This article explores the case DB v General Medical Council, Liverpool Civil and Family Court, 23 September 2016.
Section 7 of the Data Protection Act 1998 gives individuals a right of access to personal data by way of the "subject access request" (SAR) procedure. Where such a request cannot be complied with unless information relating to another individual is also disclosed, the consent of that other party is required unless it is reasonable in all the circumstances to comply without getting that consent. In DB v General Medical Council, Liverpool Civil and Family Court, 23 September 2016, the Administrative Court recently considered an SAR where DB (a General Practitioner) took action to prevent the disclosure to his former patient of an investigation report obtained by the GMC. The report investigated DB's professional competence following a complaint by the former patient, who later made an SAR seeking disclosure of it. DB refused to consent to disclosure, when asked by the GMC, on the basis that the report contained his personal data and that in making the SAR the former patient was clearly intending to pursue litigation against him. When the GMC indicated that it would disclose without his consent, DB brought judicial review proceedings seeking to quash that decision and prevent disclosure.
The judicial review therefore addressed the ongoing conflict as to how much weight a data controller should place on the purpose of an SAR when deciding whether to make disclosure. The courts have hitherto tended to the view that parties should not use the SAR regime as a means of obtaining pre-action disclosure, which is, in some cases, available to prospective claimants pursuant to rule 31.16 of the Civil Procedure Rules (CPR). However, the Data Protection Act and guidance from the Information Commissioner is more relaxed and takes the view that SARs must be regarded as "purpose blind". The Administrative Court, in deciding that the GMC had got the balance wrong and overturning the decision, set out a helpful summary of the factors it considered should properly have been weighed in the balance, namely that:
- the GMC's starting point should have been against making disclosure in the absence of DB's consent
- DB had expressly refused his consent
- as the report focused on DB's professional competence, the GMC should have given proper consideration to his privacy rights, ensuring any interference with such rights was proportionate to the achievement of a legitimate aim
- the purpose of the request was intended litigation by the former patient against DB (for which the CPR 31.16 procedure was available), rather than checking the accuracy of personal data as held by the GMC (which is what the Data Protection Act provisions contemplated)
The Court concluded that in considering similar SARs, data controllers:
- need to balance the respective rights of the data subjects involved
- should start on the basis that disclosure should not normally be made in the absence of consent (and particularly where there is an express refusal)
- should consider whether CPR 31.16 is more appropriate if the purpose of the SAR appears to be to assist in litigation
This is only a first instance decision. It does not have the authority of, for example, the Court of Appeal's decision in Durant v Financial Services Authority, Court of Appeal, 8 December 2003. But, in setting out the factors the Court held should have been considered, it will be of interest to data controllers, and those advising in respect of SARs, where litigation may potentially arise. Data controllers in particular may want to ensure they properly identify third-party data subjects when considering an SAR, and make early contact to request consent to disclosure. Those contemplating litigation should ensure any SARs they submit are very carefully framed, with the benefit of appropriate legal advice.
