18: Seeking the silver bullet – when is it appropriate to access personal data?
We all know that litigation is expensive. Court issue fees are being increased on a regular basis. Some would say that they are now prohibitively high. Moreover, the risks of bringing a claim and then losing can be high. The starting point in most forms of litigation is that the loser pays the winner’s legal costs. In the circumstances, it is not uncommon for potential claimants to try and use imaginative means of obtaining evidence which will assist their case. In recent years, one avenue that has been alighted upon is the use of a subject access request under the Data Protection Act 1998 (DPA).
Under Section 7(1) of the DPA, a “data subject” is given the right of access to his personal data held by a “data controller”. This right can be an important tool but it is not absolute right and is qualified by the balancing exercise where compliance with the request will involve disclosure of information relating to another data subject. It is commonplace for personal data to become mixed and this can cause complications. A recent example of an attempt to obtain information under the DPA is the decision of Dr DB v The General Medical Council. In this case, the person making the request, P, was keen to obtain a copy of an expert report obtained by the GMC for the purpose of investigating P’s complaint concerning the professional competence of Dr DB.
P’s contention against Dr DB was that, had he examined him and dealt with him competently, there would have been an earlier diagnosis of bladder cancer. The GMC commenced an investigation of DB’s fitness to practice and for this purpose instructed an expert to review the matter and prepare an opinion (the Report). It is easy to see how P thought this Report could assist his case when the GMC decided to take no action against DB. DB did not want to disclose the Report to P.
So, the competing privacy rights of P and DB in the personal data contained in the Report, were at the heart of this case. It was common ground that their personal data was inextricably mixed within the Report.
As there was a dispute over the production of the report, an application was made to the court for an appropriate declaration as to what should happen.
The judge who heard the case explained that the starting point was an EU Directive to which the DPA gave effect. Its primary objective was to protect individual’s fundamental rights, notably the right to privacy and accuracy of their personal data held by others.
In situations where data has become mixed and a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless:
a. The other individual has consented to the disclosure of the information to the person making the request, or
b. It is reasonable in all the circumstances to comply with the request without the consent of the other individual.
A person making an application under Section 7 has no need to state the purpose of his request. However, the judge explained that there was controversy as to whether and if so to what extent the purpose or purposes (as known or reasonably inferred by the data controller) may be taken into account in the balancing exercise that needs to be undertaken before a decision is made as to whether to require disclosure.
The judge decided that in conducting the balancing exercise in mixed data cases of this type:
- It is essential to keep in mind that the exercise involves the balance between the respective privacy rights of data subjects;
- In the absence of consent, the rebuttable presumption or starting point is against disclosure. Furthermore, the express refusal of consent is a specific factor to be taken into account;
- If it appears that the sole or dominant purpose is to obtain a document for the purpose of a claim against the other data subject, that is a weighty factor in favour of refusal, on the basis that the more appropriate forum is the court procedure under CPR 31 (a process to obtain disclosure within the framework of court proceedings). The judge was therefore not prepared to direct disclosure of the report.
There will be cases where making a data subject request for information will be a legitimate and helpful step to take prior to commencing proceedings. However this case shows that, if the other date subject seeks to frustrate production and litigation is contemplated, the data controller may decide not to comply with the request.
11 October 2016