This is an overview of DB v The General Medical Council (‘GMC’) [2018] EWCA Civ 1497 in the Court of Appeal. It is now the leading judgment in the approach to be taken on disclosure in so-called mixed personal data cases – that is subject access requests where the information requested by the data subject also contains the personal data of another individual. This Court of Appeal judgment will apply to any subsequent consideration under the GDPR and the Data Protection Act 2018 (‘DPA 2018’).

I shall expand on the case in more detail, but to summarise, the important points for data controllers to take away from this judgment are:

• Where one party objects to disclosure of the information this does not create a presumption, or starting point, against disclosure in the balancing exercise;
• Even if the requesting party is seeking legal action, this motive does not diminish his or her right to receive the information, but can be a relevant factor, depending on the circumstances, and the impact, on the other individual’s rights;
• Data controllers are given a wide discretion in the factors to be considered in the balancing exercise, and the weight placed on those factors.

The facts of the case under appeal were as follows. DB is a general medical practitioner who had treated a patient ‘P’. P was a man in his 60s who had difficulties urinating over a period of years. In 2013, he was diagnosed with bladder cancer and complained to the GMC about his treatment by DB.

The GMC instructed an expert to review the matter, which culminated in a report. The report was critical of the care provided by DB in some respects, but ultimately concluded that most reasonably competent general practitioners would not have suspected bladder cancer based on the findings recited in the report.

The GMC decided to take no further action against DB. P was sent a summary of the report, but his solicitors requested more information; this was treated as a subject access request under section 7 of the Data Protection Act 1998 (‘DPA 1998’). DB objected to disclosure on the basis that the report contained his own personal data, and that the clear intention of P in seeking the information was for the purposes of litigation.

The GMC decided to disclose the report and gave DB the following reasons:

• The balancing exercise required under section 7(4) to 7(6) DPA 1998 had been performed and the outcome had favoured P;
• The GMC has a legitimate interest in ensuring openness and transparency when making decisions that affect an individual;
• The report contains data relating to both parties. By not disclosing to one party the GMC could be said to be biased and acting against the interests of one party in contravention of its obligations under the DPA 1998 and the Human Rights Act 1998.

In an internal memorandum the GMC noted:

• That even if P was intent on litigation against DB, that the report was supportive of DB and would not assist P in this respect; and,
• P could seek a ‘Rule 12’ review under the General Medical Council (Fitness to Practise) Rules 2004 (SI 2004/2608) and would be hampered without the report.

DB brought a Part 8 claim to prevent disclosure of the report. At first instance Soole J decided that the report should not be disclosed. The Judge took into account Auld LJ’s judgment in the case of Durant v Financial Services Authority [2003] EWCA Civ 1746: that in the absence of consent there was a rebuttable presumption, or starting point, against disclosure. Soole J considered the purpose of the request and agreed that it was for litigation purposes rather than to check whether the processing of the information was lawful.

The Judge concluded that the GMC should have begun with a perception against disclosure, and had given no adequate weight to DB’s privacy rights. The Judge also highlighted the provisions of CPR part 31 that enable a litigant to seek disclosure of documents. DB’s claim was allowed and the GMC appealed to the Court of Appeal.

There were four grounds of appeal:

1. It was an error to proceed on the basis that in the case of mixed personal data there is a rebuttable presumption against disclosure;
2. Where the sole or dominant purpose of a SAR is to obtain information for the purpose of litigation, that it is a weighty factor in favour of refusal;
3. The court’s reasoning was flawed in finding that the GMC gave inadequate consideration to DB’s privacy rights, and took inadequate account of DB’s refusal of consent; and,
4. The court had affectively substituted its own assessment of the case for disclosure, rather than review the decision of the data controller.

In the Court of Appeal, Lord Justice Sales and Lady Justice Arden allowed the appeal. Lord Justice Irwin dissented.

Lord Justice Sales, with whom Lady Justice Arden agreed, highlighted Article 12 of Directive 95/46/EC that gives a data subject the right to check the accuracy of data about him or her. P therefore had a legal interest to see the detail of the information about him set out in the report, in order to check that the conclusions were based on accurate information. P had a right to seek a review of the decision because materially flawed information, or new information, might have led to a different decision.

The interpretation of the observations of Auld LJ in Durant – that the provisions of sections 7(4) to (6), and 8(7), DPA 1998 “appear to create a presumption or starting point that the information relating to that other [person]…should not be disclosed without his consent” – was that it did not form part of the ratio decidendi of the judgment. And so it follows that there is no presumption or starting point in favour of the objector in a mixed data case.

The objection “is not a significant or substantive presumption to be applied at the outset”, but in a rare case where the factors are in “perfect equilibrium” then the presumption would be applied at the end of the balancing exercise “in order to arrive at a decision one way or another”.[1]

There is also no general principle that the motive of the requester is relevant. Sales LJ cited not only Article 12 of the Directive, section 7 of the DPA 1998, the Information Commissioner’s Subject Access Code of Practice, but also the case law: Durham County Council v Dunn [2012] EWCA Civ 1654 [16]; Gurieva v Community Safety Development (UK) Ltd [2016] EWHC 643 (QB); Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74 [105]-[113]; Itthadieh v 5-11 Cheyne Gardens [2017] EWCA Civ 121 [104]-[110].

A litigation motive would not diminish the Section 7 DPA 1998 interest in having information communicated to a person, even if the information could be obtained under another route (i.e. CPR Part 31). However, when carrying out the Section 7(4) balancing exercise in a mixed data case “it will be relevant to have regard to the extent to which the interests on either side which are of a kind which are protected by the legislation are engaged and may be prejudiced by a decision one way or the other” [79]. So whilst a litigation motive is not irrelevant, it is not a disqualifying factor.

Aside from the mandatory relevant considerations in section 7(6), data controllers have a wide discretion as to the particular factors that are relevant in the balancing exercise and the weight given to them. They are also under no obligation to consider factors the person objecting could put forward (but hasn’t), other than those that are obvious in the balancing exercise.[2] He concluded that the GMC did give proper and rational consideration to DB’s privacy interests and that the judge had erred in substituting his own assessment of the weight to be given to DB’s privacy rights in the balancing exercise.

DB’s legitimate interest in maintaining his privacy was considered weaker given that it was not in doubt that he was the physician who treated P, and his personal data was not ‘sensitive personal data’ like P’s personal data. There was also no suggestion that P was proposing to release the report in the public domain.

This is now the leading judgment in the approach to mixed personal data cases and will apply to any subsequent consideration under the GDPR and the DPA 2018. Article 15 of the GDPR and Recital 63 set out the relevant provisions in relation to subject access requests. In the DPA 2018, Schedule 2, Part 3 covers the restrictions permitted by GDPR Article 23(1). Paragraph 16 in that Part – “Protection of the rights of others: general” – covers mixed data, and in essence replicates section 7 DPA 1998. Note however that the DPA 2018, unlike the DPA 1998, contains a ‘health data test’ in paragraph 17 that has to be considered in the balancing exercise, which would apply in future cases of this kind.

If you are interested in any further information or advice, please contact my clerks on 020 3179 2023 or privacylawbarrister@proton.me

[1] See paragraph 82 of the judgment.

[2] See paragraphs 71 and 72 of the judgment.