Data Protection Updates

Two recent judgments of the civil courts which touch upon data protection concerns warrant brief note. The first concerns the confidential nature of redactions in subject access request disclosures, and the second concerns disclosure obligations in civil litigation attaching to the personal devices of former employees.

The first case is London Borough of Lambeth v AM [2021] EWHC 186 (QB). Lambeth had received a report setting out concerns about the welfare of a child. The referral had been made by the aunt of the child, whose father was AM. AM subsequently made a subject access request, which prompted the disclosure of the child’s social services file, with extensive redactions made to protect the identity of the maker of the referral. The authority did not realise that it was not technically difficult to remove those redactions, which AM did, causing him then to write a pre-action letter to his sister. The claim was brought by Lambeth in breach of confidence, seeking a permanent injunction.

The judgment of Pepperall J briefly addresses AM’s argument that the material redacted was not confidential to Lambeth because it was his personal data. That was rejected as “plainly untenable”. The confidential information in the referral about all those mentioned was confidential to the maker and to Lambeth; if it had been confidential to AM that would fundamentally undermine the important principle of confidentiality in child safeguarding allegations. The public interest in maintaining that confidence is to encourage those with information to come forward and is not restricted to the individual case. There was no doubt that the information was communicated in circumstances importing an obligation of confidence, evidenced by Lambeth’s clear intent not to disclose her identity. AM’s steps to uncover the redacted information was unauthorised and detrimental use, as was his retention and subsequent use to write a pre-action letter. All relatively straight-forward, but an important reminder of the importance of effective redaction and the confidentiality obligations which lie behind it. Much of the judgment was engaged in a factual analysis to reject AM’s argument that confidence was displaced because the referral was malicious; the judge held that it was not.

Julian Milford QC acted for Lambeth.

The second case of brief interest is Phones4U Ltd v EE Ltd & others [2021] EWCA Civ 116. This concerned an order for disclosure in civil litigation under CPR Part 31 attaching to the personal devices of senior current and former employees, where those devices may have been used to send and receive work-related messages or emails. A conspiracy to injure by unlawful means had been alleged, and it was said that much of that conspiratorial behaviour was likely to have occurred on personal devices to evade detection. The judge at first instance had ordered the defendant mobile network operators to request the individuals to provide their devices to an IT consultant engaged by the defendant which had employed them to be searched for work-related communication. The consultant had undertaken not to disclose other material to the defendants or their solicitors, to delete copies and to return the devices. These measures were taken to reduce the acknowledged interference with the individuals’ privacy interests.

The Court of Appeal upheld the order, considering that it had struck a proper balance between the privacy interests of the individuals and the interests of justice. It emphasised that the solution had to be reasonable and proportionate itself, recognising that covert agreements cannot render the court powerless to ensure hidden material is disclosed and justice done. The use of a third party was a proper step to protect privacy interests, and the use of IT consultants was acceptable given that no-one had suggested using solicitors instead. The Court repeatedly noted that it was the choice of the individuals to use their personal devices for work-related reasons. If the individuals refused to comply with the request, as they were entitled to do, some other more approach would have to be adopted; the voluntary approach struck an appropriate privacy balance.

The Court also briefly noted a GDPR objection. It emphasised that the processing by the IT consultant (if they were a controller, on which the Court expressed no decided view) would have the lawful basis of consent because compliance was voluntary, and would in any event be necessary to comply with a legal obligation on the controller. There was no discussion of the basis for processing special category personal data.

Christopher Knight