Witness the Fitness (to Practise): Mixed Personal Data and Section 7 DPA

The medical profession is only too used to the occasional outbreak of SARS. It is perhaps a little less used to an influx of SARs, as made under section 7 of the Data Protection Act 1998. In the case of the General Medical Council, requests for personal data will involve very sensitive data and just as sensitive issues of balance and extraction of the data of different parties. So it was in Dr DB v General Medical Council [2016] EWHC 2331 (QB).

P was a patient of Dr DB, who believed said doctor had failed to diagnose him competently. He had complained to the GMC, which had commenced a Fitness to Practise investigation into the matter, which progressed as far as the production of an independent expert report into DB’s care of P. That report concluded that the care was below the applicable standard in some respects but not seriously below, and it did not accept the particular diagnosis complaint P had raised. The GMC concluded that FTP proceedings would not be pursued and provided to both DB and P a one page summary of the report.

Perhaps unsurprisingly, P made a subject access request for that report. Before releasing it to him, the GMC wrote to Dr DB asking for his views, on the basis that it was mixed personal data of both of them. DB strenuously objected to disclosure. Following a lengthy too-ing and fro-ing of correspondence, the GMC concluded that the report should be disclosed to P. The case was, accordingly, a rather unusual one in which Dr DB was seeking to prevent the GMC disclosing the report under section to the (or one of the) data subject(s), arguing that it had incorrectly balanced the interests of the two data subjects under section 7(4)-(6). Everyone accepted that the privacy interests of both P and DB were engaged, which includes the professional reputation of DB. As a result, the judgment is well worth reading as an interesting example of data protection concerns from the other end of the telescope.

Soole J accepted, at [34] and at [86], that the balance was for the data controller and not the Court, subject to anxious scrutiny review. Readers may, when considering the analysis which follows (despite the express recognition at [67] that the GMC had gone about the exercise conscientiously), wonder at how easy it is to distinguish between standing in someone’s shoes and carefully scrutinising those shoes by means of putting them on one’s feet. Still, that is hardly a problem unknown across all areas of law. At [67]-[89], Soole J concluded that the GMC had got the balance wrong and that the report ought not to be disclosed to P.

The reasons will be of interest to all data controllers considering mixed personal data. He accepted that an absence of consent means a presumption of non-disclosure: at [68] (applying Durant on this point, which was up to this case the most detailed consideration of how one approached a mixed data case). Indeed, the express refusal of consent was held to be a further additional factor: at [76]. Adequate weight must be given to the privacy interests of the other affected data subject: at [69]. A further relevant factor was that the purpose of the request could reasonably have been inferred (from the timing of it) to have been to use the report in litigation against DB, meaning that it was not being used to protect privacy concerns (Soole J here appearing to accept that the section 7 right is constrained by purpose; a point which is less than uniformly accepted in the authorities: at [58]) and it would deprive DB of limitations on use of disclosed material found in CPR r.31.22: at [77]. The GMC had accepted this was a relevant factor to the balance, but the Judge thought it was a weighty one. The principles of transparency and equality were outweighed, and no GMC policy made clear that P should be entitled to the full report even where no further FTP action was to be taken: at [82].

Are there wider lessons to be drawn for mixed data cases? Certainly there are some and they are broadly helpful to data controllers looking to limit disclosure. Give the joint data subject the opportunity to expressly refuse consent and object to disclosure on privacy grounds, and those points should weigh heavily in the balance. Even if the Durant dicta around purpose are under challenge as justification for a full-blown denial of the section 7 right, they remain of use in a balancing exercise, and purpose can be inferred from the circumstances. Soole J certainly gave guidance that a sole or dominant purpose of use in litigation was a “weighty factor” in favour of refusing to disclose (at [88]). But Dr DB is also a good example of how diligent data controllers can get bogged down in litigation when trying to do the right thing in response to a SAR: if they refuse to disclose they may get sued by the requestor and if they offer to disclose they may get sued by the third party data subject wishing to restrain disclosure. It all makes work for the working lawyer, which is nice, but hardly makes life easier for the data controller (or indeed all data subjects). Such are the nature of balancing exercises.

Anya Proops QC appeared for Dr DB and Robin Hopkins appeared for the GMC.

Christopher Knight