Rupert Paines from 11KBW analyses the Court of Appeal’s judgment in DB v GMC
The recent Court of Appeal judgment in DB v GMC  EWCA Civ 1497 will now be the leading case on the treatment of mixed personal data.
The background to the case, and analysis of the High Court judgment, is set out here. In essence, Dr B was investigated by the GMC in relation to his care of a patient, P, who was diagnosed with bladder cancer. P considered that Dr B should have diagnosed the cancer a year or so earlier and made a complaint to the GMC to that effect.
The GMC commissioned an independent expert GP to produce an expert report into the quality of Dr B’s care. The report was critical in some respects, concluding that the care provided fell ‘below’ but not ‘seriously below’ the standard of care expected, and that most reasonably competent general practitioners would not have suspected bladder cancer. On the basis of that report (which had been shared with Dr B), the GMC case examiners decided that there should be no further action. P received a summary of the report.
P’s solicitors made a subject access request for (among other things) the full report, in response to which the GMC was minded to disclose the report. Dr B applied for an injunction preventing the GMC from so doing. Soole J granted the injunction; as Christopher Knight noted in the blog post linked to above, his judgment was broadly helpful to data controllers looking to limit disclosure.
The GMC appealed to the Court of Appeal on a number of grounds. The Court of Appeal allowed the appeal by majority (Sales LJ and Arden LJ – both of whom have now been appointed to the Supreme Court), with a lengthy dissent from Irwin LJ. The points of wider interest are:
Presumptions in ‘mixed data’ cases
The issue here turned on a comment from Auld LJ’s well-known judgment in Durant v Financial Services Authority  EWCA Civ 1746, where he said that the DPA 1998 provisions on mixed data ‘appear to create a presumption or starting point that the information relating to [the third party – here Dr B], including his identity, should not be disclosed without his consent’. Soole J applied that presumption, and Irwin LJ (dissenting) agreed.
Sales LJ however decided (somewhat bullishly) that the Durant statement was not ratio, so the Court of Appeal did not have to follow it, and proceeded briskly to the conclusion that it was wrong – there was no ‘presumptive starting point or hurdle’, the question (under the DPA 1998, s 7(4)) being simply whether it is reasonable to disclose third-party data without consent. That question was to be determined without giving ‘priority’ either to the requester or the third party. He accepted that if a data controller found the interests balanced equally, at that stage there would be a ‘tie-breaker’ presumption in favour of withholding the data, but that was not the presumption which the judge had applied. Arden LJ agreed.
Sales LJ’s conclusion is helpful in returning attention to the statutory language: the test for data controllers being simply whether disclosure of third-party data without consent is reasonable, entailing a balancing of interests judgement (in which the data controller’s judgement is given a considerable margin of discretion – on which more below). The effect is to give data controllers more freedom to decide as they wish, while removing one weapon from the arsenal generally deployed by third parties seeking to prevent disclosure.
The relevance of a litigation purpose
Dawson-Damer  1 WLR 3255 and Ittihadieh  3 WLR 811 have brought an end to the old (if never particularly venerable) practice of data controllers refusing SAR requests on the basis that the request was ‘fishing’ for the purposes of litigation. That is so at least as regards ‘straight’ personal data requests. Are matters different if the subject-matter of the request is mixed personal data?
Soole J and Irwin LJ thought so, Irwin LJ taking the view that this was a ‘significant matter to be weighed in the balance, as a necessary part of the consideration whether it is reasonable to override the refusal of consent by the data subject who is seeking to protect their personal data’, and that if that was not the case then such requests would be ‘an obvious way to circumvent the requirements of the CPR’.
Again, Sales LJ and Arden LJ disagreed. There was ‘no general principle that the interests of the requester, when balanced against the interests of the objector, should be treated as devalued by reason of such motivation’. Sales LJ made a number of interesting further comments:
Both Sales LJ and Arden LJ were concerned by the possibility that a data subject recipient of ‘mixed’ personal data following a SAR might ‘use the information obtained for an illegitimate purpose, eg, to post the information on the internet to try to traduce the objector’. They suggested that it would ‘be open to the data controller in such a case to invite the requester to consider giving a binding contractual undertaking to the data controller or the objector or both, to restrict the use to which the information might be put’, and then to take the offer (or failure to offer) such an undertaking into account in the balancing exercise. Arden LJ went beyond Sales LJ’s suggestion of a contractual undertaking to suggest the possibility of an undertaking to the court in respect of such data. Both were, however, also keen to emphasise that this would be an unusual course.
Although one can see the concern underlying this suggestion, its practical application is likely to create considerable difficulties – data subject requesters are unlikely to wish to be constrained in their subsequent use of what is, ultimately, their own personal data, while demands for such undertakings will now presumably be a regular feature of the complaints of third party objectors.
The margin of discretion
As already noted, the judgments of the majority took a generous approach to the discretion given to the data controller by the DPA 1998. To quote the key parts of Sales LJ’s judgment:
All of which will be music to the ears of the data controller caught between the Scylla of a requester and the Charybdis of an objector, but less so for the sea monster and whirlpool in question (or for those advising them).
Where to now?
Overall, a clear judgment delivering welcome certainty on the proper approach to ‘mixed data’ questions.
This was a judgment under the DPA 1998. The inevitable question (as always): what about the brave new world of the GDPR? The answer, as is frequently the case: basic continuity.
The subject access right is set out in GDPR, article 15. Schedule 2, para 16 of the DPA 2018 sets up a restriction to the subject access right in ‘mixed data’ cases, subject to consent or to the application of a reasonableness test, and so a scheme functionally very similar to the repealed provisions in s 7 of the DPA 1998. DB will be of direct relevance to that scheme.
Rupert Paines is a barrister at 11 KBW: https://www.11kbw.com/.
This article first appeared as a blog post on the Panopticon blog.