We all know that litigation is expensive. Court issue fees are being increased on a regular basis. Some would say that they are now prohibitively high. Moreover, the risks of bringing a claim and then losing can be high. The starting point in most forms of litigation is that the loser pays the winner’s legal costs. In the circumstances, it is not uncommon for potential claimants to try and use imaginative means of obtaining evidence which will assist their case. In recent years, one avenue that has been alighted upon is the use of a subject access request under the Data Protection Act 1998 (DPA).
Under Section 7(1) of the DPA, a “data subject” is given the right of access to his personal data held by a “data controller”. This right can be an important tool but it is not absolute right and is qualified by the balancing exercise where compliance with the request will involve disclosure of information relating to another data subject. It is commonplace for personal data to become mixed and this can cause complications. A recent example of an attempt to obtain information under the DPA is the decision of Dr DB v The General Medical Council. In this case, the person making the request, P, was keen to obtain a copy of an expert report obtained by the GMC for the purpose of investigating P’s complaint concerning the professional competence of Dr DB.
P’s contention against Dr DB was that, had he examined him and dealt with him competently, there would have been an earlier diagnosis of bladder cancer. The GMC commenced an investigation of DB’s fitness to practice and for this purpose instructed an expert to review the matter and prepare an opinion (the Report). It is easy to see how P thought this Report could assist his case when the GMC decided to take no action against DB. DB did not want to disclose the Report to P.
So, the competing privacy rights of P and DB in the personal data contained in the Report, were at the heart of this case. It was common ground that their personal data was inextricably mixed within the Report.
As there was a dispute over the production of the report, an application was made to the court for an appropriate declaration as to what should happen.
The judge who heard the case explained that the starting point was an EU Directive to which the DPA gave effect. Its primary objective was to protect individual’s fundamental rights, notably the right to privacy and accuracy of their personal data held by others.
In situations where data has become mixed and a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless:
A person making an application under Section 7 has no need to state the purpose of his request. However, the judge explained that there was controversy as to whether and if so to what extent the purpose or purposes (as known or reasonably inferred by the data controller) may be taken into account in the balancing exercise that needs to be undertaken before a decision is made as to whether to require disclosure.
The judge decided that in conducting the balancing exercise in mixed data cases of this type:
There will be cases where making a data subject request for information will be a legitimate and helpful step to take prior to commencing proceedings. However this case shows that, if the other date subject seeks to frustrate production and litigation is contemplated, the data controller may decide not to comply with the request.