BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?

No donation is too small. If every visitor before 31 December gives just Β£1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!



BAILII [Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback]

England and Wales Court of Appeal (Civil Division) Decisions


You are here: BAILII >> Databases >> England and Wales Court of Appeal (Civil Division) Decisions >> B v The General Medical Council [2018] EWCA Civ 1497 (28 June 2018)
URL: http://www.bailii.org/ew/cases/EWCA/Civ/2018/1497.html
Cite as: 164 BMLR 19, [2019] WLR 4044, [2019] 1 WLR 4044, (2018) 164 BMLR 19, [2018] EWCA Civ 1497, [2019] 2 All ER 219

[New search] [Printable RTF version] [Buy ICLR report: [2019] 1 WLR 4044] [Help]


Neutral Citation Number: [2018] EWCA Civ 1497
Case No: A2/2016/3903

IN THE COURT OF APPEAL (CIVIL DIVISION)
ON APPEAL FROM HIGH COURT OF JUSTICE
QUEEN'S BENCH DIVISION
Mr Justice Soole

[2016] EWHC 2331 (QB)

Royal Courts of Justice
Strand, London, WC2A 2LL
28/06/2018

B e f o r e :

LADY JUSTICE ARDEN
LORD JUSTICE SALES
and
LORD JUSTICE IRWIN

____________________

Between:
Dr B
Respondent/ Claimant
- and –


THE GENERAL MEDICAL COUNCIL
Appellant/
Defendant

____________________

Robin Hopkins (instructed by GMC Legal) for the Apellant/Defendant
Anya Proops QC (instructed by BLM) for the Respondent/Claimant
Hearing date: 20 March 2018

____________________

HTML VERSION OF JUDGMENT
____________________

Crown Copyright ©

    Lord Justice Irwin:

  1. In this case the General Medical Council ["GMC"] appeals the Order of Soole J of 23 September 2016, in which the judge granted an injunction against the GMC restraining disclosure of an expert report. The central facts are agreed between the parties and the claim has proceeded under CPR part 8, on the basis that there was no substantial dispute of fact.
  2. For convenience the relevant provisions of the Data Protection Act 1998 ["DPA"] are set out in Annex 1 to this judgment.
  3. The full factual background is set out in the judgment from the Court below in paragraphs 6 to 29. It is not necessary to recapitulate all of the facts but a summary is necessary.
  4. The Respondent is a general medical practitioner and for a number of years he had a patient anonymised as "P". P is a man in his 60s. Over a period of years P suffered difficulties in urinating, about which he consulted the Respondent Dr B. In September 2013, P was diagnosed as suffering from cancer of the bladder. On 8 November 2013, he complained to the GMC about his treatment by Dr B, in particular on 16 October 2012. The nub of his complaint was that Dr B had examined him and dealt with him incompetently, leading to an avoidable delay of about one year in the diagnosis of cancer.
  5. P complained on 8 November 2013 and the GMC commenced an investigation of Dr B's fitness to practice. The GMC instructed an independent expert GP to review the matter and the resulting report, consisting of 22 pages, was dated 14 May 2014. The report was delivered to the GMC and was the central element in their decision whether to take any action in relation to Dr B.
  6. The report was critical of the care provided by Dr B in a number of respects, concluding that the care provided fell "below" but "not seriously below" the expected standard of care. A further conclusion was that most reasonably competent general practitioners would not have suspected bladder cancer, given two particular findings recited in the report.
  7. On 19 May 2014, the GMC sent a copy of the report to Dr B. He was informed in the accompanying letter that the report would be forwarded to the relevant case examiners. On 17 July 2014, the GMC wrote again to Dr B and also wrote to P informing all parties that the case examiners, one of whom was medical and one of whom was a lay person, had taken the decision that there should be no further action. Attached to each letter was Annex A, summarising the reasons given by the case examiners for their decision. Annex A included a short summary of the experts' comments taking approximately one page. It is helpful to produce that summary here, redacted so as to preserve anonymity:
  8. "Expert report
    The expert's comments include the following:
    The expert states that it is important to note that the patient did not complain of the presence of blood in his urine until prior to the consultation in June 2013 and nowhere in his complaint does he state that he told Dr B this. Contrary to the assertion in the letter of referral by Dr B's colleague in June 2013, the previous urine tests had not shown any blood. The expert concludes that "most reasonably competent general practitioners would not have suspected bladder cancer on 16 October 2012 in the absence of a history of blood in the urine and this would have been confirmed by the laboratory result"."
  9. P's solicitors requested disclosure of the report, initially pursuant to the Freedom of Information Act ["FOIA"]. This request was refused by the GMC on 9 October 2014, on the ground that to do so would breach the principles of the DPA, and thus FOIA s.40(5)(b)(i) was engaged.
  10. On 11 September 2014, through his solicitors, P requested disclosure of the expert report. It is worth noting that the request was explicitly for the full report, not merely for P's personal data contained within the report: see the judgment at paragraph12. The report was the first on a list of requested documents. The GMC responded to the solicitors explaining that the request would be treated as a subject access request under Section 7 of the DPA and the solicitors agreed. The GMC then invited a response from Dr B on the question of disclosure of the report to P. His solicitors responded on his behalf on 17 October, 21 November 2014 and 6 March 2015 making clear Dr B's opposition to disclosure.
  11. The essence of Dr B's arguments in these letters was as follows. Initially, Dr B's solicitors suggested that the report contained "his own and not [P's] personal data, in that the report "relates to" Dr B as the "data subject". The first letter cited Durant v Financial Services Authority [2003] EWCA Civ 1746. The use of the DPA as a vehicle for third party discovery with a view to litigation was misguided. The letter cited the provisions of the Access to Health Records Act 1990, which would enable P to acquire copies of his own records. There was no "public interest" in disclosing the expert report "for the purposes intended by [P] and his solicitors".
  12. In their letter of 21 November, Dr B's solicitors' position had shifted somewhat. They rejected the suggestion from the GMC that the letter contained the "sole" personal data of P, and asserted that the report contained the personal data of both P and Dr B. The letter noted that it was the clear intention behind the request to initiate litigation against Dr B, rather than a case where "a disappointed party requests disclosure with a view to taking advice as to whether to bring a legal challenge against a decision taken by the [GMC]." The "stated importance of transparency in GMC decision making is much reduced in circumstances involving an alternative motive" namely suing for compensation, and not concern about the GMC's processes.
  13. The solicitors emphasised that Dr B had not been invited to make, nor had he made, comments on the draft expert report. The report "contains criticisms of him … which [P] proposes to use … to secure compensation." The interference in Dr B's Article 8 rights was "more than trivial or modest". Article 8 was certainly sufficiently wide to extend to the protection of a doctor's reputation: see Mkolajova v Slovakia 4479/03 18 January 2011.
  14. This letter also cited section 7(1)(c) of the DPA as conferring a right to have the communication of "information" in an "intelligible form", not a right to documentation. P had already received the relevant information in intelligible form, in the shape of Annex A.
  15. The GMC reasoning was refined and set down in an email of 12 February 2015 disclosed to the judge. Following consideration of the Information Commissioner's Code of Practice, the relevant advisor emphasised that:
  16. "… The GMC has a legitimate interest in ensuring openness and transparency when making decisions that affect an individual. The full report, which contains Mr S's personal data, and upon which a decision was taken in relation to Mr S and the treatment he received is based, should be disclosed to fulfil this obligation. The report contains the findings of an independent expert, who has provided the GMC with full consent to disclose, and as such there could be no justification in withholding this report from Mr S.
    In relation to Art.8 HRA, it states that: There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. We have to balance the rights and interests of both parties. As stated above, the report is based on the findings of an independent expert and is in no way intended to prejudice either side. Failure to disclose the findings of an independent expert would most likely be a breach of the Human Rights Act in terms of our obligations to protecting the health, as well as the rights and freedoms of the data subject (i.e. [P]). The report contains data that relates to both parties, (and it could be argued that both parties may very well disagree with certain aspects of the report) – by not disclosing to one party, we could be said to be biased and acting against the interests of the party, in contravention of our obligations under DPA/HRA."
  17. The GMC took the decision to disclose the report for reasons summarised in their letter to Dr B's solicitors of 13 February 2015. The reasons given by the GMC's Information Access Managers were very close to the reasoning in the internal email of the day before. The salient passages read:
  18. "You raise concerns about our view on the expert report in the context of the Durant judgment. It remains our view that the expert report is the joint personal data of Dr B and [P]. As such it is our view that the consideration of the disclosure of the report was correctly considered via the balancing exercise required under S.7(4) to 7(6).
    Following receipt of your letter I have asked a colleague to undertake a review of my original balancing decision. Having done so, they are of the view that disclosure of the expert report to [P] is appropriate.
    You have referenced DPA Schedule 2 conditions in the context of the requirement for any processing to be necessary. This needs to be considered, in the context of condition 6(1), coupled with legitimate interest and proportionality. The GMC has a legitimate interest in ensuring openness and transparency when making decisions that affect an individual. It is, in our view, necessary that the full report, which contains [P]'s personal data, and upon which a decision was taken in relation to [P] is based, should be disclosed to fulfil this obligation.
    In relation to Article 8 HRA, it states that: There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. We have to balance the rights and interests of both parties. As stated above, the report is based on the findings of an independent expert. Failure to disclose the findings of an independent expert would most likely be a breach of the Human Rights Act in terms of our obligations to protecting the health, as well as the rights and freedoms of the data subject (i.e. [P]). The report contains data that relates to both parties, (and it could be argued that both parties may very well disagree with certain aspects of the report) – by not disclosing to one party, we could be said to be biased and acting against the interests of the party, in contravention of our obligations under DPA/HRA."
  19. The GMC agreed to suspend the intended disclosure pending the decision of the High Court. Dr B's claim was brought under two heads, firstly the DPA and secondly in reliance on Article 8 of the ECHR. By the time of the hearing before Soole J, it was common ground that the Article 8 claim added nothing to the DPA claim and the case therefore proceeded on the application of Section 7 of the DPA, although the submissions and the decision of the judge took full cognizance of the parties' Article 8 rights.
  20. The Judge's Reasoning

  21. The judge began by analysing the history and facts, including the correspondence between the parties and the internal email traffic within the GMC, some of which I have touched on above.
  22. The Information Access Manager of the GMC was a Mr Julian Graves, the recipient of the email advice of 12 February 2015 quoted above. The judge noted that Mr Graves recognised the information was clearly being sought to further a potential claim for clinical negligence against Dr B. It was not submitted to the judge, nor to us, that this was inaccurate or an error. Nevertheless, he concluded that the report should be disclosed. Mr Graves recognised, as the judge put it, "the validity of the concern that the report was being sought in order to pursue litigation" but in fact did not think it would assist P in any claim for negligence. Mr Graves went on to take account of the "transparency of [the GMC] decision-making process". He had in mind Rule 12 of the GMC Fitness to Practice Rules, under which an affected patient can request a review of a decision not to proceed.
  23. The judge noted that by the time the case came before him the parties were agreed that the personal data of P and Dr B were "inextricably mixed" in the report. Where there cannot be compliance with a subject access request without disclosing information relating to another data subject, there had to be a balancing exercise pursuant to Section 7 of the DPA, although that exercise had to be considered in the context of Article 8 and fairness at common law.
  24. The judge also noted that the Court must conduct a more intensive review of that balancing exercise than would arise from application of the "traditional Wednesbury test". The judge noted that the primary objective of the EU Directive 95/46, enshrined in the DPA, was "to protect the right to privacy and accuracy of their personal data held by others", see Durant, per Auld LJ at paragraph 4, and Buxton LJ at paragraph 79, and see YS v Minister Voor Immigratie [2015] 1 CMLR 18.
  25. The Judge then set out the relevant provisions of the DPA, including the critical passages from ss.7(4) and 7(6). He noted the remark of Auld LJ at paragraph 55 of Durant that, in the absence of consent, there was a rebuttable presumption or starting point against disclosure. The judge considered the four non-exhaustive factors identified in s.7(6). He noted the obligation to process personal data "lawfully" (Schedule 1, Part 1, paragraph 1) and in compliance with the data controller's legal obligations (Schedule 2, Condition 3), taken together with Schedule 2 Condition 6, including the "Article 8/common law right of privacy; which must therefore be taken into account in the s.7(4) balancing exercise": judgment, paragraph 46.
  26. The judge cited various authorities to the effect that the relevant information was the private information of Dr B, but went on to note:
  27. "53. Whilst accepting that the Report's information about Dr B is private information, Mr Hopkins submits that he did not have a reasonable expectation that the Report would be kept from P. On the contrary, his reasonable expectation should have been that it would be disclosed to him (although not to the public generally) if requested under s.7. In disagreement Ms Proops in particular points to the GMC's practice of providing only a summary of the expert report to the complainant in the event of deciding to take no further action – as in this case."
  28. The judge went on to consider more closely the "purpose" of a request under the DPA. He quoted the passages from paragraphs 26 and 27 of the judgment of Auld LJ in Durant, to the effect that the purpose of the legislation was to enable the individual (the data subject) to obtain the information which concerned him, but not "to be provided with documents as such" (paragraph 26). The purpose was to enable him to check whether the processing of the information was lawful, and if not, to invoke the remedies under the Act (paragraph 27). The judge noted that the logic of these remarks had been followed in the first instance decision in Dawson-Damer v Taylor Wessing LLP [2016] 1 WLR 28.
  29. The judge continued:
  30. "58. Conversely in Dunn v. Durham County Council [2013] 1 WLR 2305 Maurice Kay LJ said (obiter) in a case concerning disclosure under CPR 31 : "I do not doubt that a person in the position of the claimant is entitled – before, during or without regard to legal proceedings – to make an access request pursuant to section 7 of the Act. I also understand that such a request prior to the commencement of proceedings may be attractive to prospective claimants and their solicitors. It is significantly less expensive than an application to the court for disclosure before the commencement of proceedings pursuant to CPR 31.16. Such an access may result in sufficient disclosure to satisfy the prospective claimant's immediate needs..' : see also Gurieva v. Community Safety Development Ltd [2016] EWHC 643 (QB) per Warby J at paras.67-72 ('It is commonly said that the subject access regime under the DPA is 'purpose blind'); also Kololo v. Commissioner of Police [2015] 1 WLR 3702 and Zaw Lin v. Commissioner of Police [2015] EWHC 2484 (QB).
    59. The Defence pleads that the requester's intention to use the information in furtherance of litigation is not of itself a reason for refusing the request. Mr Hopkins accepted, rightly in my judgment, that it was a factor which could be taken into account in the balancing exercise. However he submitted it should be given no significant weight in this case."
  31. The Judge noted the submissions on behalf of Dr B that the GMC's balancing exercise had failed to give sufficient weight to Dr B's privacy, and had given no or no adequate weight to the litigation purpose. The focus of the relevant report was on Dr B. The personal data of P was "incidental". Disclosure would be damaging to Dr B's professional reputation (and mental health). The refusal of the GMC to disclose the report pursuant to FOIA was inconsistent with the GMC's decision to disclose under the DPA: disclosure under FOIA was proper where it was "in the public interest". Yet it was proposed to publish under the DPA in order to demonstrate the transparency of the GMC processes. These decisions could not stand together. Disclosure of such material pursuant to s.35B of the Medical Act 1983 was invariably done subject to a Non-Disclosure Agreement, again an approach inconsistent with disclosure now proposed, since there would be no constraint on what P did with the report once disclosed. Not only was this disclosure sought for litigation, at variance with the purpose of the statute, but it would act to sidestep "the requirements and constraints of CPR 31".
  32. In reply, the counsel for the GMC argued that the report focussed equally on P and Dr B, and included "sensitive personal data" as defined by S. 2, of P alone. Dr B had no reasonable expectation that the report would not be made available to P. Any risk of damage to professional reputation was already present because of the summary, already in P's possession. There was no evidence that P would misuse the report by making it public: the summary had not been misused. There was no evidence of risk to Dr B's health. The report itself would advance P's understanding beyond the summary. There was a "legitimate and weighty public interest" in the transparency of the GMC's processes, and no inconsistency with refusal to disclose "to the world" under FOIA or the Medical Act 1983. The balancing exercise had been appropriate.
  33. The judge concluded that the GMC had fallen into error and "got the balance wrong". They failed to begin with a presumption against disclosure. They gave no adequate weight to Dr B's status as a data subject and to his rights of privacy in the undisclosed material. The real focus of the report was on Dr B's professional competence.
  34. The judge did not accept that Dr B's "reasonable expectation" was that the report would be disclosed to P: rather the reasonable expectation was that a lawful balancing exercise would be carried out. That expectation would be "fortified" by awareness of the GMC's practice "in disclosing only a summary" in such circumstances. Given the way the GMC approached the matter, they had never given any real weight to Dr B's privacy rights, had focussed on P's rights and the issue of transparency. They had taken no adequate account of Dr B's express refusal of consent, nor of the intended use of the report for the purposes of litigation, which was the "dominant purpose" behind P's request. That was important, even though it was right there was no evidence of any abuse of the summary already provided.
  35. The judge noted the GMC's practice in requiring a Non-Disclosure Agreement before disclosing a report under s.35B of the Medical Act, and noted the provisions of CPR Part 31; both pointed away from the approach advanced by P. The judge added:
  36. "82. If the GMC had considered that the principles of transparency and equality required a supply of the full Report to a complainant (such as P) in circumstances where no further action was taken, its policy and practice would doubtless have reflected this. If so, the complainant's entitlement would not be dependent on making a request under s.7 DPA or otherwise. In the absence of such a policy or practice, I do not consider that the GMC is entitled to give any particular weight to this factor (and whether expressed as the legitimate interest of P or itself) in the balancing exercise between the parties. To do so is in effect to revise its policy by the side-wind of the DPA; and thereby to defeat the other data subject's reasonable expectation of privacy."
  37. For those reasons, the judge allowed Dr B's claim.
  38. The Grounds of Appeal

  39. The GMC advance four Grounds of Appeal as follows:
  40. i) That it was an error to proceed on the basis that, in a case of "mixed personal data" there is a rebuttable presumption against disclosure.

    ii) That it was an error to hold that, where the sole or dominant purpose behind a Subject Access Request is to obtain information for the purpose of litigation, that was a weighty factor in favour of refusal.

    iii) That the Court's reasoning was flawed in holding that the GMC (a) gave inadequate consideration to Dr B's privacy rights, (b) took inadequate account of Dr B's express refusal of consent, and (c) underestimated the incremental impact of the disclosure of the report over and above the summary.

    iv) That the Court (a) "effectively substituted" its own assessment of the case for disclosure, rather than review the decision of the data processor, (b) over-estimated the risk of P publishing the report, and failed to consider that Dr B had preventive legal options open to him to block such abuse, and (c) gave inadequate consideration to P's "fundamental rights … to obtain and understand information about him of a highly sensitive nature".

  41. I will address the Grounds in turn. The submissions to us in support and in opposition to the Grounds broadly mirrored the submissions below save where more recent authority arose.
  42. Ground 1: That it was an error to proceed on the basis that, in a case of "mixed personal data" there is a rebuttable presumption against disclosure

  43. The formulation of a "rebuttable presumption against disclosure" was drawn directly from the dictum of Auld LJ in Durant. The GMC argues that the judge overstated the effect of Auld LJ's remarks. As that judge made clear, any such presumption could be overturned by showing that disclosure would be reasonable, within s.7(4). Moreover, the Appellant submits that these words were obiter dicta.
  44. The Respondent argues that the structure of the Act itself gives rise to the presumption, in the sense that where consent is refused under s.7(6) in a mixed data case, s.7(4) exempts the data processor from the duty to disclose, save where the disclosure is reasonable. The Respondent rejects the argument that these remarks in Durant were obiter dicta; rather they formed a key element in the ratio decidendi when deciding that the redaction of data in that case could not be challenged. In any event, says the Respondent, this ground is not critical to the decision, since the judge had substantive grounds for quashing the GMC decision.
  45. In my view, the remarks of Auld LJ in Durant did form part of the ratio of that decision. It may be that the term "presumption" is unhelpful, if it is thought to imply a continuing perspective on what is reasonable in a particular case, rather than truly a "starting point". In my view the statutory provisions, and paragraphs 55 and 56 of Durant need to be read together. It seems to me that the "starting point" in a mixed data case means no more than to underscore that there are competing rights in question, and thus the data controller cannot override the rights of the objecting data subject, unless it is reasonable to do so.
  46. On this issue, as on others, it seems to me helpful to bear in mind the remarks of Lewison LJ in Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd and Others [2017] EWCA Civ 121, [2017] 3 WLR 811, as to the scheme and purpose of a Subject Access Request:
  47. "82. The underlying purpose of the right of access to personal data is for the data subject to check the accuracy of the data and to see that they are being processed lawfully. The first place where this point is made is in recital (41) which I have quoted. In Rotterdam v Rijkeboer the court said at [49]:
    "That right to privacy means that the data subject may be certain that his personal data are processed in a correct and lawful manner, that is to say, in particular, that the basic data regarding him are accurate and that they are disclosed to authorised recipients. As is stated in recital 41 in the preamble to the Directive, in order to carry out the necessary checks, the data subject must have a right of access to the data relating to him which are being processed."
    83. The court repeated this in YS v Minister voor Immigratie at [44]. Auld LJ made a similar point in Durant at [27]. In the same case Buxton LJ said at [79]:
    "The guiding principle is that the Act, following Directive 95/46, gives rights to data subjects in order to protect their privacy. That is made plain in recitals (2), (7) and (11) to the Directive, and in particular by recital (10)…"
    84. In Johnson v Medical Defence Union [2007] EWCA Civ 282, (2007) 96 BMLR 99 at [1] he said that the protection of privacy was the "central mission" of the Directive; and at [16] that it was not easy to extract any other purpose from it.
    85. It is, however, true that as the Information Commissioner submits, the right of access under section 7 of the DPA is not subject to any express purpose or motive test. Nor is a data subject required to state any purpose when making a SAR.
    86. It has been suggested, based on Durant, that the making of a SAR for a collateral purpose such as to obtain documents for the purposes of litigation entitles the data controller to refuse to comply with the request. An alternative way of putting the point is that it is disproportionate to require him to do so in such circumstances. I do not consider that this is a valid objection. First, the target of a SAR is not documents; it is information. I return to this point below. Second, in principle the mere fact that a person has collateral purposes will not invalidate a SAR, or relieve the data controller from his obligations in relation to it, if that person also wishes to achieve one or more of the purposes of the Directive: compare Iesini v Westrip Holdings Ltd [2009] EWHC 2526 (Ch), [2011] 1 BCLC 498 at [119] to [121]. Third, there is now a considerable body of domestic case law which recognises that it is no objection to a SAR that it is made in connection with actual or contemplated litigation: Ezsias v Welsh Ministers [2007] EWHC B15 (QB), [2007] All ER (D) 65 (Dec) at [51]; Dunn v Durham CC [2012] EWCA Civ 1654, [2013] 2 All ER 213 at [16]; Kololo v Commissioner of Police of the Metropolis [2015] EWHC 600 (QB), [2015] 1 WLR 3702 at [35] to [36]; Zaw Lin v Commissioner of Police of the Metropolis [2015] EWHC 2484 (QB) at [114]; Guriev v Community Safety Development (UK) Ltd [2016] EWHC 643 (QB) at [72].
    87. Fourth, section 27 (5) of the DPA provides that apart from exemptions contained in the DPA itself, the subject information provisions prevail over any other enactment or rule of law.
    88. Fifth, there is a sufficient safety net in the form of the EU doctrine of "abuse of rights". This is a principle of interpretation of EU legislation which applies across the board: for example to commercial activities, the common agricultural policy, marriages of convenience, VAT planning and so on. The topic is the subject of a comprehensive discussion by Advocate General Poiares Maduro in (Joined Cases C-255/02 and C-223/03) Halifax plc v Customs and Excise Commissioners [2006] Ch 397 at [62] to [71], and by the Supreme Court in HMRC v Pendragon plc [2015] UKSC 37, [2015] 1 WLR 2838. This court expressed a similar view in Dawson-Damer at [109] by reference to the domestic principle of abuse of process. I do not think that there is much difference between the two approaches in this context.
    89. Finally, the point is now put beyond doubt by the recent decision of this court in Dawson-Damer at [108].
    90. In some cases, it has been said that the supply of information does not tell the data subject anything he or she did not already know. In many cases that would miss the point. To take a simple example: everyone knows their own name and date of birth. A data subject may well make a SAR, not for the purpose of discovering his name or date of birth, but for the purpose of checking whether the data controller has correctly recorded them. A data subject will know his own address, and may make a SAR in order to discover to whom the data controller has disclosed those data. Likewise a data subject may ask for information about a particular meeting that he or she attended, not for the purpose of finding out what happened at the meeting (which is already known), but for the purpose of checking the accuracy of any personal data recorded in a note of the meeting. It is thus not necessarily an answer to a SAR to say that the data subject already knows what happened at the meeting. However, the case is different where the only relevant personal data are contained in a particular document (or documents) and that document has (or those documents have) been provided to the data subject. In a case in which the document or documents have already been provided otherwise than under a previous SAR the fact that they have already been provided may go to the exercise of the court's discretion under section 7 (9). Moreover where the focus of a SAR is (as is often the case) a request for copies of documents rather than personal data, the fact that the data subject was either the author or recipient of the document in question would also be highly relevant to the exercise of discretion."
  48. In that passage, Lewison LJ quotes with approval the remark of Buxton LJ in Durant: the "guiding principle" of the DPA is to enable data subjects to "protect their privacy". It seems to me that principle necessarily gives rise to a "starting point", in a mixed data case, that private information should not be revealed. That does not mean that there is a continuing presumption – a gradient which the requesting data subject must climb – before the data controller satisfies a SAR. The data controller must start from the objection and then consider all the circumstances and decide what is reasonable: no more, no less.
  49. In my view, the judge may have placed somewhat too much weight on this formulation, but it was not critical for his decision. Of more importance were his substantive considerations.
  50. Ground 2: That it was an error to hold that, where the sole or dominant purpose behind a subject access request is to obtain information for the purpose of litigation, that was a weighty factor in favour of refusal

  51. It is now well established that in general it is no objection to a SAR that it is made in connection with actual or contemplated litigation: see Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74, [2017] 1 WLR 3255 and see Ittihadieh, paragraph 86, and the authority recited therein.
  52. However, none of those cases addresses directly the question arising here: albeit an intention to litigate is not a bar, is it a relevant circumstance that litigation is planned by the one data subject against the other data subject, in a mixed data case? Should that consideration form part of the decision as to whether it is reasonable to override the privacy of the objecting data subject? In my view, it is inevitable that it should.
  53. It seems to me a proper aspect of privacy, well within the ambit of the rights protected by the DPA regime and by Article 8, that personal data should be kept confidential so as to prevent or diminish the prospect of hostile litigation. This is a quite separate consideration from legal professional privilege. Indeed, the scheme of the law concerning disclosure underscores this point. There is no obligation to divulge private information which may assist litigation until the relevant groundwork has been laid, in this context so as to satisfy CPR Part 31. Thus, while the prospect of litigation is in general no bar, and whilst I accept (subject to a qualification I will shortly enter) the remark of Warby J in Guriev v Community Safety Development (UK) Limited [2016] EWHC 643 (QB) that it is "commonly said that the subject access regime under the DPA is 'purpose blind'" (see paragraph 67), that judge too was considering a case where the SARs were made in respect of unmixed personal data. In my view, the "common saying" might wisely be qualified: "in the absence of mixed personal data, the DPA regime is purpose-blind". So far as can be discerned, all the reported cases bearing on this issue are cases where those making the SARs were seeking their own personal data rather than seeking mixed data, where another data subject was the proposed or potential defendant.
  54. The relevant guidance from the Information Commissioner in relation to requests bearing on requests for the purpose of potential proceedings is short:
  55. "Where legal professional privilege cannot be claimed, you may not refuse to supply information in response to a SAR simply because the information is requested in connection with actual or potential legal proceedings. The DPA contains no exemption for such information; indeed, it says the right of subject access overrides any other legal rule that limits disclosure. In addition, there is nothing in the Act that limits the purposes for which a SAR may be made, or which requires the requester to tell you what they want the information for.
    It has been suggested that case law provides authority for organisations to refuse to comply with a SAR where the requester is contemplating or has already begun legal proceedings. The Information Commissioner does not accept this view. Whether or not the applicant has a 'collateral' purpose (ie other than seeking to check or correct their personal data) for making the SAR is not relevant."

    This guidance does not address mixed personal data.

  56. The guidance addressing SARs "involving other people's information" is also relatively short. It is not necessary to reproduce more than a brief paragraph:
  57. "Circumstances relating to the individual making the request. The importance of the information to the requester is also a relevant factor. The need to preserve confidentiality for a third party must be weighed against the requester's right to access information about his or her life. Therefore, depending on the significance of the information to the requester, it may be appropriate to disclose it even where the third party has withheld consent."
  58. This guidance does not address the case where information is sought for the purpose of litigation against the "mixed" data subject.
  59. I repeat that I should not be understood to mean that in mixed data cases, an intention to litigate represents an inevitable bar to release of information. However, it seems to me that the judge was correct in thinking this is a significant matter to be weighed in the balance, as a necessary part of the consideration whether it is reasonable to override the refusal of consent by the data subject who is seeking to protect their personal data.
  60. If I am wrong about this, it may have very wide consequences. It would likely mean that in any case where the personal data of an individual is part of an expert report commissioned by a professional body following a complaint, that report could be obtained by the requesting data subject without regard to the privacy rights of the professional. Very often, as here, the professional will have no option but to be made the subject of such a report. This has potential implications beyond medicine and the other health professions. Financial professionals might easily be faced with the same problem. If I am wrong, then this route will be an obvious way to circumvent the requirements of the CPR, and it is easy to conceive how such an approach may lead to professional complaints which would not otherwise be made, and which are made in fact only to achieve the contingent benefit of free access to a professional review, where the potential professional defendant cannot raise the obvious objections.
  61. I do not mean that "floodgates" considerations are a proper basis for distorting the meaning of the provisions of the DPA, even if the consequences are as I consider they may be. I am simply of the view that it is, or can be, a perfectly reasonable consideration on the part of the professional, whose personal data are mixed in such a report, that the report is sought in order to sue him or her. In my view the data controller should have regard to that matter. It is clear the GMC did not do so here.
  62. It is no argument against the view taken by the judge that s.27(5) of the DPA provides that "the subject access provisions shall have effect notwithstanding any enactment on rule of law prohibiting or restricting the disclosure, or authorising the withholding, of information." This is not a question of the disclosure provisions of CPR Part 31 being given effect, wrongly, at the expense of the DPA. The point in question here is that there are competing privacy interests to be protected as part of the very operation of the subject access provisions of the DPA itself.
  63. I have considered whether consideration of the question of litigation would place too heavy a burden on a data controller faced with a decision concerning mixed data. However, it does not seem to me that concern can be a valid objection to considering a "litigation purpose" where that properly arises. Firstly, it is a practical point and cannot alter the meaning of the statute. Secondly, these decisions inevitably encompass some difficult balancing factors: the existing guidance from the Information Commissioner makes that tolerably clear. Thirdly, in the circumstances of this case, and of parallel professions, the data controllers will be professional bodies perfectly sophisticated enough to address this issue.
  64. For these reasons, I consider the judge was correct to hold that the prospect of litigation was a "weighty consideration" which should have been borne in mind by the GMC, and that they failed to do so.
  65. Ground 3: That the Court's reasoning was flawed in holding that the GMC (a) gave inadequate consideration to Dr B's privacy rights, (b) took inadequate account of Dr B's express refusal of consent, and (c) underestimated the incremental impact of the disclosure of the report over and above the summary

  66. Here too I reject the attack on the approach taken by the judge. It appears to me a tenable and reasonable view of the GMC's approach, as evidenced by their internal and external communications, that they failed properly to consider Dr B's privacy rights. I remind myself that there is no issue but that Dr B's privacy rights under Article 8 were engaged, and that some of the material the GMC wished to disclose constituted his personal data. Criticism of a professional in the context of a formal disciplinary complaint, even where that criticism is not such as to found disciplinary or regulatory proceedings, can lead to important reputational damage. In many professional contexts, although less obviously here, it would be predictable that such reputational damage might easily lead to financial loss. The privacy rights engaged are not obviously trivial. In my view it was not, and is not, obvious that Dr B's rights should be trumped by P's request. In my view, the necessary balancing exercise required a weighing up of any gain to P represented by the additional information, set against the loss of privacy to Dr B. P already had the summary and knew not merely the personal data on which the expert had reported, but his conclusions. If there was any inaccuracy in the personal data on which the report had been obtained, he was already in a position to challenge and correct it. He lacked only the detailed reasons for the expert's conclusions
  67. I look in vain for any proper consideration of Dr B's rights by the GMC. Beyond recording Dr B's concern that disclosure would encourage legal claims in general, there is no formulation or account of his Art 8 rights and no considered weighing of the relative interests of the two data subjects expressed anywhere in the evidence. It appears to me that, by contrast, the data controller had P's rights well in mind, for example referring to him as "the" data subject. It is also clear that the GMC was centrally concerned to demonstrate the transparency of their own processes. There was also a concern about P's rights under the HRA 1998. There was no expressed concern about Dr B's privacy and no more than an assertion that a balancing exercise had been conducted.
  68. I would thus reject the criticisms of the judge on this Ground.
  69. Ground 4: That the Court (a) "effectively substituted" its own assessment of the case for disclosure, rather than review the decision of the data processor, (b) over-estimated the risk of P publishing the report, and failed to consider that Dr B had preventive legal options open to him to block such abuse, and (c) gave inadequate consideration to P's "fundamental rights … to obtain and understand information about him of a highly sensitive nature"

  70. It will be clear from the foregoing paragraphs that I consider the judge properly fastened on errors of approach by the GMC, and I do not consider he merely "effectively substituted" his own assessment of the case for disclosure. Nor do I accept that the judge gave inadequate consideration to P's "fundamental rights to obtain … information of a highly sensitive nature". It seems to me the last criticism blurs a necessary distinction.
  71. The mixed data did indeed contain "sensitive personal data" of P, within the definition in s.2(1)(e) of the DPA. However, it seems to me that the summary had already provided that information to P. There was no factual information as to P's "physical or mental health or condition" which was not provided in the summary. What was not contained in the summary was the full reasoning of the expert as to his or her conclusions on the quality of care provided by Dr B. It does not seem to me that material falls within the definition of "sensitive personal data". In broad terms, the withheld information did not relate to P's physical or mental health or condition, but rather was comment and opinion on Dr B's assessment of that health or condition and his actions (or inaction) proceeding from that assessment.
  72. It may be that the judge placed rather too much emphasis on the risk of "unauthorised" disclosure of the report by P. There was indeed no evidence of misuse of the summary by P. However, it is surely part of a rational consideration of the competing interests here that, once such a report is communicated to a data subject, there may be formidable obstacles in the way of any further legal remedy to publication by someone in P's position. Any attempt at such a remedy would be bound to be met by the argument that the data controller had balanced the competing considerations and found that P's interests and rights in disclosure properly overrode those of Dr B, and had done so, moreover, without requiring P to enter a data protection agreement, a measure exacted by the GMC in other, broadly analogous circumstances.
  73. Conclusion

  74. Following his decision, the judge received submissions as to what Order he should make, and subsequently made the Order of 22 September 2016, preventing the disclosure of further information to P. In my view that was an appropriate Order, since P had already received sufficient information as to what of his own personal data was held by the GMC.
  75. For these reasons, I would dismiss the appeal.
  76. Lord Justice Sales:

  77. I refer to a case involving personal data of the person making the subject access request ("SAR") which also comprise personal data of another person as a "mixed data" case. In the case before us, it is common ground that the entirety of the expert report obtained by the GMC ("the Report") should be regarded as comprising the mixed personal data of Dr B and P and that there is no distinction to be drawn between the data themselves and the contents of the Report. Thus, although there is no right under section 7 of the DPA to be provided with documents when a SAR is made, as opposed to being provided with "the information constituting any personal data of which [the individual making the SAR] is the data subject" (section 7(1)(c) of the DPA), the distinction between documents and information constituting personal data which may be important in some cases has no materiality in this.
  78. In respectful disagreement with Irwin LJ, I would allow the appeal on each of the four grounds advanced by Mr Hopkins for the GMC. I discuss each ground of appeal in turn below.
  79. In addition to the account of the facts presented by Irwin LJ, it is relevant to refer to an internal memorandum of the GMC dated 31 October 2014, from Mr Julian Graves (Information Access Manager), which set out the consideration of the balance of interests under section 7(4)-(6) of the DPA which was the foundation of the GMC's decision to disclose the Report to P, and which it continued to defend throughout the proceedings (see [17]-[24]). The memorandum considered both the SAR from P and the written representations made by Dr B's solicitors setting out his objection to disclosure of the Report and the reasons for that objection. In the memorandum, Mr Graves correctly identified this as a mixed data case and referred to the regime for balancing the interests of P and Dr B as set out in section 7(4)-(6). He wrote this:
  80. "It is clear that [Dr B], via BLM [his solicitors], is concerned about the perceived encouragement to the claims industry that would be given by the GMC should disclosure be made and I accept that this is a valid concern. However, the report itself is largely supportive of the actions taken by [Dr B] and as such I am doubtful that the disclosure of the report will assist [P] in any legal action he chooses to take.
    Nevertheless, taking account of the transparency of our decision making process, I feel there is a strong case to justify providing [P] with a document which played a key role in the GMC's decision to close his complaint at an early stage. There is certainly the potential for [P] having considered the comment of the expert, to seek a Rule 12 review with the GMC. His opportunity for doing this without sight of this key piece of evidence will undoubtedly be hampered.
    My decision on balance is therefore that the report should be disclosed to [P] on the basis that disclosure would be, on balance, fair and lawful and not in breach of the DPA Principles. I believe that Schedule 2, conditions 3 and 6 are satisfied in this case. …
    Given the robustness of the objection raised by BLM, I would suggest that the advice that we intend to disclose the documents [after prior notice to BLM] in order that they may decide if they wish to take further action."
  81. The reasoning here is tolerably clear. P's complaint to the GMC about the conduct of Dr B was dealt with under the General Medical Council (Fitness to Practise) Rules 2004 (SI 2004/2608). The complaint was referred to case examiners pursuant to rule 8 for investigation, in the course of which the Report was commissioned. In light of the Report, the case examiners decided that the allegation against Dr B should not proceed further. Thus, P had an interest to see the detail of the information about him and his medical treatment as set out in the Report in order to check that the expert and the case examiners had made a proper evaluation of his complaint on the basis of accurate information about him. Further, under rule 12, P had a right to seek a review of the decision not to proceed with his complaint, if he could persuade the Registrar of the GMC that the decision was materially flawed or that there was new information available which may have led to a different decision (rule 12(4)). Provision of the detail of the information about him as set out in the Report would allow him to check to see if there was any inaccuracy in that information which might have affected the views expressed in the Report, or if any significant relevant information about him had been omitted. Also, the reference to the objections to disclosure raised in correspondence by BLM on behalf of Dr B shows that Mr Graves was well aware, and took into account, that Dr B strenuously objected to the disclosure of the Report to P. Mr Graves plainly gave weight to that factor, in that he expressed his conclusion in favour of disclosure as being one arrived at "on balance" and by recommending that the disclosure not occur immediately, but only after giving notice to Dr B to allow him to take legal proceedings, if so advised.
  82. In my view, this reasoning by the GMC is legitimate and proper. A person who makes a complaint about a doctor with respect to the medical treatment he has received has a legitimate interest in understanding, and being in a position to check, the basis in respect of his personal data for a decision by the GMC not to pursue the allegation by instigating a disciplinary procedure against the doctor. The complainant also has a legitimate interest in receiving information which will enable him to see whether there may be grounds for making a request for a reconsideration pursuant to rule 12. These are interests which are within the scope of the type of interest which the subject access rights under Article 12 of the Directive and section 7 of the DPA are intended to safeguard.
  83. Further, the reasoning makes it clear that Mr Graves had considered Dr B's objection that disclosure of the Report would provide undue assistance to P if he decided to commence legal proceedings against Dr B in respect of his treatment. Mr Graves concluded that the Report was unlikely to help P very much, because it had largely exonerated Dr B from blame. In my view, this assessment was plainly rationally open to Mr Graves to make and cannot be faulted.
  84. Ground 1: improper reliance on an alleged presumption that there should be no disclosure in a mixed data case.

  85. In my view, the judge was in error in saying that there is a presumption under section 7(4) of the DPA in favour of a person who has not consented to or who objects to disclosure ("the objector") pursuant to a SAR in a mixed data case as against a person requesting disclosure ("the requester"), and in criticising the GMC for failing to adopt this as the starting point for its consideration under section 7(4) whether disclosure should be given in this case of the data in the expert's report: see [68] and [88(2)].
  86. The judge's position on this was taken from a passage in the judgment of Auld LJ in Durant v Financial Services Authority [2003] EWCA Civ 1746; [2004] FSR 28 at [55], where he said this:
  87. "There are two basic points to make about the scheme of sections 7(4)-(6), and 8(7), for balancing the interests of the data subject seeking access to his personal data and those of another individual who may be identified in such data. The first is that the balancing exercise only arises if the information relating to the other person forms part of the "personal data" of the data subject, as defined in section 1(1) of the Act. The second is that the provisions appear to create a presumption or starting point that the information relating to that other, including his identity, should not be disclosed without his consent. The presumption may, however, be rebutted if the data controller considers that it is reasonable "in all the circumstances", including those in section 7(6), to disclose it without such consent."
  88. In relation to the first ground of appeal, I do not consider that we are bound, as a matter of authority, to accept and follow Auld LJ's observation concerning his second point. In my opinion, it does not form part of the ratio decidendi of his judgment or the decision in the case. This is indicated by Auld LJ's own slightly tentative way of expressing himself in [55] ("… the provisions appear to create a presumption …") and by the fact that his observation was not critical to the decision in the case. Most of the disclosure requested by Mr Durant did not comprise his personal data at all (and so, as a result of the first basic point made by Auld LJ, did not fall within the regime in section 7(4)-(6) governing cases involving mixed data); and for the two instances where mixed data was involved, it is clear that Auld LJ considered that redaction of the relevant information in question (the names of persons who had had conversations with Mr Durant) was reasonable whatever starting point or presumption was applied (if any), because the information was "of little or no value to Mr Durant", whereas the objectors had good reason to request that their names should not be provided to him, since he had abused them over the telephone: see [67].
  89. As we are not bound by precedent, we have to consider Mr Hopkins's submissions in support of this ground of appeal on their merits. In my view, Auld LJ was wrong to identify a basic presumption or starting point in favour of the objector in a mixed data case. Presumptions come in various different forms and with different effects in the law. Sometimes the only function that a presumption has in a particular context is to operate as a tie-breaker at the end of a process of analysis, if all other competing factors are otherwise precisely in balance. But to say that a presumption applies as a starting point for a particular exercise of analysis (rather than as a final tie-break) suggests that there is some significant hurdle or threshold which one party has to overcome before a decision can be made in his favour.
  90. The disclosure regime under section 7(4)-(6) of the DPA seeks to strike a balance between competing interests of the requester and the objector, both of which are anchored in the right to respect for private life in Article 8 of the European Convention on Human Rights ("ECHR"), as reflected in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 ("the Directive"). The recitals to the Directive explain that data-processing must respect the fundamental rights and freedoms of individuals, notably the right to privacy (see Recitals (2), (7) and (10)); and Article 1(1) confirms this. As part of the rights or interests of data subjects which the Directive is intended to protect, data subjects are accorded a right under certain conditions to have access to their personal data held by a data controller to check that those data are accurate: Article 12. A data subject's right to respect for his private life may be infringed if things are done by a data controller on the basis of personal data about him which are materially wrong or inaccurate in some way. Such a subject access right is important in helping individuals ascertain whether their personal data are correct and are being processed lawfully: see Cases C-141/12 and C-372/12, YS v Minister voor Immigratie [2015] 1 CMLR 18, [44] ("the protection of the fundamental right to respect for private life means, inter alia, that [the data subject] may be certain that the personal data concerning him are correct and that they are processed in a lawful manner"). Section 7 of the DPA implements this right in domestic law. On the other hand, in a mixed data case, the objector may also have a right or interest in the non-disclosure of his personal data, in order to maintain his privacy in respect of it; and Article 13(1)(g) of the Directive provides that a Member State may adopt legislative measures to restrict the scope of the rights provided for in Article 12 "when such a restriction constitutes a necessary measure to safeguard … (g) the protection of the data subject or of the rights and freedoms of others". This rubric reflects that in Article 8(2) of the ECHR, which governs when the rights set out in Article 8(1) (including the right to respect for private life) may be interfered with. Article 13(1)(g) of the Directive provides the legislative basis in EU law for the regime for mixed data cases in section 7(4)-(6) of the DPA.
  91. Contrary to the view of Auld LJ and the judge below, I do not think that the balancing regime in section 7(4)-(6) of the DPA includes any presumptive starting point or hurdle which either the requestor or the objector has to overcome. The circumstances in which the balancing exercise has to be carried out from case to case will be many and varied, and where no consent has been given for disclosure (or where objection has been raised, as in this case) the outcome of the exercise will inevitably depend on the particular facts and context. The question is simply whether "it is reasonable in all the circumstances to comply with the [SAR] without the consent of the other individual" (section 7(4)(b)). Although section 7(6) specifies that regard should be had to certain listed matters "in particular", it does not limit the other matters which may be relevant circumstances; nor does it specify the weight to be given to the listed matters either as between the items in the list or as against other, non-listed relevant circumstances. There is no sound basis for saying that one should load the exercise at the outset in favour of either the objector or the requester. The rights and interests engaged on each side are both rooted in Article 8 of the ECHR and in specific protective provisions in the Directive. Both sets of rights and interests are important and there is no simple or obvious priority as between them which emerges from consideration of their nature or their place in the legislative regime. In that regard I note that the Information Commissioner, in her guidance, does not recognise or endorse any presumption of the kind referred to by the judge: see her Subject Access Code of Practice (version 1.1, February 2014, at pp. 30-34; version 1.2, June 2017, at pp. 36-40).
  92. It is conceivable, but in practice I think unlikely, that a data controller who carries out the balancing exercise in section 7(4)-(6) in a mixed data case might be left with factors for and against disclosure which are found to be in perfect equilibrium with nothing to choose between them. In that situation there would be a need to apply a presumption at the end of the exercise, in order to arrive at a decision one way or the other. In my view, the presumption to be applied at this stage would be in favour of withholding disclosure. I emphasise that this would be a presumption of the weak, tie-breaker type referred to above. It is not a significant or substantive presumption to be applied at the outset.
  93. My reason for saying that the tie-breaker assumption operates in favour of the third party data subject, rather than the requestor in this situation is that, although section 7(1) of the DPA creates a right for the data subject as against the data controller to have his personal data disclosed to him upon making a SAR, by virtue of section 7(4) the data controller is relieved of that obligation where information comprising those personal data cannot be disclosed "without disclosing information relating to another individual who can be identified from that information", unless either of sub-paragraphs (a) or (b) is satisfied. As regards sub-paragraph (b), it must appear that it is "reasonable in all the circumstances to comply with the request without the consent of the other individual"; that is to say, having regard to the strength of the interest of the requester (as reflected in the legislative regime set out in the Directive and the DPA) in obtaining disclosure, to the strength of the interest of the objector in maintaining his privacy in relation to the information in question and to any further public interest factors which may be relevant. If the considerations for and against disclosure really are precisely balanced, the data controller (or anyone else applying the test in section 7(4)) cannot positively say that it is reasonable to comply without the consent of the other individual. This indicates that the tie-break presumption should operate in this residual sense against disclosure.
  94. Turning to the present case, the GMC gave positive reasons why it considered it reasonable in all the circumstances to comply with P's request for disclosure of his personal data set out in the Report, notwithstanding that it also comprised personal data of Dr B. Therefore, there was no scope for application of any residual tie-break presumption to resolve the case.
  95. I consider that the judge erred by treating the relevant presumption as something to be applied at the outset of the analysis, i.e. as constituting a substantive threshold which had to be overcome by the GMC in order to justify its decision to disclose the Report. The judge was wrong to criticise the GMC for proceeding in the way it did, by considering what was reasonable in the case without reference to any presumption. In my view the judge was also wrong to apply a strong, substantive presumption in favour of the objector in his own assessment of how to strike the balance between P and Dr B, in [88]. These were not immaterial errors, but go to the heart of the judge's approach.
  96. Ground 2: improper reliance on the motive of P in making the SAR

  97. The judge held that the GMC's decision "took no adequate account of the fact … that the purpose of the request was to use the Report and its information in the intended litigation against [Dr B]": [77]. This was a further basis on which the judge decided it was right for him to set aside the GMC's own assessment of the balance of interests and to impose his own. In his own assessment, the judge held that "if it appears that the sole or dominant purpose is to obtain a document for the purpose of a claim against the other data subject, that is a weighty factor in favour of refusal, on the basis that the more appropriate forum is the court procedure under CPR 31" ([88(3)]). In my view, the judge erred on both these points as well.
  98. I begin here with two factual points. As I have noted above, the GMC plainly did take account of the allegation by Dr B that the purpose of the SAR was to obtain the Report and to use it in litigation against him. The GMC was prepared to proceed on the basis that this was a valid concern, but treated it as having only limited weight because obtaining the Report was unlikely to assist P very much in any proceedings he might bring. That was a rational and lawful assessment. The judge was wrong to criticise it as inadequate.
  99. Moreover, although Dr B made this allegation about P's motivation, it is by no means clear that this was P's sole or dominant purpose in seeking disclosure. He had made a complaint to the GMC about Dr B and had a legitimate interest in seeing that it was properly considered and not dismissed without adequate grounds. The fair inference is that this was a significant part of the reason why P wished to check the information which had been available to the expert in writing the Report. I do not think there was any sound evidential basis on which the judge could infer that P's sole or dominant purpose in making what came to be treated as a SAR was to obtain the Report in order to use it in litigation. In fact, as I have noted, it is well established that a person making a SAR is only entitled to disclosure of information, not documents. P could not have known that the Report itself would be disclosed as a result of a SAR by him.
  100. However, there is a wider issue of principle here, namely what weight (if any) should be given to the motivation of a person in making a SAR in a mixed data case, where the motive or part of the motive is to seek to obtain information which might assist the requester in litigation against the objector. I respectfully disagree with Irwin LJ and the judge about this.
  101. In my view, there is no general principle that the interests of the requester, when balanced against the interests of the objector, should be treated as devalued by reason of such motivation. The general position is that the rights of subject access to personal data under Article 12 of the Directive and section 7 of the DPA are not dependent on appropriate motivation on the part of the requester: see Durham County Council v Dunn [2012] EWCA Civ 1654, [16] (Maurice Kay LJ); Gurieva v Community Safety Development (UK) Ltd [2016] EWHC 643 (QB), [72] (Warby J); Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74; [2017] 1 WLR 3255, [105]-[113] (Arden LJ); Itthadieh v 5-11 Cheyne Gardens [2017] EWCA Civ 121; [2017] 3 WLR 811, [104]-[110] (Lewison LJ); and see also the Information Commissioner's Subject Access Code of Practice ("the purpose for which a [SAR] is made does not affect its validity, or [a data controller's] duty to respond to it": version 1.1, p. 20; version 1.2, p. 26). Moreover, where a person has two rights to obtain something (here, access to information), the usual position is that he is entitled to rely on whichever right is the more effective from his point of view. On the other hand, when carrying out the balancing exercise under section 7(4) in a mixed data case, it will be relevant to have regard to the extent to which the interests on either side which are of a kind which are protected by the legislation are engaged and may be prejudiced by a decision one way or the other.
  102. In this case, it appears that a material part of P's object in making a SAR was to check that accurate personal data of his had been used by the GMC and the expert in their consideration of how to react to his complaint about Dr B's conduct. That is an object which is squarely within the purpose for which subject access rights are conferred by Article 13 of the Directive and section 7 of the DPA. Even if part of P's object was to try to obtain material which might help him in litigation against Dr P, that in no way diminishes the legitimacy or force of his interest to have communicated to him under section 7 information about his personal data as processed by the GMC and the expert. The GMC rightly focused on this interest in its reasoning. Even if there might have been another way in which P could have sought to obtain access to such information pursuant to CPR Part 31, it was not incumbent on him to seek to employ that route. He was entitled to try to obtain the relevant information in this case by means of a SAR, e.g. if that appeared to him to be cheaper and more effective. The judge was wrong to treat CPR Part 31 as "the more appropriate forum" in this case and accordingly to devalue P's interest in disclosure of his personal data pursuant to his SAR when comparing it with Dr B's interest in resisting disclosure.
  103. Before leaving this ground of appeal, I would make three further comments. First, by contrast with P's legitimate interest in securing disclosure of his personal data in this case, it seems to me that Dr B's own legitimate interest (in terms of his interest in maintaining privacy in relation to those data) was considerably weaker. It was not in doubt that Dr B had been the doctor who treated P. P already knew how he had been treated by Dr B. A significant object of his SAR was to check that accurate personal data about him (P) had been used by the GMC and its expert in processing his complaint about Dr B. This is a legitimate objective for DPA purposes: see YS v Minister voor Immigratie above and Ittihadieh at [90]. It is difficult to see what legitimate privacy reason Dr B had for objecting to the disclosure to P. He could not legitimately say that the GMC and its expert should be treated as being immune from having the accuracy of the personal data of P checked in this way or that he had any proper interest of his own in them proceeding on the basis of false information. I also think it is noteworthy that the personal data of P constituted "sensitive personal data" within the meaning of section 2 of the DPA, as "information as to … (e) his physical or mental health or condition", whereas the same data in relation to Dr B did not have that enhanced status. Under the scheme of the Directive and the DPA, sensitive personal data is treated as having special sensitivity and significance and as generally meriting enhanced protection. Further, there is force in Mr Hopkins's submission that the incremental intrusion upon Dr B's privacy interest by disclosure of the Report, by comparison with the summary of it already provided to P by the GMC, was very modest. I do not go so far as to say that a desire on Dr B's part to be protected from litigation was wholly irrelevant in the balancing exercise under section 7(4), but it is a matter which is peripheral to the main focus of that balancing exercise, which is concerned with weighing the privacy interests of the requester and the objector. In any event, the GMC took Dr B's desire into account, but for rational reasons decided that it could not be treated as determinative. There was no suggestion that P was proposing to use the Report by releasing it into the wider public domain, e.g. in an attempt to damage Dr B's reputation.
  104. Secondly, in a mixed data case where (as here) a data controller gives the objector a full opportunity to state his grounds of objection to disclosure, the data controller will generally be entitled to focus on the objector's arguments in evaluating his interest in having disclosure withheld. The data controller does not have to cast around for further reasons which have not been raised by the objector, at any rate so long as they are not matters which are so obvious that they must be taken into account in the balancing exercise under section 7(4) whether raised or not. In this case, Dr B and BLM did not mention the argument regarding CPR Part 31 on which the judge came to rely so heavily. It was not an obvious point. The GMC was not under any obligation to raise it of its own motion when conducting the balancing exercise under section 7(4). It did properly address the argument which Dr B did make in his written representations, which was concerned with the assistance that disclosure of the Report might afford to P in any litigation he commenced against Dr B.
  105. Thirdly, in view of the wide-ranging submissions we heard on this appeal, I should mention a possible half-way house which may be open to data controllers which conduct a balancing exercise under section 7(4). In some cases, the balance between the legitimate protected interests of a requester and those of an objector may be more finely balanced than in this. For example, it might appear that the requester has good reasons for wishing to check on the accuracy of his personal data used in processing by the data controller whilst at the same time there are objective grounds to think that he wishes to use the information obtained for an illegitimate purpose, e,g, to post the information on the internet to try to traduce the objector. In such a case it might be reasonable (within the meaning of section 7(4)(b)) to make disclosure of the information to the requester if there can be appropriate assurance that no wider inappropriate dissemination of the information will occur, whilst it might not be reasonable to make disclosure in the absence of such assurance. In my view, it would be open to the data controller in such a case to invite the requester to consider giving a binding contractual undertaking to the data controller or the objector or both, to restrict the use to which the information might be put. In conducting the balancing exercise under section 7(4), the data controller would then be entitled to take into account whether such an undertaking had been proffered, or not, when deciding whether it was reasonable to make disclosure. To be clear, I do not think that this would usually be an appropriate course to try to restrict a requester from using information sought by means of a SAR in litigation thereafter. Later use in litigation is not something which is illegitimate in itself, so far as the subject access regime is concerned.
  106. Ground 3: the judge's reliance on other factors in favour of non-disclosure

  107. The judge held that inadequate consideration was given by the GMC to Dr B's privacy rights ([69]-[75]); that no adequate account was taken by the GMC of Dr B's express refusal of consent ([76]); and that the GMC's assessment of the incremental impact on Dr B of the disclosure of the Report (as compared with the summary which the GMC had already provided to P) was flawed, in that it gave too little weight to Dr B's wish to preserve his right of privacy or to his assessment and concern about potential risk to his professional reputation ([84]). The GMC submits that the judgment is flawed on each of these points as well.
  108. In my view, the judge erred in relation to each of these points. The legal and factual contexts are both important.
  109. The legal context is that the relevant duties under section 7(1) and under section 7(4)-(6) are duties imposed on data controllers. In a mixed data case falling for consideration under section 7(4)(b), a data controller will be obliged to disclose relevant information if it is reasonable in all the circumstances to do so. It is the data controller who is the primary decision-maker in assessing whether it is reasonable or not. The class of persons who qualify as data controllers under the DPA is a very wide one. They come in all shapes and sizes, across a very wide range in terms of resources available to them to deal with SARs which may be made to them. The legislation confers rights on the whole population. The potential number of SARs is huge. In this context, the legislature contemplated that individual data controllers should be afforded a wide margin of assessment in making the evaluative judgments required in balancing the privacy rights and other interests in issue under section 7(4). The incommensurable and very varied nature of the interests of requesters, objectors and data controllers which might be taken into consideration in the balancing exercise under section 7(4)-(6) also indicates that individual data controllers have a wide margin of assessment under section 7(4)(b). This corresponds to the wide margin of appreciation which a public authority enjoys when competing Convention rights under Article 8 of the ECHR fall to be balanced against each other: see Evans v United Kingdom (2008) 46 EHRR 34, [77]. The effect of all this is that, apart from the mandatory relevant considerations identified in section 7(6), data controllers generally have a wide discretion as to which particular factors to treat as relevant to the balancing exercise: cf R (Corner House Research) v Director of the Serious Fraud Office [2008] UKHL 60; [2009] 1 AC 756, [40] per Lord Bingham of Cornhill. They also have a wide discretion as to the weight to be given to each factor they treat as relevant. As Auld LJ stated in Durant at [60]:
  110. "… Parliament cannot have intended that courts in applications under section 7(9) should be able routinely to 'second-guess' decisions of data controllers, who may be employees of bodies large or small, public or private or be self-employed. To so interpret the legislation would encourage litigation and appellate challenge by way of full rehearing on the merits and, in that manner, impose disproportionate burdens on them and their employers in their discharge of their many responsibilities under the Act. …"
  111. If a data controller refuses to accede to a SAR in a mixed data case under section 7(4)(b), the requester may apply to the court under section 7(9) and if the court is satisfied that the data controller has not complied with its obligations under section 7(4) it may order him to comply with the SAR. On the other hand, if the data controller proposes to disclose the personal data to the requester, the objector may apply to the court using the general procedure under CPR Part 8, as has happened here. Either way round, the question for the court is similar: was it reasonable in all the circumstances for the data controller to refuse the request (in the first case) or to decide to comply with the request (in the second). If the data controller did not make a reasonable assessment, in either case the court has a discretion to make the relevant assessment itself and then order the data controller to act on that assessment or to quash the data controller's existing assessment and remit the matter for fresh determination by the data controller. If the court decides to make the relevant assessment itself, it has to seek to balance the competing rights and interests as primary decision-maker.
  112. As regards the factual context, I consider that the GMC did give proper consideration to Dr B's privacy interests. In its reasoning it addressed the particular arguments against disclosure raised in the representations made by BLM on Dr B's behalf. The weight to be attached to Dr B's interests in all the circumstances was a matter for the GMC as data controller. I accept Mr Hopkins's submission that the judge erred in law by, in substance, substituting his own assessment of the weight to be given to Dr B's privacy rights in the balancing exercise for that of the GMC.
  113. I have already noted above that the GMC plainly did take into account that Dr B had expressly refused his consent to the disclosure to be made to P. The weight to be accorded to that factor was again a matter for the GMC as data controller. There is no good ground for the judge's conclusion that it failed to take this matter adequately into account.
  114. I also consider that the judge erred in his assessment at [84]. The GMC did consider the arguments raised by Dr B in relation to the impact of disclosure upon him. It made a lawful and rational assessment of the points he made. The weight to be accorded to them in the balancing exercise was a matter for the GMC as data controller. Its assessment cannot be faulted.
  115. Ground 4: the judge's approach to the factors in favour of disclosure

  116. The judge criticised the GMC for its approach in assessing factors in favour of disclosure in two respects: (i) he said that no significant weight should have been given to providing P with a more detailed understanding of why the GMC had decided to take no further action in respect of his complaint against Dr B, because it had a practice simply to provide complainants with summaries of documents such as the Report ([81]-[83]); and (ii) although there was no evidence that P had an intention to disseminate or publish the Report, "this was a matter which the GMC should have had in mind in any event; particularly given its practice [of requiring the giving of a non-disclosure undertaking] when making disclosures under [the Medical Act 1983], section 35B(2)" ([85]). Mr Hopkins submits that the judge was in error on both these points as well. I agree with this submission.
  117. The principal reason for finding that the judge has erred is, again, that he has departed from the basic approach which is applicable in reviewing the decision of a data controller under section 7(4), as set out above. The judge improperly substituted his own views regarding relevant factors and their weight for those of the GMC as data controller. The assessment made by the GMC under section 7(4) was rational and lawful.
  118. There is nothing wrong or inconsistent in the GMC having a practice of disclosing summaries of expert reports to complainants on a proactive basis, when it explains a decision not to pursue a complaint further under the disciplinary rules, and separately considering whether further disclosure of personal data should be made later on pursuant to a SAR. As noted above, a complainant making a SAR has a legitimate interest within the contemplation of the Directive and the DPA to check that the personal data which have been used by the GMC and the expert in forming their views are accurate.
  119. The GMC was not required to approach disclosure under a SAR in the same way as a public interest disclosure under the 1983 Act. Dr B and his representatives had not suggested that it should. There was no suggestion made by them that P was proposing to publish the Report in an inappropriate way and it was not incumbent on the GMC to speculate about that. As I have indicated above, if Dr B was worried about the possibility of dissemination of the Report by P for wholly inappropriate or illegitimate purposes, it was open to him and his advisers to ask the GMC to seek undertakings from P to protect against that. They did not suggest that this was a course which merited consideration.
  120. Conclusion

  121. For the reasons I have set out above, I would allow the appeal. In my view, the GMC's assessment under section 7(4)(b) of the DPA that disclosure should be made of the Report (on the basis that it comprises in its entirety personal data of P) was a lawful one.
  122. Lady Justice Arden:
     

  123. I have had the considerable benefit of reading the judgments of Lord Justice Irwin and Lord Justice Sales, and I am indebted to them both. I agree with Lord Justice Sales, and so I too would allow this appeal. I do so for the reasons given by Lord Justice Sales subject to the following additions.
  124. Ground 1

  125. In Durant v Financial Services Authority [2003] EWCA Civ 1746 at [55], Lord Justice Auld, with reference to section 7(4) of the Data Protection Act 1988 ("DPA"), explained that there was a "presumption or starting point" against disclosure where the person whose data would be disclosed had not given his consent to disclosure. Lord Justice Sales concludes that this was not part of the ratio decidendi of Durant and I agree with him for the reasons he gives. As I see it, the more natural reading of section 7(4) DPA is that the data controller has alternative courses of action. He can either obtain a valid consent but if he does not do so he can disclose only under section 7(4)(b) DPA. The data subject who does not give consent is adequately protected by section 7(4) (b) without the need for a presumption against disclosure.
  126. Ground 2

  127. I specifically agree with Lord Justice Sales that a litigation motive is not irrelevant under section 7(4) but nor yet is it a disqualifying factor (see paragraph 81 above). Section 7(4) DPA is a special provision dealing with mixed data (adopting Lord Justice Sales' definition of that term). As Lord Justice Auld explained in Durant, there are two stages. At the first stage, the data controller must determine whether the information can be disclosed without disclosing data of another identifiable data subject. At the second stage, the data controller must decide, if he wishes to disclose mixed data, whether "it is reasonable in all the circumstances" to comply with the request without the consent of the other individual whose personal data is included in the mixed data. Parliament's instruction to the data controller is therefore that he must consider every aspect of the matter (as well as follow the instruction in section 7(6) DPA), and that would include any evidence as to the litigation motive of the party making the request.
  128. However, in my judgment, in the usual case the fact that the person requesting the data has it in mind that he may bring litigation should not disqualify him from receiving the mixed data. It is simply a factor to be weighed in the balance by the data controller. There could be exceptional cases where the data controller concludes that the litigation motive outweighs every other consideration, as where the person requesting mixed data is a vexatious litigant or wishes to bring further litigation of a kind that has previously been held to be an abuse of the court. I have taken two extreme examples and there may be other circumstances where the litigation motive carried real weight.
  129. I also agree with Lord Justice Sales that the data controller can take into account any satisfactory undertaking which he is offered as to the future use or integrity of the data (see paragraph 83 above). Before he accepted any such undertaking, he would have to be satisfied that he could properly rely on it, and it might have to be given in a form that was enforceable by the other data subject. The acceptance of such an undertaking could not relieve the data controller of his duty to form a view that the disclosure is reasonable in all the circumstances. Although we have had no argument on this point, it would seem to me provisionally that despite the possible inflexibility of section 7(9) in terms of options for enforcement of compliance, it ought to be possible for the court to be able to accept undertakings in the exercise of its discretion under that sub-section.
  130. It follows on this view that the role played by litigation motive in respect of mixed data is different from that played by it in relation to other data. However, I do not find this surprising. Mixed data involves the use of data which does not pertain solely to the requesting party. Accordingly, it is understandable that Parliament might require the courts to have regard to all the circumstances in this situation.
  131. I further agree with Lord Justice Sales that there is neither evidence of an intended abuse of information by P nor evidence of any request by Dr B for any undertaking to be requested. In those circumstances, these points about litigation motive and undertakings do not make any practical difference to the outcome of this appeal.
  132. Ground 3

  133. The structure of section 7 is important. There is a clear statutory remedy in section 7(9) if a data controller refuses to comply with a request under section 7. However, if the data controller forms a view under section 7(4), there is no specific statutory remedy for an objector. The objector must instead start CPR Part 8 proceedings for a declaration and/or an injunction. The question then for the court will be whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual where section 7(4)(b) applies.
  134. At the hearing, the data controller will adduce his evidence as to the circumstances which in his view make it reasonable to reach that conclusion. If he proves that that disclosure without the consent of the other data subject is reasonable in all the circumstances to the satisfaction of the court, it is not necessary or appropriate for the court to consider whether any other course is reasonable, still less to substitute its own view as to what is reasonable.
  135. It is therefore in my judgment significant that Parliament has used the word "reasonable" and not some other word such as "appropriate". The word "reasonable" conveys that there may be one or more courses open to the data controller and that his choice, if within subsection (4), will prevail. In that sense, I agree with Lord Justice Sales that the court should defer to the data controller and not substitute the court's own opinion.
  136. That brings me to the relief on this appeal. As explained above, I agree it should be allowed.
  137. ANNEX 1
    DATA PROTECTION ACT 1998
    Part I
    Preliminary

    1 (1) In this Act, unless the context otherwise requires—

    ...

    "personal data" means data which relate to a living individual who can be identified –

    …

    and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

    …

    2 In this Act "sensitive personal data" means personal data consisting of information as to—

    (1) …

    …

    (e) his physical or mental health or condition,

    …

    4 (1) References in this Act to the data protection principles are to the principles set out in Part I of Schedule 1.

    (2) Those principles are to be interpreted in accordance with Part II of Schedule 1.

    …

    (4) Subject to section 27(1), it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller.

    …

    Part II
    Rights of data subjects and others

    7 (1) Subject to the following provisions of this section and to sections 8, 9 an individual is entitled—

    …

    (c) to have communicated to him in an intelligible form—

    (i) the information constituting any personal data of which that individual is the data subject, and
    (ii) any information available to the data controller as to the source of those data, and …

    …

    (4) Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless—

    (a) the other individual has consented to the disclosure of the information to the person making the request, or
    (b) it is reasonable in all the circumstances to comply with the request without the consent of the other individual.

    (5) In subsection (4) the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request; and that subsection is not to be construed as excusing a data controller from communicating so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise.

    (6) In determining for the purposes of subsection (4)(b) whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard shall be had, in particular, to—

    (a) any duty of confidentiality owed to the other individual,
    (b) any steps taken by the data controller with a view to seeking the consent of the other individual,
    (c) whether the other individual is capable of giving consent, and
    (d) any express refusal of consent by the other individual.

    …

    (9) If a court is satisfied on the application of any person who has made a request under the foregoing provisions of this section that the data controller in question has failed to comply with the request in contravention of those provisions, the court may order him to comply with the request.

    …

    Part IV
    Exemptions
  138. (1) References in any of the data protection principles or any provision of Parts II and III to personal data or to the processing of personal data do not include references to data or processing which by virtue of this Part are exempt from that principle or other provision.
  139. (2) In this Part "the subject information provisions" means—

    (a) the first data protection principle to the extent to which it requires compliance with paragraph 2 of Part II of Schedule 1, and
    (b) section 7.

    …

    (5) Except as provided by this Part, the subject information provisions shall have effect notwithstanding any enactment or rule of law prohibiting or restricting the disclosure, or authorising the withholding, of information.

    SCHEDULE 1
    The data protection principles
    Part I
    The Principles

    1 Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—

    (a) at least one of the conditions in Schedule 2 is met, and
    (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

    2 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

    …

    6 Personal data shall be processed in accordance with the rights of data subjects under this Act.

    …

    Part II
    Interpretation of the principles in Part I
    The first principle

    1 (1) In determining for the purposes of the first principle whether personal data are processed fairly, regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed.

    (2) Subject to paragraph 2, for the purposes of the first principle data are to be treated as obtained fairly if they consist of information obtained from a person who—

    (a) is authorised by or under any enactment to supply it, or
    (b) is required to supply it by or under any enactment or by any convention or other instrument imposing an international obligation on the United Kingdom.

    …

    The second principle

    6 In determining whether any disclosure of personal data is compatible with the purpose or purposes for which the data were obtained, regard is to be had to the purpose or purposes for which the personal data are intended to be processed by any person to whom they are disclosed.

    …

    The sixth principle

    8 A person is to be regarded as contravening the sixth principle if, but only if—

    (a) he contravenes section 7 by failing to supply information in accordance with that section,


BAILII: Copyright Policy | Disclaimers | Privacy Policy | Feedback | Donate to BAILII
URL: http://www.bailii.org/ew/cases/EWCA/Civ/2018/1497.html