Last year, the High Court found against a surgeon, Mr Johnson, in his action against the MDU (see David Paul Johnson v The Medical Defence Union Limited [2006] EWHC 321). Mr Johnson had claimed that the MDU had unfairly processed his personal data in breach of the Data Protection Act 1998 when terminating his membership, thereby causing damage to his professional reputation. The claim was founded on s 13 of the DPA (which, broadly, corresponds to Article 23 of the Directive 95/46/EC which the DPA sought to implement). In March of this year, the Court of Appeal dismissed Mr Johnson’s appeal.
The principal issue in this case was to what extent decisions made on information before it is recorded in a computer is nonetheless ‘processing’ of data within the meaning of the DPA, and therefore justiciable under European data protection rules. Like the well-known case of Durant v FSA [2003] EWCA Civ 1746, it highlights how courts can struggle to give meaning to terms which are fundamental to the understanding of both the DPA and the Directive.
The Facts
The claimant, David Paul Johnson, was a consultant orthopaedic surgeon and a former member of the defendant organisation, the MDU. Membership of the MDU provides benefits to surgeons such as Mr Johnson; in particular, professional indemnity cover. During his membership, Mr Johnson had never been the subject of a professional negligence claim although he had sought advice and assistance from the MDU in relation to professional problems, including complaints made against him, which had resulted in the MDU opening 17 files on him over 10 years. The MDU resolved to terminate Mr Johnson’s membership following a risk-assessment of his case history. The MDU reviewed case summaries of each of the 17 incidents reported to them, whether by Mr Johnson or a third party, during his membership as well as some of the files themselves. The case summaries and some files were computerised although other files were manual. Further case summaries and recommendations were created on the MDU’s standard forms, among which was a score sheet to rate Mr Johnson’s risk to the MDU’s funds(in accordance with a numerical system) before a decision was made. It is important to note that this risk assessment methodology did not involve any assessment as to whether any claim or complaint in a case had any merit; the MDU set up a system which was based on the principle that the fact a claim was made was predictive of whether a particular member might cause a drain on MDU funds. It was noted by the MDU that highly competent but brash doctors with no bedside manner are more likely to find themselves receiving a claim (albeit one which might fail) than the most incompetent but extremely charming doctors.
As a result of the review of the case summaries, Mr Johnson’s professional indemnity cover provided by the MDU automatically terminated with his membership in March 2002, when his then current subscription expired. Mr Johnson alleged that the defendant had unfairly processed his personal data in breach of the first data protection principle under the DPA (data must be processed ‘fairly and lawfully’, the equivalent of Article 6.1(a) of the Directive) and sought compensation under s 13 of the DPA, claiming, amongst other things, that the termination of his membership had caused damage to his professional reputation. Mr Johnson accepted that the MDU had, as a matter of contract law, an absolute discretion to terminate his membership, but his case was that, but for the unfair processing, the decision to terminate that contract would not have been made.
The Issues
The MDU, as its first line of defence, argued that the claim must fail as there was in fact no ‘processing’ of personal data within the meaning of the DPA or the Directive which it sought to implement. At the original trial, Mr Johnson won on this point, but nonetheless failed to show that he suffered any damage consequent on any unfair processing; the court finding that even if there had been processing, it was mostly fair and the small element which had been unfair would have made no difference to whether or not his membership would have been terminated.
Mr Johnson appealed, and the MDU cross-appealed saying that the court had been wrong to find that there had been processing of personal data. It is this point which is of general interest.
The main issue: Was there processing and, if so, where?
It was clear that there was processing of Mr Johnson’s personal data at various stages of the MDU’s dealings with him (eg, when information about him was in fact recorded on the computer files, and subsequent use of that information). However, Mr Johnson had not merely to identify an act of processing his data, but to identify such an act that was done unfairly. He alleged that that act was ‘selecting the information contained in the personal data and thereby presenting a false picture of the situation’.
‘Processing’, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including, inter alia, disclosing the information.
The MDU’s argument was founded on the fact that the purported ‘processing’ was their manual selection of data from Mr Johnson’s files and its input into a computerised record system (including the score sheet) as part of the review process. It was accepted that the original 17 incident files were not part of a ‘relevant filing system’ (as defined in s 1(1) of the DPA) to which the DPA would apply (or the equivalent ‘personal data filing system’ in the Directive). As such, the processing which took place on the manual files relating to Mr Johnson was done on information which was not ‘data’ within the meaning of the DPA since a prerequisite was storage either on computers or on a relevant filing system.
The judge had been persuaded that it was enough that the information manually selected by the MDU was then held on a computer. He felt that the definition of ‘processing’ shows that the ‘obtaining’ of information intended to be contained in, and which is in fact entered into, a computer, will be ‘processing’. The MDU’s selection of data and completion of the forms therefore amounted to ‘processing’.
The majority in the Court of Appeal disagreed, and, broadly, accepted the MDU’s arguments. The allegation of unfairness was in relation to ‘selection’ of information for inputting into the computerised system and it was not right to take that as simply the first stage in one overall continuous act of processing (the later stages of which did involve computers). The Court felt that this in essence was an attempt by Mr Johnson to use data protection law to fix a problem resulting from the discretion enjoyed by the MDU under its rules to terminate membership; rather than a real issue about the protection of privacy – the proper subject matter of the Directive.
Was the processing fair?
Given that Mr Johnson lost on the first point, this issue did not really arise but views were nonetheless expressed. There are two ways in which unfairness could arise; either in the actual selection of information as part of (and in compliance with) the MDU’s policy or, alternatively, and more generally, that the MDU policy was in itself actually ‘unfair’.
Mr Johnson lost at trial in relation to all but 2 of the 17 files which were reviewed. Those decisions were not challenged, and all that arose on the appeal was a determination as to whether the policy was unfair. The Court of Appeal did not see any reason to criticise the judge’s conclusion that there was nothing ‘unfair’, within the meaning of the Directive, in the MDU’s policy. Mr Johnson had framed his complaint on the basis of not receiving the information necessary according to para 2(3)(d) of Part II of Sch. 1 to the DPA (Article 11 of the Directive) to render any processing fair. However, as the Court pointed out, what Mr Johnson really wanted was not this information as such, but rather to know what the MDU investigator was proposing to put into forms which were completed as part of the risk assessment, so that he could add to that information and make submissions to the body within the MDU which then assessed those forms and made the determination.
Buxton LJ found that the judge in the High Court ‘was entitled to take the commonsense view that the MDU were responsible for running the business, in the interests of members as a whole, were in no respect suggested to be acting in bad faith, and had adopted a rationally thought-out policy that, at the lowest, was not clearly unjustified … I would accordingly hold that there is no basis for dislodging the judge’s finding that in any relevant respect the MDU’s processing was not unfair.’
One of the three appellate judges, Arden LJ, took a different view on whether there was processing, but she agreed that the processing (which she found to exist) was ‘fair’. She placed special emphasis on the existence of the contract between Mr Johnson and the MDU. Indeed, she said that, where a data subject and a data controller have freely entered into a contract, with the controller doing no more by means of computers than he would be completely free to do manually under the terms of the contract, and the data subject can reasonably have foreseen that the data controller might wish to process the information for a purpose, that consideration is likely to be critical. She said (at [143]): ‘[i]n this situation, the question of fairness has to be approached on the basis that the parties have made their agreement. If this were not so, the “privacy” interest protected by the directive would be privileged over the contractual rights of the other contracting party.’ And concluded (at [149]): ‘… as a general proposition a party to a contract cannot in my judgment use the fairness principle as a means of upsetting any contractually permitted use of information where, as here, processing was foreseeable. I see no basis for displacing this general proposition in this case.’
Damages
Given the majority view that there was no processing and the unanimous view that, even if there was, it was not unfair, issues as to what damages might have been recoverable fell away. As the issues had been argued however, Buxton LJ did give some brief views as to how he would have determined those issues.
Even if he was wrong on the two issues of processing and fairness, Buxton LJ found that Mr Johnson still failed as he had not shown that, if all processing had been fair, he would still not have had his membership terminated. In any case, even if Mr Johnson had succeeded on fairness, processing and causation (as Buxton LJ put it (at [64]) piling ‘hypothesis on hypothesis’), he suffered no recoverable damages.
Mr Johnson claimed that he had suffered pecuniary loss and distress from losing his professional indemnity cover from the MDU upon the termination of his membership. He also claimed compensation for damage to his reputation. Section 13(1) of the DPA entitles an individual who has suffered ‘damage’ by reason of a contravention of the DPA to ‘compensation’ for that damage. Section 13(2)(a) provides that an individual who suffers ‘damage by reason of the contravention’ is also entitled to compensation for any ‘distress’ that such contravention may have caused him. Thus damage for distress can be recovered only if there was pecuniary damage. The judge at first instance did find pecuniary damage of £10 but the Court of Appeal overturned that on the evidence and so the issue of damage for distress did not arise. Buxton LJ lastly found it was not possible to recover damages to reputation under s 13 of the DPA; this latter head of damages was solely one for the law of defamation.
Commentary
The original trial judge’s finding that the selection of information from something which is not personal data and putting it into an electronic form was ‘processing’, and can therefore be subject to an analysis under the first (and presumably then also the other) data protection principles, was at the time seen as somewhat widening the perceived scope of the DPA. Four judges have now pronounced on this and two judges (the minority in the appeal court together with the first instance judge) found that such selection was in fact processing. This view is not however presently the law in the UK; and like Durant it is not clear how this reasoning would survive scrutiny in the European Court of Justice (there is as yet no referral).
Some commentators have already expressed the view that it would not survive such scrutiny. Parallels are drawn with the Durant case and the suggestion is that this is yet another aberration by an English court handing down a restrictive decision out of step with general understanding throughout
In the meantime, many (including this writer) will be grateful for this reining in of such thinking. As Buxton LJ pointed out, if processes on information which are undertaken with a view to eventual storage in computers is within the DPA, it would have many unwelcome consequences. To modify one of the examples given by the judge, a lawyer’s decision as to whether or not to accept instructions from a potential client (which if accepted would likely result in the creation of personal data in the practice’s computer systems) does seem to be a stretch too far of the purposes of this legislation. That should not be ‘processing’ susceptible to an adjudication as to whether it is fair under the data protection rules, even allowing for the consideration enunciated by Arden LJ that the existence (and presumably non-existence) of a contract should ‘generally’ be the critical factor in such an adjudication. Other legal regimes exist (the cab rank rule for barristers for example) to govern such decisions.
This debate is far from over, and it is not too hard to imagine attempts now to clarify what is in fact ‘processing’ even when there is no doubt that there is personal data.
Renzo Marchini is Counsel at Dechert LLP: renzo.marchini@dechert.com.
