Court of Appeal, which upheld the appeal, in a majority decision. Two particular questions posed in the appeal were:

1.The High Court had made the decision on the basis of a rebuttable presumption against disclosure in cases of mixed personal data. Was it right to have done so?

The Court of Appeal held that it was not right to have done so. The High Court had relied on comments in a previous case (Durant v Financial Services Authority [2004]) that the Court of Appeal did not consider to be binding. The starting point in cases of mixed personal data where the third party does not consent to the disclosure is not therefore a presumption of non-disclosure. The question data controllers should ask is (as set out in the legislation) whether “it was reasonable in all the circumstances to comply with the [subject access] request without the consent of the other individual”? The rights and interests of both parties are equally important. In the unlikely event that a data controller, having undertaken the balance of interests, decides that the considerations for and against disclosure are equal, a presumption against disclosure should be used as a “tie breaker”. In this case, the GMC had given positive reasons why it considered it reasonable to comply with P’s disclosure request. There was therefore no need for a “tie breaker"

2.The High Court had treated the fact that the request was made to obtain information for litigation as an important factor in its decision to refuse disclosure. To what extent was the motive for the request relevant?

As decided last year (please see our alert) , data controllers cannot refuse subject access requests on the basis that the request is “fishing” for information to be used in litigation. The Court of Appeal in this case held that the same applies in cases of mixed data: there is no general principle that the requester’s interests, when balanced against those of the third party (Dr B in this case), should be devalued by the requester’s motivation in seeking to obtain information which might assist the requester in litigation against the objector.

What does this mean for employers?

This case is now the leading case on mixed personal data, and will be relevant to employers faced with subject access requests where the disclosure of mixed personal data is in issue, most often the mixed data of current employees. It is useful to have the clarification given by the Court of Appeal that a) there is no presumption of non-disclosure in cases of mixed data and b) that the motivation of the person requesting mixed personal data will not devalue the request.

The Court of Appeal considered the risk, in cases of mixed data, that the data subject recipient might “use the information obtained for an illegitimate purpose e.g. to post the information on the internet to try to traduce the objector…”. In the majority decision it was suggested that the data controller could invite the requester to give a binding contractual obligation to restrict the use to which the information might be put, and then for the data controller to take this agreement, or lack of it, into account in its balancing exercise. Employers may wish to consider this approach but it is only likely to be appropriate in limited circumstances in the context of DSARs from current or former employees.

B v The General Medical Council

Authors

Ceri Fuller

Ceri Fuller

London - Walbrook

+44 (0)20 7894 6583

Key Contacts

Emma Fuller

Emma Fuller

Newport

+44 (0)844 980 3541

< Back to articles