Court of Appeal on Data Protection and Disclosure

December 13, 2012

In Durham County Council v Dunn [2012] EWCA Civ 1654, the Court of Appeal addressed what it described as important issues about the ambit of disclosure. Maurice Kay LJ, giving the lead judgment, remarked that ‘legal practitioners and District Judges do not all approach the issues in a consistent way. In particular, confusion can arise as to whether the duty of disclosure is primarily one that arises under the Data Protection Act 1998 … or one arising pursuant to the Civil Procedure Rules’. 

The case concerned the disclosure of local authority records relevant to allegations of historic physical or sexual abuse. Some documents had been disclosed in redacted form. 

While the case was decided according to the long-established principles on which the Civil Procedure Rules, part 31 are based, it serves as an important reminder that the disclosure rules and data protection requirements must not be confused. Maurice Kay LJ regretted that the ‘dispute about disclosure has been prolonged and distorted by references to the DPA‘. While acknowledging the possible usefulness to a claimant or potential claimant that a request under the Data Protection Act 1998, s 7 might have, it had its limitations:

‘For one thing, the duty of the data controller under section 7 is not expressed in terms of disclosure of documents but refers to communication of “information” in “an intelligible form”. Although this may be achieved by disclosure of copies of original documents, possibly redacted pursuant to section 7(5), its seems to me that it may also be achievable without going that far. Secondly, if the data subject is dissatisfied by the response of the data controller, his remedy is by way of proceedings pursuant to section 7 which would be time-consuming and expensive in any event. They would also engage the CPR at that stage: Johnson v Medical Defence Union [2005] 1 WLR 750; [2004] EWCH 2509 (Ch).’

He went on to say (at [21]):

‘In my judgment, it is misleading to refer to a duty to protect data as if it were a category of exemption from disclosure or inspection. The true position is that CPR31, read as a whole, enables and requires the court to excuse disclosure or inspection on public interest grounds. In a case such as the present one, it may be misleading to describe the issue as one of public interest immunity (a point to which I shall return). The requisite balancing exercise is between, on the one hand, a party’s right to a fair trial at common law and pursuant to Article 6 of the European Convention on Human Rights and Fundamental Freedoms (ECHR) and, on the other hand, the rights of his opponent or a non-party to privacy or confidentiality which may most conveniently be protected through the lens of Article 8. It is a distraction to start with the DPA, as the Act itself acknowledges. Section 35 exempts a data controller from the non-disclosure provisions where disclosure is required in the context of litigation. In effect, it leaves it to the court to determine the issue by the application of the appropriate balancing exercise under the umbrella of the CPR, whereupon the court’s decision impacts upon the operation of disclosure under the DPA.’

 The case also concerns important guidance from Munby LJ on public interest immunity and disclosure.