Skip to Main Content
Alpha

Help us to improve this service by completing our feedback survey (opens in new tab).

Johnson v Medical Defence Union

[2007] EWCA Civ 262

Neutral Citation Number: [2007] EWCA Civ 262
Case No: 2006/0596
IN THE SUPREME COURT OF JUDICATURE
COURT OF APPEAL (CIVIL DIVISION)

ON APPEAL FROM THE HIGH COURT OF JUSTICE

CHANCERY DIVISION

MR JUSTICE RIMER

[2006] EWHC 321 (Ch)

Royal Courts of Justice

Strand, London, WC2A 2LL

Date: 28th March 2007

Before :

LORD JUSTICE BUXTON

LADY JUSTICE ARDEN

and

LORD JUSTICE LONGMORE

Between :

David Paul Johnson

Appellant

- and -

The Medical Defence Union

Respondent

(Transcript of the Handed Down Judgment of

WordWave International Ltd

A Merrill Communications Company

190 Fleet Street, London EC4A 2AG

Tel No: 020 7421 4040 Fax No: 020 7831 8838

Official Shorthand Writers to the Court)

Mr Martin Howe QC and Mr Ashley Roughton (instructed by Withers LLP) for the Appellant

Mr Richard Spearman QC and Miss Jacqueline Reid (instructed by Fladgate Fielder) for the Respondent

Hearing dates : 12-14 December 2006

Judgment

Lord Justice Buxton :

Preliminary

1.

This case raises some striking issues arising out of the Data Protection Act 1998 [the 1998 Act]. The case has nothing, or almost nothing, to do with the protection of the privacy and integrity of a person whose personal data is held by another person on a computer, which is usually regarded as being the central mission of the 1998 Act and, even more so, of Directive 95/46/EC [the Directive] that the 1998 Act seeks to implement: as to which see further §§ 15ff below. Rather, it is claimed that the 1998 Act has created rights between the parties that are in substance though not in form of a contractual nature; and rights to compensation for infringement of those primary rights of a nature that did not previously exist in English domestic law.

2.

That claim arises in this way. As will be explained more fully below, Mr Johnson complains that the insurance cover and professional support that he had previously enjoyed under his membership of the defendant [the MDU] was withdrawn unfairly, and by reason of that withdrawal he suffered loss and damage. It is agreed that as a matter of contract, or otherwise in domestic law, he could not complain of that decision, however much he objected to it and however unfair it was. He accepts that the MDU had an absolute discretion to terminate his membership but (at this stage to speak generally of a much-contested issue) decision-making within the MDU that led to the decision to terminate Mr Johnson’s membership involved dealing with and assessing information about Mr Johnson that was held on a computer. That is said to change the entire case, because Mr Johnson can now claim, not that the decision itself was unfair, or not open to the MDU, but that the processing of information that led to that decision was done unfairly. That was a breach of the requirements of the 1998 Act; it caused the decision to withdraw cover; and Mr Johnson can thus recover damages for the loss caused to him by that withdrawal. It should be emphasised that those damages are not calculated according to the common law principles that would be applied if Mr Johnson’s claim had its legal basis in the removal of his cover, but rather are damages calculated and assessed according to the special rules attaching to breach of the terms of the 1998 Act that are set out in section 13 of that Act. Absent the computer, none of these claims would have been maintainable, under the 1998 Act nor under any other chapter of English law.

3.

These propositions, as far as this court is aware novel in their nature, have led to difficult and complex litigation both in this court and below. I apologise in advance for the length of this judgment, which nonetheless only sets out the very minimum required to understand the various issues to which the case gives rise.

Background

4.

Both we and the parties have the benefit of what, if I may respectfully say so, was an eminently thorough and careful judgment by Rimer J, extending to 79 pages of single-space type. The parties were good enough to indicate to this court that they did not take issue with the Judge’s account of the facts, background or structure of the MDU’s operations. In explaining what occurred I shall draw heavily on that account, in many places verbatim. If anyone thinks that they need further information about the case over and above what is contained in the present judgment they may safely resort to the judgment of Rimer J.

The parties, their relationship, and the dispute

5.

I can take this directly from the first nine paragraphs of the Judge’s judgment.

1. The claimant is David Paul Johnson. He is a consultant orthopaedic surgeon. The defendant is The Medical Defence Union Limited (“the MDU”). The MDU is a mutual society which provides its members (who are principally in the United Kingdom and Ireland) with a range of discretionary benefits in the nature of advice and assistance. Until July 2000, it also provided them with discretionary professional indemnity cover, although since then such cover has been provided by an insurance policy underwritten by an insurance company for which the MDU’s subsidiary company has acted as agent.

2. Mr Johnson was a member of the MDU from 1980 to 1985 and again from 1 October 1986 to 31 March 2002. He has never been the subject of a claim for alleged professional negligence. Over the years he has, however, sought advice and assistance from the MDU in relation to professional questions and problems that concerned him, including complaints made against him. His contact with the MDU, and that from others about him, gave rise to the opening (at least since 1991) of 17 MDU files.

3. On 17 January 2002, the MDU wrote to Mr Johnson advising him that it had exercised its discretion under article 11(a) of its Memorandum of Association to resolve not to renew his membership after 31 March 2002, when his then current annual subscription would expire. The letter gave no reasons. Mr Johnson sought the reasons, but none was provided.

4. Mr Johnson was shocked. He had been given no forewarning of the possible termination of his membership. The immediate consequence of what he regarded as his “expulsion” from the MDU was the automatic termination of his professional indemnity cover, a serious thing for a professional person. He was able to obtain prompt alternative cover from the Medical Protection Society (“the MPS”), being cover of the like discretionary nature as the MDU had provided until July 2000 (the MPS does not provide its members with indemnity cover under an insurance policy). But he claims that his expulsion has caused him significant damage of a wider nature. He says he has had to disclose it to hospitals where he has, or has since sought, admitting rights or employment; and he asserts that it reflects that he was regarded by the MDU as a serious risk to its funds, which he says is likely to have had a chilling effect on hospitals who became aware of it. He claims it has damaged his professional reputation. He now asks to be compensated. His claim for compensation is brought under section 13 of the Data Protection Act 1998 (“the DPA”) and is founded on the assertion that his expulsion was the consequence of the MDU’s unfair processing of his personal data.

5. The MDU disagrees with every step in his case. But perhaps its main point is this. It says that over the years Mr Johnson was involved in, or was the subject of, a number of incidents and allegations in the course of his professional life, of which he and others made the MDU aware. By May 2001, his track record had caused the MDU’s risk management department to carry out a risk assessment review in relation to him. That involved an assessment of the various incidents and allegations, with particular features of his case history also being scored by reference to a standard form system that the MDU applies to its members under its risk assessment policy. Mr Johnson’s score was at a level which, in accordance with that policy, justified consideration of his future membership of the MDU by a committee of senior clinicians. The outcome of that consideration was the termination of his membership. The MDU’s position is that the termination was properly in line with the operation of its risk assessment policy.

6. More particularly, the MDU’s position is that its risk management policy, of which the scoring system is part, is not dependent on any allegation against the member being well founded, a question which the MDU does not attempt to answer. It depends simply on the fact that the allegation was made: the MDU does not endeavour to investigate its merits. It applies the same policy to all its members. If (which it disputes) it processed any of Mr Johnson’s personal data whilst carrying out its risk assessment in relation to him, it asserts that he consented to it, that he knew that his data was liable to be processed for the MDU’s risk management purposes and that the processing was in line with its established policy and was fair. It emphasises that it is a non profit-making body, with a duty to protect its funds in the interests of all members, and it asserts that the termination of Mr Johnson’s membership was a decision responsibly made by it in the performance of that duty. It emphasises that, under its contractual relationship with Mr Johnson, it had an absolute discretion to terminate his membership.

7. Mr Johnson’s riposte to that is that a risk management policy geared to an assessment of risk by reference to a catalogue of allegations and what he says is an irrational and arbitrary scoring system is inherently unfair. He says that the MDU should have brought his side of the allegations and incidents into consideration and taken account of it when engaging in the risk review. The MDU’s unfair failure to do so is said to have been reflected in the manner in which it processed his personal data whilst performing its risk review and entitles him to statutory compensation for the damage to him to which he says it ultimately led. He accepts that the MDU had an absolute discretion to terminate his membership, but his case is that, but for the unfair processing, the decision to terminate it would not have been made.

8. The central questions which I have to decide are, therefore: (i) did the risk review involve any processing of Mr Johnson’s personal data; (ii) if it did, was the processing unfair; (iii) if it was, has it been shown that, if the processing had been fair, the termination decision would probably not have been made; (iv) if Mr Johnson succeeds thus far, to what (if any) compensation is he entitled? The answer to each question is in issue.

9. It is fair to note that Mr Johnson’s case is an apparently exceptional one. I was told that the MDU currently has about 160,000 members. The evidence was that in 2002 there were 26 risk review references (including Mr Johnson’s) to the MDU committee which considers such matters. The committee recommended that 16 of the referred members (including Mr Johnson) should not have their membership renewed, and that was the decision that the MDU’s Board of Management made in each case.

The MDU’s procedure

6.

We have already noted the MDU’s policy, which is to assess risk according to the incidence of allegations against a member, rather than according to a member’s claims record, or whether allegations had proved to be well-founded. Something more now needs to be said about that policy, and about the machinery for assessing members and their continuation in membership in the context of that policy. Again, I can rely on the Judge, this time at §§ 30-36 of his judgment:

30. Dr Stephen Green has been head of risk management for the MDU since 1994 (he is actually employed by MDUSL). He qualified as a medical practitioner in 1975 and, after various hospital training posts, trained as a general practitioner. He practised as a GP until March 1992, when he joined the MDU as a medico-legal adviser. In 2002, he was working full time for the MDU, but he has since resumed part-time practice as a GP. He explained that the MDU has, it considers, an obligation towards all its members to protect its funds and regards it as prudent to have an internal procedure for carrying out risk assessments with regard to members about whom it has concerns. That procedure in relation to any member involves a consideration of his case history, which is contained in files opened by the MDU (or MDUSL on its behalf) following any contact made with the MDU either by the member himself or by another member in relation to him. Such contact will typically be made in circumstances in which the member seeks advice, assistance or insurance indemnity. A file will normally only be opened in relation to cases in which correspondence in relation to the matter is already in existence and is provided to the MDU. Dr Green explained that his department also provides and advertises a clinical risk-management service to MDU members and he accepted that it had been doing so since at least about the mid 1990s.

31. The MDU’s risk assessment procedure in operation by 2002 (when Mr Johnson’s membership was terminated) dates from early 1998, when the MDU executive first implemented a formal procedure directed at identifying and assessing members whose membership might represent a disproportionate risk to MDU funds. Dr Tomkins said that the MDU had been giving thought to a risk assessment procedure since 1994. Dr Green, as head of the risk management department, had a central role in its formulation. The procedure was based on the MDU’s experience of the underlying risk factors in complaints and claims reported by members. In devising the procedure, the MDU identified common features in cases reported by members which might be regarded as assisting as an early warning system of future losses. This was regarded as important because the benefits of MDU membership were and are provided on the “occurrence” basis I have mentioned. In time, the risk review process became carried out by MDUSL, but nothing turns on that.

32. Dr Green produced in evidence a document headed “Risk Assessment Procedure”, which he said dated from May 1998 and was the subject of amendments resulting in a final version dated April 1999. It formed the core of the MDU’s risk review policy but is drawn only in very general terms. It opens by stating that some members present a disproportionate risk to MDU funds and can be identified in a number of ways, and it gives three generalised explanations of how they might do so (including “having an unfavourable track record of claims/complaints/disciplinary matters”). It summarised the essence of the review procedure, including the scoring of the subject member. It regarded a score of up to 49 as representing a low risk; one of 50 to 74 as medium risk; and one of 75 and above as high risk. Cases with scores of over 50 were referred to the Risk Assessment Group (“the RAG”), a committee of medical practitioners appointed by the Board. The RAG’s function was to consider the subject member’s case, and make recommendations to the Board as to how it should be dealt with, and the document summarised the options so open to the RAG. It suggests that only a score of above 80 will deserve a recommendation of article 11 treatment. As I shall explain, Mr Johnson’s score was exactly 80. It is not, however, said that this undermines the lawfulness of the recommendation that the RAG made in his case, namely that his membership should not be renewed after his subscription expiry date of 31 March 2002. Mr Johnson expressly disclaims any criticism of the fairness of the RAG’s procedure or recommendation, or indeed of the ultimate decision itself, which was made by Dr Tomkins acting under a delegated power from the Board. His case is built exclusively on the assertion that the recommendation and decision were probably inevitable given the material with which the RAG was presented and that the real problem was that that material had been unfairly processed at an earlier stage. His case focuses on that earlier stage.

33. The 1998 document provides little detail as to the risk assessment procedure that was devised and has in practice been operated since then. The procedure was more fully explained in the evidence. It involves the completion in relation to the subject member of three documents: a Risk Assessment Review form (“the RAR form”); a pro forma score sheet (“the score sheet”); and a Risk Assessment Group sheet (“the RAG sheet”). The work is carried out by an MDU risk manager. In an appropriate case, the completed documents will all be referred to the RAG for consideration. Dr Green’s evidence was that about 50% of members who are the subject of a risk assessment review have their cases referred to the RAG. It was still the practice of the MDU in 2001 and 2002 (when Mr Johnson’s case came up for review) that a score of 50 or more was the level at which there would be a reference to the RAG, but Dr Green said that in cases where special factors were present there could be a reference even if the score was lower (for example, if it turned out that the member had provided misleading information to the MDU when applying for membership). The review of a member may lead to one of several outcomes: for example, (i) he may be notified under article 11(a) that his membership will not be renewed after the expiry of his current subscription; (ii) his membership may be terminated under Article 11(b); or (iii) he may be retained on the adverse risk register, with any instances of further contact being closely monitored. I now refer in more detail to the RAR form, the score sheet and the RAG sheet.

34. The completion of the RAR form is based on files opened in respect of the member. It will contain a summary of the member’s case history. Any allegation, claim or complaint in respect of a member which is the subject of contact by that member with the MDU will generally have resulted in the opening of a file in the member’s name. These files are so-called “lead files”. Files opened with respect to like contact made by another member, but in which the member in question is also identified, are known as “non-lead files”. The files are regarded by the MDU as the member’s case history. When a file is opened a brief summary of the nature of the matter with which it is concerned is given to it. This is known as the “day one summary.” When a risk manager is required to consider a particular member, he will consider the day one summary in relation to each file and will also review some or all of the underlying files, which will be held either in electronic or manual form. The usual practice is for review managers to consider the member’s files over the previous ten years or, if there is a significant number of them, then at least the last ten files. Both assistance and advice files will be reviewed, the task being to identify potential risk factors. The risk manager will make summaries of his review in the RAR form and may add his own observations on matters that occurred to him in his review.

35. Dr Green made it clear, as did all the MDU witnesses (in particular, Dr Roberts, the risk manager who dealt with Mr Johnson’s case), that it is no part of the review procedure for the risk manager, or anyone else, to form or express a judgment on the truth or otherwise of any allegations against the member recorded in the files. If the outcome of a particular allegation is known, it will be included in the review, but it will not always be known: the member may not have reported it. Even if the outcome is known and favourable, that is not regarded as a factor material to the risk assessment exercise. The MDU’s risk assessment policy is based on the principle that it is the nature of the allegation or the incident, not its ultimate outcome, which is regarded as potentially relevant. It is the fact that an allegation has been made that is regarded as predictive in terms of future risk to the MDU’s funds; and the rights or wrongs of the particular allegation or incident are regarded as immaterial. The purpose of the procedure is to identify markers for future potential risk. Dr Green did, however, also make clear in cross-examination that the allegations are looked at in the context in which they had been made and that the RAR form would set out that context. He said that it would seem to him to be unfair if the form merely set out a list of allegations, with no other information at all.

36. The MDU’s experience in these respects is, as Dr Tomkins further explained, that the making of a claim or complaint, regardless of its merits, can be a marker of the likelihood of a future claim or complaint. The MDU engages in no attempt to establish the validity or otherwise of the allegation when engaging in a risk assessment review in relation to one of its members, or to assess blame or culpability, although if, by the time of the review any claim is a settled claim (that is, the MDU has made a payment), the MDU will take into account the fact of the settlement. In practice, it is obvious that the MDU could anyway rarely, if ever, conclusively investigate the merits of an incident or an allegation. The MDU’s policy has been developed against a background in which the MDU’s experience has taught it that there is no direct connection between clinical incompetence and the making of a claim or complaint. There are many doctors – the so-called “benign incompetents” (long on bedside manner, charm and communication skills but short on clinical skills) - who pose a risk to their patients but who will never suffer a complaint or claim; by contrast, a doctor who is clinically highly competent can attract claims; and there is often a long time-lag between the occurrence and the claim. Dr Tomkins referred to a study by Charles Vincent who had analysed some 8.5 million hospital admissions in three specialities and their related clinical records and had estimated that there had been avoidable adverse incidents in 5% of the cases, or in relation to 425,000 patients. But there had not been 425,000 claims or complaints.

The review in Mr Johnson’s case

7.

We have seen, from §32 of the Judge’s judgment, that Mr Johnson makes no complaint about the procedure or the decision of the RAG as such. His complaint is that the material on which it had to work, and in particular the RAR form, was drawn up unfairly, because it was, first, drawn up on the basis of the MDU’s policy of assessing members according to number of incidents or complaints rather than according to their outcome; and second that, because of that policy, the RAR form did not contain, and therefore the RAG did not see, any explanation by the member of the various incidents reported to it. It is this part of the process, the compilation of the RAR form, that is said to fall within the ambit of the 1998 Act. We therefore need to concentrate on how that job was done in Mr Johnson’s case.

8.

Once more, I can rely on the agreed account given by the Judge. He recorded at his §44 that the decision of the MDU Board to refer Mr Johnson for a risk review sprang from consideration of his file No 0001331. It will illustrate the process to set out by way of example the summary of that file that eventually appeared on the RAR form:

Suspension of inpatient and outpatient admitting rights pending investigation into alleged breach of regulations; member asked other member of staff to log into computer data, to which he had no access.

Member notified MDU of incident 2/00. The hospital manager had been approached by two separate junior members of administrative staff who reported that mbr had asked them to log onto system to which he had no access. Hospital manager indicated that similar problem had occurred in 1999, following which member assured management that he recognised error and would not repeat.

Suspended following final occurrence.

Member advised that this is a BMA issue, or that private legal proceedings an option. Board of Management decision that member be not assisted in this case and that member be referred to RA Group

The Judge then gave, at his §§ 44-47, an account of the process that followed:

44. The case was referred to Dr Karen Roberts. Dr Roberts has both medical and legal qualifications. She had joined the MDU in 1999 as a Senior Medical Claims handler and on 2 April 2001 she became employed by MDUSL as a clinical risk manager. There were about four other risk managers also carrying out reviews. Dr Roberts had received training for the task, in particular that her function was to summarise allegations against the member although she also understood that they had to be summarised in a sufficient context to show the circumstances in which they had been made. The review would also include the outcome of the allegation, if known, although often it will not. In Mr Johnson’s case, as in others, Dr Roberts’s task was to prepare an RAR Form, a score sheet and a RAG sheet. She had previously prepared like documentation in other cases and she followed the usual practice. Since 2001, she has carried out about one or two risk reviews per month.

45. Dr Roberts worked on a blank RAR form, score sheet and RAG sheet on an MDUSL computer. She completed the RAR form on 27 November 2001, recording in its first six boxes Mr Johnson’s initials (not his name), address, MDU membership number, GMC number, the date he joined the MDU (recorded as 1 October 1986: she made no reference to his prior period of membership), the date of the next renewal of his membership (1 April 2002), his qualifications (“MD MB ChB FRCS (Orth)”), his surgical speciality (“Orth/Trauma Surg”), and his non-indemnified income (£125,000, being his private practice income and so relevant to the professional indemnity cover provided). The form is deliberately anonymous and if (as with Mr Johnson) the case is referred to the RAG, they will not know the identity of the member.

46. Dr Roberts derived from Mr Johnson’s case history (held on computer under his MDU membership number) that 17 files had been opened for him since 1991 (the practice is to go back ten years). She recorded this in the RAR form, describing 11 files as “active” (an active file is one that has not been closed on the system, although she added that seven such files were apparently either inactive or raised statute-barred allegations) and the other six as “advice” files. She wrote “Nil” against “Costs”, “Indemnity” and “Legal” and recorded a figure of £300 for “Reserves”. That meant that the matters raised in the various files had not resulted in any call on MDU funds, although a small (and unexplained) reserve of £300 had been provided for.

47. Dr Roberts listed in the RAR form each of the 17 files and their day one summaries. She also retrieved and reviewed ten of the underlying files going back to 1995: with regard to the earlier ones, she merely set out the day one summaries. She gave a compressed summary of each file she reviewed.

9.

Since the point is of some importance at a later stage of the argument, it should be noted that three of the files that Dr Roberts worked off were already in electronic form. Those included file 0001331, already mentioned, and also the files about two complaints made to the GMC about Mr Johnson. Mr Johnson contended that it was the matters contained in those files that formed the main basis of the MDU’s adverse decision in his case. The rest of the files were “manual”, that is paper files of the traditional sort. The “day one summaries” were usually one-sentence summaries, on computer, of each of those files. The realistic position is, therefore, that a very significant part of the information that Dr Roberts used was held on a computer, and in order to access the information she had to process the data in the sense of calling the information up on to her computer screen.

10.

The Judge then went on to set out Dr Roberts’ summary of each of the files that she had read. I do not repeat that exercise here; further reference will be made to it when considering the issue of fairness. Dr Roberts, having summarised the files, then made various “observations” that drew attention to certain particular aspects of the files, and went on to complete the standard score sheet. That sheet listed a large range of categories of incident to which, if occurring, a standard points score was awarded. It was Dr Roberts’ task to categorise the various matters revealed by the files, which she did. The score that she gave Mr Johnson was 60 points. She left open for the RAG itself the possibility of adding a further 20 points under the heading of “failure to change behaviour”, that arising in connexion with the repeated complaint about computer misuse that is referred to in §8 above. The RAG did in the event take that step. Dr Roberts also added further observations setting out what she thought should be particularly drawn to the attention of the RAG.

11.

Dr Roberts said that both when categorising the incidents and when making her observations she was not being “judgmental”, but simply applying a standard process. She also said that no-one taking part in the assessment would have been misled by the absence of comment by Mr Johnson, because everyone realised that the process was taking place within the standard policy of the MDU already described. I understand the Judge to have accepted both of those contentions.

12.

The RAR form, score sheet and RAG sheet were duly considered by the RAG, which recommended to the MDU Board that Mr Johnson’s membership should be discontinued. Again, the judgment below goes into considerable detail as to what happened at those stages of the process, but since no complaint is made to us in respect of them I do not need to do more than note the outcome.

13.

I now turn to the Judge’s four questions that are set out in his §8, which I repeat for ease of reference:

(i) did the risk review involve any processing of Mr Johnson’s personal data; (ii) if it did, was the processing unfair; (iii) if it was, has it been shown that, if the processing had been fair, the termination decision would probably not have been made; (iv) if Mr Johnson succeeds thus far, to what (if any) compensation is he entitled?

Put shortly, the Judge’s answers were (i) yes; (ii) only in a minor and inconsequential respect; (iii) and (iv) do not arise, but if they did the answers to them would be (iii) yes, on the balance of probabilities; (iv) £10.50 for pecuniary loss, £5,000 for distress; and if (contrary to Judge’s view) damage to reputation is a valid head of claim under the 1998 Act, £1,000 in that respect. The appellant appeals against the Judge’s finding (ii), and against his approach to, and thus the level of the sums awarded under, (iii) and (iv). The respondents cross-appeal against finding (i) and against findings (iii) and (iv), saying that in any event no damages were recoverable. It hardly needs to be said that that brief summary does not do justice to the elaboration of the issues, to which I now turn.

Was there processing of data in the terms of the 1998 Act?

The legislative framework

14.

The claim is brought under the 1998 Act, which however has to be interpreted in the light of Directive 95/46/EC, which it seeks to transpose into domestic law. The 1998 Act in some places uses different wording from that of the Directive, and the discrepancies were the subject of a good deal of consideration in the written stages of this appeal. However, Mr Howe QC, for Mr Johnson, indicated that in the event nothing in his view turned on the various differences in wording. Nor was it argued, at least in respect of the present issue of the definition of “processing of data,” that the Directive had been inadequately transposed into English law.

The Directive

15.

The Directive is stated to be “on the protection of individuals with regard to the processing of personal data and on the free movement of such data”. That clearly states the main objects of the Directive. First, as is recognised in particular in recitals (1)-(3), the economic development of the Community and of the internal market will be supported by the free flow of data between member states, which free movement will be promoted by uniformity of national laws that affect the use, transfer and retention of data. Second, that use of data, and the national laws that relate to it, must respect the rights of individuals. The most prominent right, specifically set out in the Directive, is the individual’s right to privacy. Accordingly, a leading principle of the Directive is that data should be handled in such a way as to protect the privacy of the data subject. That is shown by various of the recitals to the Directive, such as:

2. Whereas data-processing systems are designed to serve man; whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy….

7. Whereas the difference in levels of protection of the rights and freedoms of individuals, notably the right to privacy, with regard to the processing of personal data afforded in the Member States may prevent the transmission of such data from the territory of one Member State to that of another Member State…..

10. Whereas the object of national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognised both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and in the general principles of Community law; whereas, for that reason, the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community

11. Whereas the principles of the protection of the rights and freedoms of individuals, notably the right to privacy, which are contained in this Directive, give substance to and amplify those contained in the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data

16.

Recital 10 is particularly striking. Under the Marleasing doctrine, Case C-106/89 [1990] ECR I-4135, we are bound to interpret the domestic legislation so as to give effect to the purpose of the Directive. It is not easy to extract from this Directive any purpose other than the protection of privacy, and thus not easy to see any way in which the Directive drives an interpretation in favour of Mr Johnson, who does not claim that his privacy, in the usually understood meaning of that term, was infringed by the MDU. Mr Johnson initially sought to argue, in particular in connexion with an aspect of his claim for damages, that the somewhat general reference in recitals to privacy has to be viewed as a reference to all rights arising under article 8, which latter is noted in general terms in recital 10. But article 8 does not extend its protection to the loss of employment or loss of insurance cover that Mr Johnson fears or complains of. For that conclusion I would respectfully adopt the judgment, binding on us, of the Master of the Rolls in R(Countryside Alliance) v Attorney-General [2006] 3 WLR 1017, especially at §§ 100-103. Mr Howe indicated that in the light of that authority, not reported until well after the written submissions in this appeal had been formulated, he did not pursue the contention that the treatment accorded to Mr Johnson infringed any right under article 8 or, as I understand it, any other article of the Convention.

The 1998 Act

17.

Section 1 of the 1998 Act lists “basic interpretative provisions”. I set out the main relevant provisions, together with some initial commentary on how they apply in this case:

1.-(1) In this Act, unless the context otherwise requires –

‘data’ means information which –

(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,

(b) is recorded with the intention that it should be processed by means of such equipment,

(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system…..

data controller’ means, subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;

‘data processor’, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller;

‘data subject’ means an individual who is the subject of personal data;

‘personal data’ means data which relate to a living individual who can be identified –

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

‘processing’, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including –

(a) organisation, adaptation or alteration of the information or data,

(b) retrieval, consultation or use of the information or data,

(c) disclosure of the information or data by transmission, dissemination or otherwise making available, or

(d) alignment, combination, blocking, erasure or destruction of the information or data; …

(2) In this Act, unless the context otherwise requires –

(a) ‘obtaining’ or ‘recording’, in relation to personal data, includes obtaining or recording the information to be contained in the data, and

(b) ‘using’ or ‘disclosing’, in relation to personal data, includes using or disclosing the information contained in the data. …

4. – (1) References in this Act to the data protection principles are to the principles set out in Part I of Schedule I.

(2) Those principles are to be interpreted in accordance with Part II of Schedule I.

(3) Schedule 2 (which applies to all personal data) … [sets] out conditions applying for the purposes of the first principle; …

(4) Subject to section 27(1), it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller. …

18.

In the present case, and for reasons that it is not necessary to take time in explaining, we are not concerned with a “relevant filing system”. The case is concerned only with automatic processing of data as envisaged in sections 1(1) (a) and (b). In that context, the following points are not in issue.

i)

The information held by the MDU in relation to Mr Johnson’s career and claims record was his personal data

ii)

The MDU was a data controller in respect of that data

iii)

It was therefore the duty of the MDU to comply with the data protection principles in respect of that information.

That is why it is crucial to this case to determine whether any relevant “processing” of Mr Johnson’s data had taken place, because the main thrust of Mr Johnson’s complaint is that it was the MDU’s processing of his data that infringed the Data Protection Principles, and thus was unlawful under the 1998 Act.

19.

The Data Protection Principles are set out in Schedule I to the 1998 Act, the relevant parts of which are as follows:

SCHEDULE I

THE DATA PROTECTION PRINCIPLES

PART I

THE PRINCIPLES

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –

(a) at least one of the conditions in Schedule 2 is met, …

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. …

PART II

INTERPRETATION OF THE PRINCIPLES IN PART I

The first principle

1. – (1) In determining for the purposes of the first principle whether personal data are processed fairly, regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed. …

2. – (1) Subject to paragraph 3 [which is not material], for the purposes of the first principle personal data are not to be treated as processed fairly unless –

(a) in the case of data obtained from the data subject, the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3), and

(b) in any other case, the data controller ensures so far as practicable that, before the relevant time or as soon as practicable after that time, the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3).

(2) In sub-paragraph (1)(b) ‘the relevant time’ means –

(a) the time when the data controller first processes the data, or …

(3) The information referred to in sub-paragraph (1) is as follows, namely –

(a) the identity of the data controller,

(b) if he has nominated a representative for the purposes of this Act, the identify of that representative,

(c) the purpose or purposes for which the data are intended to be processed, and

(d) any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair. …

20.

By far the most important part of these Principles in this case is principle 1(a), fair processing of data. That requires the consideration of the present issue, of whether there was processing of data; and, if so, whether that processing had been fair, a question addressed in the next part of this judgment.

The acts alleged to constitute the processing of Mr Johnson’s personal data

21.

Processing of Mr Johnson’s personal data did take place at various stages of the MDU’s dealings with him and with his case: for instance, when information about him was recorded on the computer files; when Dr Roberts extracted that information from the computer files; when Dr Roberts transmitted her analysis to the RAG; and when the opinion of the RAG was transmitted to the MDU Board or to its delegate Dr Tomkins. But in order to succeed Mr Johnson has not merely to identify an act of processing his data, but to identify such an act that was done unfairly. That act was said by him in his Particulars of Claim to be, and the trial and this appeal proceeded on the basis that what was alleged was

Selecting the information contained in the personal data and thereby presenting a false picture of the situation.

The selection was the process that was performed by Dr Roberts when she drew up the RAR form, score sheet and RAG sheet: see §8 above.

22.

To deal first with a point on which Mr Spearman QC placed some weight in his initial submissions, “selection” of information is not listed amongst the acts of processing specified in the definition of that term in section 1(1) of the 1998 Act. But there is no doubt that during the process Dr Roberts performed operations on Mr Johnson’s data such as retrieving or consulting it; and in any event the examples given in the definition are only examples of the general category of “carrying out any operation or set of operations on the information or data”. The pleading accordingly identifies the stage in the process where Mr Johnson says that unfair processing of data took place, but uses “selection” as essentially a word of such identification rather than of definition.

23.

However, that said, the difficulty for Mr Johnson remains that the selection, and thus the carrying out of operations, of which he complains was done by Dr Roberts, using her own judgement, and not by any computer or by any automatic means. To the extent that the material on which she worked was already recorded on a computer Dr Roberts had to operate that computer in order to access the information, but no complaint is made of that: because it is not suggested that in looking at Mr Johnson’s record Dr Roberts shut her mind to, and therefore refused even to look at, any particular data. Similarly, having made her decisions Dr Roberts recorded them, or caused them to be recorded, in electronic form; but by that stage Dr Roberts had already made her decision, so the subsequent mechanical recording of her decision did not add to the alleged unfairness.

24.

The respondent accordingly says that the answer is simple. The carrying out of the operation on his data that Mr Johnson says was done unfairly was not done by means of equipment operating automatically in response to instructions given for that purpose, as section 1(1) of the 1998 Act requires. Nor was it the processing of personal data wholly or partly by automatic means, to which article 3.1 of the Directive says that its provisions (other than those relating to relevant filing systems) are limited. Rather, the selection of data of which complaint is made was all done not by a machine but by a human being, Dr Roberts. She made the decisions complained of, and no automatic process entered into that decision-making.

25.

This simple approach has undoubted attractions, some of which I shall explain in more detail below. The appellant raised a number of objections to it, which I now consider.

Extended definitions of processing of data

26.

Various parts both of the 1998 Act and of the Directive were relied on to indicate that “processing” was not limited to the automatic treatment of data.

27.

First, by section 1(1) “processing” includes obtaining or recording information or data, and by section 1(2) “obtaining” or “recording” in relation to personal data (our case) includes “obtaining or recording the information to be contained in the data”. It was therefore suggested (in an argument developed more fully in relation to the claim that the whole operation performed by the MDU should be taken as one, discussed in §§ 30ff below) that when obtaining the information about Mr Johnson that was contained in the computer files and day one summaries Dr Roberts was then automatically processing Mr Johnson’s data. That contention does not work, for two reasons. First, it is not the recording or the obtaining of the information that is complained of. It is not suggested that Dr Roberts made errors in retrieval, but rather that, having retrieved the information, she then analysed the information unfairly. Second, what was obtained or recorded by Dr Roberts was already Mr Johnson’s personal data. What further was “to be contained in” his personal data were the expressions of opinion by Dr Roberts that were contained in the RAG sheet and other documents drawn up by Dr Roberts. Those expressions of opinion were further personal data of Mr Johnson; but his complaint is as to the way in which they were arrived at by Dr Roberts, and is not based at all on the fact that, once Dr Roberts had reached her conclusions as to what opinions she should express, those opinions were then recorded on a computer.

28.

Second, it was contended that when Dr Roberts retrieved the material contained in the electronic files she was “using” information that was being automatically processed under sub–paragraph (a) of the definition of “data” and sub-paragraph (b) of the definition of “processing” in section 1(1) of the 1998 Act. Here again, however, one has to revert to the complaint made by Mr Johnson. He does not complain of the way in which Dr Roberts got the material about him on to her computer screen, but about what she did with it once she saw it there. The latter was not any sort of automatic process.

29.

Third, weight was placed on article 2(b) of the Directive, which states that

‘processing of personal data’ shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means

the emphasis being supplied by the appellant. Taken literally, that definition cannot be reconciled either with article 3.1, referred to in §24 above; or with recital 15 to the Directive, which reads:

Whereas the processing of such data is covered by this Directive only if it is automated or [if the data is contained in a relevant filing system]

The answer would seem to be that the very general definition of “processing” in article 2(b) was intended to cover both of the cases addressed by the Directive: automatic processing on the one hand; and processing of material in a relevant filing system on the other. So read, it does not assist the appellant on the present point.

Processing as a continuous operation

30.

This contention, which persuaded the Judge, depends on analysing the whole of the dealing with Mr Johnson’s case, from the gathering of the information by Dr Roberts through to the adoption of the recommendation of the RAG by Dr Tomkins, as one continuous and single operation. Since some, indeed as we have seen many, stages of that operation involve the automatic processing of data, the whole operation is argued to fall under the statutory definition, even in respect of stages such as Dr Roberts’s process of reasoning that were not performed by automatic means. To quote Mr Howe’s skeleton in reply in this court, that whole set of operations amounts to ‘processing’ in the terms of the 1998 Act since it is sufficient if one or more steps are performed by automatic means.

31.

It is quite true, indeed obvious, that Dr Roberts’s selection and analysis of the material was only one step in a more lengthy operation. But as we have seen, the way in which Mr Johnson’s case was presented isolated that selection as the only part of the operation of which complaint was made. Nor was that simply a pleading point, or a mistake by Mr Johnson’s advisers. The stage at which the unfairness allegedly arose, in the shape of the failure to seek Mr Johnson’s explanation or point of view, was when Dr Roberts did her work: not earlier and, because the RAG took the RAG sheet as read, not later either. And the case presented in these proceedings is not that the operation taken as a whole was unfair; and there is good reason why the appellant did not so contend. That is because to complain of the overall decision-making of the MDU would underline even more clearly than did the presentation of the case at trial that the complaint is about the general policy of the MDU with regard to qualification for membership, and not about the way in which the MDU processes data.

32.

Even, therefore, if the approach now under consideration were open to Mr Johnson on his pleadings it would seem highly artificial to say that Dr Roberts was processing data, not because of the conclusions that she drew from the data, but because those conclusions came either before or after the automatic operation of a computer on that or other data. Nor is there any support for the appellant’s analysis in the wording either of the Directive or of the 1998 Act. It was suggested that assistance could be obtained from article 3 of the Directive:

This Directive shall apply to the processing of personal data wholly or partly by automatic means…

However, first, that contention assumes what it has to prove, that the relevant “processing” in the present case is the whole operation on Mr Johnson’s data. And, second, I found persuasive Mr Spearman QC’s suggestion that this definition is an anti-avoidance provision, to prevent arguments that, because some manual operations had occurred in the course of processing, none of that processing could fall under the Directive.

33.

I should also note that reference was made to the decision of the European Court of Justice [ECJ] in Case C-101/01 [2004] QB 1014 (Lindqvist). A web page containing personal information about L and some of her fellow parishioners was composed by L on her home computer and placed on the internet. She was prosecuted for processing personal data by automatic means. The national court referred to the ECJ the question:

Does it constitute ‘the processing of personal data wholly or partly by automatic means’ to list on a self-made internet home page a number of persons with comments and statements about their jobs and hobbies etc?

The ECJ held that the listing of the parishioners was the processing of their personal data, and that the process had been “performed, at least in part, automatically” because of the loading of the page on to the server. The selection of the data had been purely manual, yet there was no suggestion that the processing taken as a whole was not automatic. It is, however, important to remind ourselves of the terms of the question that was asked in Lindqvist, which was limited to whether using the computer to place the list on the net was processing. Plainly it was, for the reason given by the ECJ. By the same token, when Dr Roberts caused the computer to transmit her conclusions to the RAG data was being processed. But it does not help Mr Johnson to establish the latter point, because what he complains of is unfair conduct in the reaching of those conclusions, before that processing of the conclusions took place. I think that in the end it was agreed by the appellant that Lindqvist does not assist in our present concerns.

34.

But Mr Howe has more formidable support from authority nearer home, the decision of this court in Campbell v MGN Ltd [2003] QB 633. That case was regarded by the Judge as conclusive in Mr Johnson’s favour on the processing issue, and it must therefore be analysed in some detail.

Campbell v MGN Ltd [2003] QB 633

35.

The facts are notorious, but must be briefly restated. C complained of the publication by MGN in its newspaper of information and photographs that invaded her privacy. This court explained, at its §122, that

the definition of processing is so wide that it embraces the relatively ephemeral operations that will normally be carried out by way of the day-to-day tasks, involving the use of electronic equipment, such as the laptop and the modern printing press, in translating information into the printed newspaper.

For that reason, it was inevitable that there had been processing of data by automatic means leading up to the print publication, and no-one seems to have argued to the contrary. But that was not the end of it. The issue that exercised the court was that set out in the cross-heading before the court’s §§ 96-106: Does the Act apply to the publication of hard copies? And that on the facts was the important question, because it was that publication that infringed C’s privacy, in breach inter alia of that part of the first data principle that requires the consent of the data subject to the processing.

36.

The court drew attention to the provisions both in the Directive (article 23) and in the 1998 Act (section 13) for compensating persons suffering damage by reason of unlawful processing of data. It said, at its §104, that

While an individual may reasonably find it objectionable that another should record and hold personal data about himself, the greater invasion of privacy, damage and distress is likely to be caused when that information is made public.

In that context, the compensation provisions would not be effective to protect the privacy of a data subject’s personal data if (§105) publication was not treated as part of the operations covered by the requirements of the 1998 Act.

37.

The court accordingly approached the terms of the 1998 Act as follows in its §§ 101 and 103:

101. The definition of “processing” in the Directive and the Act alike is very wide. “Use of information or data” and “disclosure of information or data by transmission, dissemination or otherwise making available” are phrases, given their natural meaning, which embrace the publication of hard copies of documents on which the data has been printed. Is such a meaning consistent with an interpretation which gives effect, in a sensible manner, to the objects of the Act?

103. The Directive and the Act define processing as “any operation or set of operations”. At one end of the process “obtaining the information” is included, and at the other end “using the information”. While neither activity in itself may sensibly amount to processing, if that activity is carried on by, or at the instigation of, a “data controller”, as defined, and is linked to automated processing of the data, we can see no reason why the entire set of operations should not fall within the scope of the legislation. On the contrary, we consider that there are good reasons why it should.

And the court then set out the policy reasons for that approach that I have referred to in §36 above.

38.

I respectfully agree with the Judge that this is an extremely broad approach, that in its literal terms encompasses as “processing” the selection of data undertaken by Dr Roberts. There are, however, four reasons why we are not compelled to that conclusion: a conclusion that, for the reasons that I set out in the next section of this judgment, leads to very surprising results, that I do not think would have been countenanced by the court in Campbell.

39.

First, although the court expressed itself about the status of collection of data before the automated stage of the operation commenced, that was not the question that it was asked, nor was it the issue that concerned it in that case. It is, with deference, perfectly possible to say that the publication of information that has already been automatically processed can, in accordance with the aims of the Act and Directive, be regarded as falling with the terms of the Act and activating its compensation provisions, without taking the same view of the manual analysis of data before any automated processing begins. The court in Campbell did not consider that distinction because it did not need to do so. In our case we are forced to confront the distinction.

40.

Second, the court in Campbell was strongly influenced by the fact that it was dealing with a case of breach of the proper privacy of the processed information. It (rightly) saw the protection of privacy of information as a prime interest of the Directive, so that the 1998 Act had to be interpreted in that spirit: see and compare §15 above. There is no such driving force in our case. For the reasons stated in §16 above Mr Johnson makes no complaint of invasion of his privacy in the sense in which the term is used in the Directive, nor could he do so. Rather, he complains that unfair decisions have been taken, not by the malfunctioning of a computer or by the way in which it was programmed, but by a human being. It is not possible to find in the Directive any concern that human reasoning needs to be covered just because the reasoning is exercised on automated material.

41.

Third, that the court in Campbell was exercised by the particular problem that faced it in that case is further illustrated by its approach to section 32 of the 1998 Act, which (put shortly) exempts from liability personal data processed “with a view to the publication by any person of any journalistic material”. The argument put to the court, which had been adopted by the trial judge, was that the expression “with a view to” limited the exemption to acts prior to publication. The court was very concerned that that limitation would effectively nullify the investigative journalism that the exemption seemed designed to protect. It pointed to how that conclusion could be avoided in its §129:

Under section 32(1) it is the data which is exempt from the provisions of the Act specified in subsection (2). The Act only applies in relation to data. If, as we have held, the Act applies to publication, as part of the processing operation, it does so because the information published remains “data”, as defined by the Act.

We must, of course, be wary of reading too much into that observation. But, first, it reinforces the focus of the court’s concern, as already set out. And, second, if the explanation is that the information remains “data”, by section 1(1)(a) the information achieves that status only because it was processed by means of equipment operating automatically. Information at the pre-processing stage does not share that quality.

42.

Fourth, to revert to the issue in this case, as we shall see when we consider the way in which it is said that Dr Roberts acted unfairly, the main thrust of Mr Johnson’s complaint is that Dr Roberts applied what he says is the unfair policy of the MDU. I do not find it easy to think that the court that decided Campbell would, if confronted with that question, have thought that the use of automatic processing once Dr Roberts had finished her work exposed that work to the compensation provisions of the 1998 Act.

43.

That consideration leads to a wider concern, that the interpretation urged by the appellant and accepted by the Judge would give rise to very surprising outcomes. First, a number of types of situation that under English law do not involve legal rights and obligations would do so if a computer were to be involved in any aspect of them. Second, a very wide range of decision-making would be exposed to potential scrutiny by the court in terms of “fairness”, expressed in the entirely general terms of the 1998 Act. Those concerns are explored in the next section.

Some implications of the Judge’s view

44.

If the Judge is correct, any exercise in decision-making by an individual the results of which are then as part of the same operation recorded or transmitted in electronic form will be subject to scrutiny under the Data Protection Principles, including the requirement that the processing (such as, on this view, the decision-making is) should have been conducted fairly. That leads to many alarming examples: some of these render justiciable decisions that are socially trivial; others render justiciable decisions in respect of which there are good policy reasons why the courts should abstain from interfering. Some but not all of these were explored with counsel in the course of argument.

45.

Hotels, or doctors, or barbers, now often keep their appointments lists on a computer. The putting on to the computer of the name of the customer (personal data) who has been allocated a particular room or appointment involves automatic processing of that data. If the human decision on allocation of rooms or appointments that precedes that processing is itself part of the processing, the hotel or doctor will have to answer for the allocation under the first Data Processing Principle. Mr Howe agreed that that would be so, but only if the manager consulted computerised information (for instance, as to whether the client was a regular customer) before deciding who should get the better room. That is alarming enough; but I am not at all sure that it was consistent with Mr Howe’s argument to make even that reservation, if presence of automatic processing at any stage of the operation (in the present case, entering the client’s name on the room register) is sufficient to bring all parts of the operation within the 1998 Act.

46.

Judges when they have decided what their reserved judgments should say place those conclusions on a computer, or dictate those conclusions for typing up by their clerk, again by use of a computer. Judgments tend to contain or to refer to a good deal of personal data in respect of the parties to the case. Judges are for that reason data controllers under the terms of the 1998 Act; but one does not need to stress the oddity of a conclusion that the typing of the judgment brings the decision-making process that preceded the typing within the “fairness” terms of the first Data Processing Principle. Mr Howe, as I understood him, did not demur from the suggestion that that was indeed the effect of the provisions of the 1998 Act, but said that the judge would be immune from suit under the rule of judicial privilege or immunity, which Parliament must be taken to have had in mind when enacting the 1998 Act. That may well be so. The point rather is that it is odd and unsatisfactory to have to rely on that doctrine in order to avoid the application to the judge of what the appellant says is the meaning and effect of the words used in the 1998 Act.

47.

And that defence would not avail parties who do not benefit from special immunities, unconnected with data protection, provided by domestic law. Thus, employers assess employees for promotion on the basis of their personal qualities, which involves decision-making based on personal data. If that personal data is held on a computer, alternatively once the decision is typed up on a computer, it follows from the appellant’s argument that the fairness of that decision becomes justiciable not in terms of employment law, but in terms of data protection. The same is the case in the public as well as the private sector. Government no doubt has to make many policy decisions that involve taking a view on individuals. Again, whether based on computerised data or once made typed on to a computer, the decision can be challenged on grounds of fairness, even if there is no other ground of challenge in law, and strong reasons of policy why there should not be a challenge in law.

Conclusion

48.

The width of the contention advanced by the appellant is shown by the present case, where Mr Johnson, who agrees that he has no right in contract or in any other chapter of English law to challenge Dr Roberts’s selection of the information contained in his personal data, asserts that he can nonetheless mount these proceedings because her act of analysis is covered by the First Data Protection Principle. I would not be prepared to conclude that the 1998 Act has had that effect, and the other widespread effects suggested in §§ 44-47 above, unless I was driven to it. Far from that being the case, neither the 1998 Act nor the Directive give any support to the appellant’s case. I would therefore hold that the Judge was wrong to find that Dr Roberts’s selection of the data amounted to processing of data in the terms of the 1998 Act, and I would allow the cross-appeal on that point.

49.

After the text of the foregoing section of this judgment, §§ 14-48 above, had been completed I had the benefit of reading in draft the judgment to be delivered by Arden LJ. With appropriate diffidence I venture some brief further observations.

50.

First, the principles to be applied in reading Community legislation, including the detailed guidance given by my lady in her judgment in Commissioners of Customs & Excise v IDT Card Services Ltd [2006] STC 1252, are not in doubt. Those principles have to be applied to the only issue in this part of the case: whether the act complained of by Mr Johnson as identified in his pleadings as quoted in §21 above, the selection of information by Dr Roberts, was an act of processing of data in the terms of the Directive.

51.

Second, I entirely accept that it is not conclusive that the proposition on which that claim rests (that the mental process of selection became the processing of data because it was prefatory to the recording of the results of the selection on a computer) leads to the practical results indicated in §§ 44-47 above; even though counsel had no adequate explanation for those practical results, and even though none of the examples given are covered by the exceptions to the Directive’s ambit to which my lady refers. I also entirely accept that it is not conclusive that the claim is plainly inconsistent with recital (15) to the Directive. I was not aware that I had argued that recital (15) must predominate over the rest of the Directive, and regret if the terms of my judgment give that impression.

52.

Third, however, both of those factors mentioned in §51 above should cause us to proceed with care. That care leads me to be very cautious about a reading of article 2(b) of the Directive that allows the words “whether or not by automatic means” effectively to override the scheme of the rest of the Directive: see §29 above. And that caution is borne out, in relation to the present case, by article 3.1, the “scope” provision, which limits the reach of the Directive to either (i) processing wholly or partly by automatic means; or (ii) or processing of data in relation to a [relevant] filing system. This is not a filing system case; and the act with which we are concerned, I repeat, the selection by Dr Roberts, was not partly by automatic means, but not by any automatic means at all.

53.

So far as authority is concerned, Lindqvist is of no assistance, because the issue in that case concerned what was on any view processing, the adding of material to an internet home page. And it would be fruitless to speculate as to whether the apparent absence from the European jurisprudence of any further discussion relevant to the present issue indicates that no-one has previously thought that the Directive has the application that Mr Johnson asserts. As to Campbell, I do not understand it to be argued that the case is authoritative in the sense that, whatever appears to us to be the state of the Community jurisprudence, we are obliged to follow Campbell under the rule in Kay v Lambeth LBC [2006] 2 AC 465; and to the extent that it is suggested that a ratio of the case relevant to the present point is to be found in §129 of Campbell I venture to draw attention to what I say in §41 above. The reality is that Campbell was not addressing the present issue, and for reasons that I have already set out at length cannot be used to drive to a conclusion on that issue that is otherwise unpersuasive.

54.

The decision on the cross-appeal is sufficient to dispose of the entire proceedings in favour of the MDU, but in view of the detailed argument that we have received about the other issues I go on to consider them as well.

Was the processing fair?

Preliminary

55.

There were three potential ways in which it was said that the processing, in the shape of Dr Roberts’s selection of the information, was unfair. First, that she herself acted unfairly or wrongly even within the limits of the MDU’s policy that she was applying. Second, that the processing of information in the “non-lead” files (that is, files containing information obtained from other members of the MDU rather than from Mr Johnson himself) was automatically unfair, because, in breach of paragraph 2(1) of Part II of schedule 1 to the 1998 Act (see §18 above), Mr Johnson had not been informed that the MDU held that data, or what they were intending to use it for. Third, that the policy of the MDU that Dr Roberts applied, of only having regard to incidents and not to their outcome, and of not taking into account the member’s explanations or counter-arguments, was unfair in itself.

56.

As to the first of these potential objections, the judge took it upon himself to go in careful detail in his §§ 127-195 through all of the analysis of information undertaken by Dr Roberts. He concluded in respect of the files generally, in his § 197, that

I find that in no case did her summary, again measured by reference to the MDU risk assessment policy, reflect any unfairness, or at any rate any material unfairness.

That general conclusion was not challenged before us.

57.

Second, as to the (two) non-lead files, the Judge held, at his §112, that they had been processed unfairly, on the ground mentioned in §50 above, but not because Mr Johnson ought to have been consulted about them. However, Mr Howe very fairly said that he was not able to challenge the Judge’s further conclusion, in his §199, that the processing of the non-lead files had not made any material difference to the decision that was taken about Mr Johnson’s membership, and therefore that the unfairness had not caused any loss. It is not therefore necessary to pursue further the Judge’s conclusion as to the initial unfairness.

58.

That leaves Mr Johnson’s major criticism of the MDU, that its policy was unfair. I preface consideration of that issue with a warning. This part of the judgment is necessarily hypothetical, because it addresses an issue that on my finding set out in §47 above does not arise. That causes an even more significant artificiality than is normally the case with hypothetical issues. The enquiry is and has to be into the MDU’s general policy. That policy would exist whether or not there was any processing at all involved in the MDU’s operations, and the fairness or otherwise of the policy has to be assessed entirely divorced from the processing that is relied on to bring the policy into issue in the first place. That that is the outcome of the appellant’s case on processing is another reason that compels me in the direction of thinking that that case must be wrong. The hypothesis however requires me to bring quite general considerations to the quite general issue of the MDU’s policy, without limiting the enquiry to any specific question regarding the MDU’s holding and use of automatic data.

The MDU’s policy and the Judge’s approach to it

59.

The Judge came to his consideration of the fairness of the MDU’s policy by addressing the complaint made by Mr Johnson under paragraph 2(3)(d) of Part II of Schedule 1 to the 1998 Act and (the same wording) article 11 of the Directive, that he had not received information that was required to guarantee the fairness of the processing. However, as the Judge pointed out, what Mr Johnson wanted was not information as such, but rather to know what Dr Roberts was proposing to put into the RAR form, so that he could add to that information and make submissions to the RAG about it. Of that, the Judge said in his §107:

The complaint is that, having processed the personal data from the lead files, Dr Roberts did not consult Mr Johnson about the fruit of her work. But by then the relevant processing had been done and the suggested consultation cannot naturally be regarded as a continuation of the processing. Mr Johnson’s complaint that he was not consulted about Dr Roberts’s work is, in substance, nothing other than a complaint that he was not entitled to make representations to the RAG about his case. He has specifically disclaimed that he had any right to do so, and so his case under this head is nothing other than an attempt to say that he should have enjoyed a like right at an earlier stage and as part of the processing exercise. In my judgment, that contention is misconceived.

That the Judge thought that “the relevant processing” was completed as soon as Dr Roberts had made her selection was, of course, loyal to Mr Johnson’s pleaded case, but as a broad proposition it is difficult to reconcile with his analysis of the nature of processing, as discussed above. But however that may be, the Judge was with respect right to think that no guidance as to fairness was to be found in the legislation.

60.

The Judge then went on to consider whether consultation was in any event appropriate, whatever the guidance in the legislation. Of that, he said this, at his §§ 109-110:

109. In considering this, I regard the starting point as the MDU’s risk assessment policy. As I have explained, and find, that policy was one under which the MDU assessed a member’s potential risk to MDU funds by reference exclusively to the allegations made against him, or the nature of the incidents in which he was allegedly involved. Whether the allegation was justified or not was regarded by the policy as irrelevant, as was (at least generally) the outcome of the allegation (if known). It is easy for an outsider, with no experience of the type of risk management in which the MDU was engaged, to leap to a judgment that such a policy was unfair and that a fairer one - which might perhaps be expected to enable a more reliable assessment of future risk – would be one in which the merits of each allegation are, so far as possible, assessed, although there are obvious limits to that possibility. If a policy of that sort were one that the MDU in fact employed, it is also easy to see that a fair assessment of the merits could only be arrived at after (at least) consulting the subject member for his comments on the allegations made against him.

110. That, however, is not the policy that the MDU has developed and adopted and, with respect to Mr Howe’s unqualified submission to the contrary, I regard it as no part of the court’s function to pass judgment on the merits of the policy that it did adopt. The policy was devised as a result of the MDU’s own experience and its formulation was essentially a matter of commercial judgment exercised in what I have no doubt was complete good faith in the interests of the members of the MDU generally. It was also formulated against the background of a contractual relationship between the MDU and its members under which the MDU had and has an absolute discretion to terminate a member’s membership and in which it was in the interests of all members that it should have a sound risk assessment policy. …Like all MDU members, [Mr Johnson] must take the MDU risk assessment policy as he finds it; and, given its nature, I see no basis on which it can be said that his input was necessary in order that the data could be fairly processed. The MDU could process his data in the circumstances in which it did perfectly fairly without his input, and the evidence from the MDU witnesses satisfied me that his input would be unlikely to have made any difference to the assessment of his case: because, put shortly, the policy regards a member’s input as essentially irrelevant.

61.

Mr Howe criticised the Judge’s very generally expressed statement that the court could not pass judgement on the MDU’s commercial policy, and I think that that criticism was, in verbal terms, well-founded. Once the court is launched on an enquiry into “fairness”, it cannot conclude that conduct is fair just because it is adopted in obedience to the party’s commercial policy. The judge’s statement may indeed reflect some (justified) unease on his part at the way in which the very broad construction that he was persuaded to place upon the 1998 Act had led him into an enquiry from which the court would normally be excluded. However, the Judge did not in the event regard his view as to the paramountcy of the MDU’s policy as excluding him from considering the justification for that policy in terms of fairness, which he did in his §§ 114-126, under the heading “Was the processing anyway unfair?”

The Judge’s conclusion on fairness

62.

Various decisions of the Data Protection Tribunal were put before the Judge and before us. The Judge did not find them of assistance, save in that they explained that “fairness” required consideration of the interests not only of data subjects (such as Mr Johnson), but also of data users (such as the MDU). I would respectfully endorse that judgement. The Judge went on to apply that approach in his §123:

It is easy to see how [Mr Johnson] regards the decision in his case as unfair but it has to be remembered that the policy is directed at risk management – at preserving the MDU funds against a risk of claims, and the incurring of costs, in the future. The MDU experience is that a risk of that nature cannot be measured simply by awaiting the happening of a statistically significant number of occurrences that do in fact cause a drain on its funds. It is also that the risk of complaints is not a matter that is necessarily geared to the clinical competence of a doctor. The likelihood of complaints may well be based just as much on the way in which the doctor gets on with his colleagues and patients. A complaint, when made, may well be unfounded, but may also be expensive to defend. The objective of the risk management policy is to minimise the exposure of MDU funds to such expense. The policy that the MDU has developed is to assess risk by reference to whether the particular doctor attracts complaints. It is not assessed by an attempted investigation of whether there is anything in such complaints, an investigation which in practice could anyway not be carried out in any conclusive way. It would be possible to obtain the member’s view of the complaint, but it is not part of the policy to do so because (a) it would only provide part of the picture and (b) it is a part which the policy does not regard as material to the assessment which the risk review is making. A wider investigation would usually be impracticable. In defending the MDU’s risk assessment policy as fair, Mr Spearman emphasised that it has to be viewed against the background in which there is a contractual relationship between the MDU and its members and in which the MDU has a positive duty, in the interests of all its members, to adopt a responsible risk assessment policy directed at preserving its assets. The fairness of the processing of a member’s personal data has to be considered in that contractual context.

63.

Some complaint was made that the Judge had not received proper evidence to support his view of the MDU policy, and in particular that the MDU witness who explained it to him was not a statistician, and therefore could not vouch for the reliability of the MDU’s assumptions as to risk. That evidence was summarised in §§ 35-36 of the Judge’s judgment, set out in §6 above. I am not moved by those objections. The Judge was entitled to take the commonsense view that the MDU were responsible for running the business, in the interests of members as a whole, were in no respect suggested to be acting in bad faith, and had adopted a rationally thought-out policy that, at the lowest, was not clearly unjustified. And the Judge’s analysis, set out above, was entirely open to a judge with considerable experience of company affairs.

64.

I would accordingly hold that there is no basis for dislodging the Judge’s finding that in any relevant respect the MDU’s processing was not unfair. Mr Johnson fails on that point also. Again, however, I go on to pile hypothesis on hypothesis, and consider whether, if Dr Roberts’s application of the policy had been “processing”, and if that processing had been unfair, that unfairness would have affected the MDU’s decision.

If the processing had been unfair, would that unfairness have affected the MDU’s decision?

65.

The Judge first considered what would have occurred had Mr Johnson been permitted to state his case, but the MDU had adhered to its policy. That was a somewhat unreal set of hypotheses, because, as the Judge said in his §200, the MDU would have regarded what Mr Johnson had to say as irrelevant under the policy.

66.

Mr Spearman also submitted that if one read the Judge’s lengthy account of the files summarised by Dr Roberts in the light of the explanations that Mr Johnson gave in the present proceedings, it was clear that in many cases what Mr Johnson wanted to say would have made his position worse. I do not pursue that argument (well though I understand why the MDU properly wanted it to be before the court), because the Judge’s findings were dependent on the MDU’s policy, which at this stage of the discussion he had held Mr Johnson could not in any event challenge.

67.

The Judge however went on to consider the case from a more radical standpoint, which can be best described in his own words, from §§ 201-202 of the judgment:

201. The final hypothesis I have to consider is the possibility that, contrary to my view, the requirements of fair processing under the DPA required the MDU to tear up its established risk assessment policy and operate the quite different type of policy that Mr Johnson urged would have been fairer. That was one which required the abandoning of the score sheet, with its alleged potential for arbitrariness and irrationality; which required the RAG to assess so far as possible the merits of a particular incident or allegation, at any rate by taking account of the subject member’s representations on it; and which required the RAG to engage in a more sensitive analysis of which incidents and allegations were of real potential seriousness and which were not.

202. For reasons given, I reject the suggestion that Mr Johnson was entitled to have his data processed and case considered by reference to his own inexpert assertions as to the risk assessment policy that the MDU should apply. I consider he had to take the MDU’s policy as it was and is. If, however, I am wrong on that and Mr Johnson is right that his data should have been processed, and his case considered, in the way I have just summarised, then I find that it is probable that the MDU would have come to a different decision about the termination of his membership.

68.

Mr Spearman complained that his clients had been given no warning of this part of the Judge’s consideration, and had had no chance to meet it. I think that that complaint is justified. The discussion of the hypothetical outcome if Mr Johnson had been given a chance to put his case had all taken place in the context of the existing policy. What would have happened if the RAG had applied to Mr Johnson’s explanations the more sensitive analysis mentioned by the Judge at the end of his §202 never seems to have been addressed. Because it understood, rightly, that what was complained of was the steps preliminary to the deliberations of the RAG the MDU called as witnesses none of the RAG’s decision-makers, who could have given evidence as to their view of Mr Johnson’s case assessed against the Judge’s hypothesis. Mr Howe said that that was not a sufficient answer, because causation had been put in issue generally. But that had been done in Mr Johnson’s pleadings in terms that can at best be described as gnomic:

“Unfair processing led to unfair meeting documents leads to expulsion”

That said nothing to alert the MDU to the need to meet the specific hypothesis adduced by the Judge.

69.

Mr Spearman also took us to the evidence of Dr Tomkins (as to whom see §§ 31 of the Judge’s judgment, set out in §6 above) who had attended the RAG meeting, and who said that she did not think that it would have made a difference to the deliberations if the RAG had been given Mr Johnson’s account of the files. Some caution must be exercised about that statement, because it seems to have been made in the context of the MDU’s existing policy. The point however remains that there was no sufficient evidential base for the Judge’s conclusion; and for my part I do not consider that that conclusion is self-evident to the extent that it can be reached without hearing the view on it of the MDU executives who would have had to make the decision.

70.

I therefore conclude that the claim that a different policy would have led to a different result was not sufficiently pleaded, and in any event not sufficiently proved. The conclusion in §202 of the judgment was not open to the Judge.

71.

Even, therefore, if I am wrong both on the issue of processing and on the issue of fairness Mr Johnson’s case still fails. I nonetheless go on to consider what compensation would have been recovered by Mr Johnson on what is now the triple hypothesis that his case fell under the 1998 Act; was handled unfairly in the terms of that Act; and that unfairness caused him to lose his membership of the MDU.

Compensation

The legislative structure

72.

Article 23 of the Directive states that

Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of an act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered

The Judge recalled that article 249 EC leaves to member states “the choice of form and methods” in achieving the results required by a Directive. That choice has been made in section 13 of the 1998 Act, which provides:

13. – (1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.

(2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if –

(a) the individual also suffers damage by reason of the contravention

73.

Mr Johnson sought damages under three heads: pecuniary loss, incurred in achieving cover from another society, the MPS; damage for the distress caused to him by the removal of his cover with the MDU with no explanation given; and damage inflicted on his reputation by the removal of his MDU cover. Damages for distress are, by the plain terms of section13(2)(a), only available if the claimant also suffers other “damage”. Mr Howe argued that that limitation was inconsistent with the general rule of compensation for damage to be found in the Directive. The latter should be read in an autonomous Community sense, as requiring the provision of compensation for any sort of damage recognised in national law.

74.

While, like the Judge, I find this point not entirely straightforward, also like him I cannot accept it. In the absence of specific Community authority, none of which we were shown, I do not accept that the Directive has to be read so widely. I bear in mind Mr Spearman’s warning that the national laws of the member states differ in their approach to damages, and in particular in relation to compensation for injury to feelings or reputation. There is no compelling reason to think that “damage” in the Directive has to go beyond its root meaning of pecuniary loss. Nor do I accept Mr Howe’s contention that the fact that the Directive envisages the protection of rights under article 8 of the European Convention (as to which, see §15 above) entails that compensation must be available in every case for loss of a type or category that would be covered by article 8: for example, damages for distress. If a party could establish that a breach of the requirements of the Directive had indeed led to a breach of his article 8 rights, then he could no doubt recover for that breach under the Directive, without necessarily pursuing the more tortuous path of recovery for a breach of article 8 as such. But that is not this case, since it is agreed that Mr Johnson can make no complaint under article 8: see §16 above. There is no reason to think that the Directive nonetheless requires Mr Johnson to be able to recover for a head of loss available under article 8 even if domestic law denies him that recovery.

75.

This issue of construction matters in the present case in particular because by the terms of section 13 distress damages are only available if damage in the sense of pecuniary loss has been suffered. With that in mind I turn to the three heads of compensation that were claimed.

Pecuniary loss

76.

Mr Johnson originally claimed substantial amounts allegedly incurred in his attempt to obtain cover from the MPS. All of that case failed. However, at a late stage of the trial, and after Mr Johnson had left the witness box, a hotel bill was produced allegedly relating to the negotiations with the MPS. That bill showed items that, as the Judge found, were incurred by Mr Johnson for other purposes, but also included, apart from Mr Johnson’s own bed and breakfast charges, a sum of £10.50 for an additional breakfast. After some lengthy consideration of the matter the Judge concluded, at his §230, that

I am prepared to find, on the probabilities, that the £10.50 for the extra breakfast was referable to the meeting with the MPS representative. I have no reason not to accept Mr Johnson’s evidence that such a meeting took place

No doubt the meeting took place, but the Judge had no evidence from Mr Johnson that it was over breakfast or that the extra breakfast that he paid for was eaten by the MPS representative; and much less that any purchase of breakfast was required of Mr Johnson as a step in the process of obtaining cover, a matter that I am certainly not prepared to assume. The Judge was not entitled to find that this, the only item of pecuniary damage that survived, was attributable to damage for which the MDU was responsible.

Distress

77.

Applying as I do the terms of section 13(2)(a), this claim fails in limine by reason of Mr Johnson’s failure to prove damage in the terms of section 13(1). The Judge would have awarded £5,000 under this head if he had found the case proved. Mr Spearman criticised that amount, as plainly too high for the modest level of distress that the Judge had found, when compared with the standard measures for various kinds of personal damage. I agree with that criticism, but in view of the findings in the rest of this judgment it would be an undue use of judicial time to reason the matter out.

Reputation

78.

Unlike “distress”, this head of loss is not envisaged in the 1998 Act, and there is no reason to think that it is inherent in the provisions of the Article. The Judge rejected on the facts a number of specific claims under this head, and his decisions are not appealed But in addition, and no doubt inspired by the English law of defamation, the appellant, although he did not prove any actual loss of reputation, much less any financial loss or other tangible detriment that had flowed from it, nonetheless relied on assumptions that his reputation must have been damaged and that a financial value must be put on that damage. I am certainly not prepared to import those assumptions, peculiar to, and in the view of some an unedifying feature of, the English law of defamation into this wholly different chapter of the law. Mr Johnson’s inability to prove any loss destroys this claim, as the Judge rightly held. Nor can English law be said in that regard not to respect its obligation to give compensation for loss of reputation caused by unfair processing of automatic data. If an Englishman thinks that that has occurred he can always actually sue in defamation, with the prospect of recovering far more, and on a less exacting basis, than he would find in other member states of the Community.

Disposal

79.

I would dismiss the appeal; allow the cross-appeal; and uphold the Judge’s order dismissing the claim.

Reference to the European Court of Justice

80.

The appellant has applied for certain questions to be submitted to the European Court of Justice. We deferred that application until we had heard the appeal. With the benefit of the considerations set out in the body of this judgment I would not make any reference Only two of these issues give me pause. The first concerns the proper understanding of processing in the context of the Directive. But although this court is unfortunately divided on that issue, the majority has been able to reach a conclusion on it without the need of the assistance of the ECJ. The second issue is the proper construction of article 23 of the Directive, and whether it is properly transposed into domestic law by section 13 of the 1998 Act. However, and additionally, there are substantial grounds, not affected by either of those issues, why the appeal must fail in any event. That being so, it would not be appropriate to occupy the time of the ECJ on matters that cannot affect the outcome of the litigation.

Lady Justice Arden:

81.

I have had the benefit of reading in draft the judgments of Buxton and Longmore LJJ. I agree with the judgment of Buxton LJ, save on one issue, that of processing. I consider that the judge came to the right conclusion on this issue. It follows that I am not in agreement with the judgment of Longmore LJ on the same issue. In my judgment, Dr Roberts' selection of the data amounted to “processing” for the purposes of the Data Protection Act 1998 (“the 1998 Act”). I also wish to make some additional observations about the application of the first data protection principle, that of fairness, and the question of a request for a preliminary ruling. I agree with Longmore LJ’s observations in paras. 158 to 160 of his judgment that the assessment of risk by reference to allegations without further reference to explanations or outcomes is not unknown to the law for the reasons that he gives, and that this lends support to the conclusions reached by Buxton LJ and myself in relation to the fairness principle.

Summary

82.

In my judgment, for the reasons given below:

(1) the 1998 Act must be interpreted so far as possible in conformity with the data protection directive 95/46/EC (“the directive”);

(2) the directive applies to the selection of information constituting personal data which following such selection is to be placed on a computer;

(3) the decision of the Court of Justice of the European Communities (“the Court of Justice”) in the Lindqvist case [2004] QB 1014 provides some slight support for this conclusion;

(4)

the statutory definition of “processing” in the 1998 Act can be interpreted in conformity with the directive;

(5)

my conclusion on processing is consistent with the conclusion of this court in Campbell v MGN [2003] QB 633;

(6)

accordingly, the judge was right to conclude that the selection of personal data about Mr Johnson and its presentation on the RAR form, the RAG form and the score sheet constituted “processing” for the purpose of the 1998 Act, and the Medical Defence Union Ltd (“the MDU”) as the data controller thus had a duty to comply with the data protection principles.

83.

The facts are very fully set out in the judgment of the judge, now reported at (2006) 89 BMLR 43, and it is unnecessary for me to repeat them. Like the judge, I will refer to the risk assessment review form as the “RAR form” and to the risk assessment group sheet as the “RAG sheet”.

84.

As recorded in the minute of order of Deputy Master Arkush dated 20 September 2005, the acts of processing relied upon by Mr Johnson are “selecting the information contained in the personal data and thereby presenting a false picture of the situation”. The act of selection was accordingly relied on as a step towards the presentation of the information by automated means. The personal data were listed in schedule 1 to the amended particulars of claim and included information extracted from MDU’s files and inserted into the RAR form and the observations added by Dr Roberts’ word processor. The gravamen of the MDU’s case before the judge was that the directive and the 1998 Act required both steps to be done by automatic means; otherwise, the selection of information was not “processing” for the purpose of the directive or the 1998 Act (see judgment, para 91). The judge rejected that argument (judgment, paras 96 and 97). Accordingly, on this appeal, the sole issue on processing is whether Dr Roberts, by virtue of manually selecting information from various (non-electronic and electronic) files, which thereafter was presented by automated means, thereby “processed” information for the purposes of section 1 of the 1998 Act. At its very essence, the question is whether, and if so when, the statutory restrictions on data processing apply to extracting information from non-electronic files and putting them into electronic form.

85.

Mr Spearman QC, for the MDU, accepts that the 1998 Act applies to information which has been, or is being, automatically processed. His case is that the 1998 Act does not apply to information processed or selected manually except in three situations. Those situations are: (i) where the information is stored in a “relevant filing system” at as defined in the 1998 Act; (ii) where a manual element has been introduced in an attempt to avoid the mandatory requirements of the 1998 Act, and (iii) (if contrary to his primary submission this court was correct in law in para. 103 of its judgment in the Campbell case) where information is stored by electronic means but is then produced in hardcopy format as part of a process linked to that of automatic processing. None of those situations arises in this case.

The importance of the issue

86.

A concrete example may help to illustrate the importance of the issue on “processing” arising here. Suppose that an employee provides his employer with a medical report in hard copy. Can the employer select and obtain information from that report, even going beyond what the employer needs to discharge his own obligations to the employee, and add it to his electronic records about the employee free from any restriction under the 1998 Act? I appreciate that, by section 2(c) of the 1998 Act, such a report would be “sensitive personal data”, which is a special category of “personal data”, but, if Mr Spearman is right and the judge was wrong, it would mean that neither the data protection principles nor the special protections set out in sched 2 to the 1998 Act will apply in this example. So, if, as Buxton LJ states, there are startling conclusions if the judge is right, there may also be startling conclusions if he is wrong. The data protection principles would apply to the retrieval, use or holding of information but they may not apply in the same way if information can be added to the employer's electronic files without restriction. Moreover, the directive would provide no protection to the individual at the initial stage of putting the information on to the computer, which will process the information by automatic means. Particular examples of the results of an interpretation are often useful as a way of testing any conclusion on statutory interpretation and as throwing light on its likely intendment. In this particular case, however, I consider that particular examples are of limited use as examples may be taken to support the likelihood of either interpretation in issue. Accordingly the most important task for the court is the interpretation of the relevant legislation in the light of its provisions and the instruments and concepts to which it refers.

87.

Thus, the correctness of Mr Spearman's submission turns on the true interpretation of the 1998 Act. As the 1998 Act implements the directive, it is necessary to identify the principles of interpretation applicable to domestic legislation implementing directives, next to seek the meaning of the directive and lastly to interpret the 1998 Act in the light of the directive. I do this in the next four sections of this judgment which amplify my reasons for the first four conclusions set out in the above summary.

(1) The 1998 Act must be interpreted so far as possible, in conformity with the directive

88.

It is well established that where domestic legislation implements a directive of the European Community, the domestic legislation must so far as possible be interpreted in conformity with the directive. To ascertain the meaning of a directive the court is enjoined by the Court of Justice to consider other language versions of the directive (CILFIT Srl and Lanificio di Gavardo v Ministry of Health (Case 283/81) [1982] ECR 3415). We have not been taken to the directive in this case in other languages but the French version at least does not seem to me to provide any further help on the question at issue here. I turn therefore to the question of how domestic legislation implementing a directive should be interpreted.

89.

In IRC v IDT Card Services Ltd [2006] STC 1252, I pointed out that European legislation is often less precise than domestic legislation:

“72. It has been said European Union legislation is "a negotiated law" (Jean-Claude Piris, The Legal Order of the European Community and of the Member States: Peculiarities and Influences in Drafting). It is often the product of compromise. In the context of the European Union, legislation has to be negotiated between different sovereign states with separate interests. For this reason, it may not be possible to obtain a precise text. To obtain agreement, an element of ambiguity must be left for later resolution. The very nature of this kind of legislation places a greater burden on courts than domestic legislation where the scheme of the legislation is generally worked out in great detail.”

90.

I then summarised the principles which apply when the court has to interpret domestic legislation in conformity with a directive. In the interests of simplicity I set out what I said in the IDT case:

“73. …Under what is now article 249 of the EC Treaty, a directive is binding as to the result to be achieved but needs to be implemented in a member state to have effect. The effect of a directive in the United Kingdom is governed by the legislation bringing the EC treaties into force in the United Kingdom, namely section 2 of the European Communities Act 1972. Section 2(1) of the 1972 Act incorporates obligations under the EC Treaties into domestic law. It also provides a means for the incorporation of later directives into domestic law by secondary legislation. Thus, section 2(2) of the 1972 Act provides that designated Ministers can make regulations for the purpose of implementing any Community obligation of the United Kingdom. Then section 2(4) of the 1972 Act provides:

“… any enactment passed or to be passed, other than one contained in this Part of this Act, shall be construed and have effect subject to the foregoing provisions of this section;”

74. The 1972 Act thus contains the mandate for the English courts to interpret domestic legislation in accordance with applicable European Union directives. The courts may have to interpret domestic legislation in this way because it was adopted specifically in order to implement such directives. It may also have to interpret legislation in accordance with European Union law even though it (the domestic legislation) was enacted for another purpose if it in fact contains the provisions which have to be enacted in the member state to implement a directive or which, if the directive were properly implemented, would be affected by it, and the date for implementing the directive has passed.

75. The approach of the English courts when interpreting UK legislation designed to give effect to Community legislation is to construe the English legislation so far as possible so as to make it compatible with the Community legislation. This is the approach that the English courts adopt to legislation implementing international treaties generally. In addition, when Parliament recently incorporated the European Convention on Human Rights into domestic law, it took the same formula and used it to impose an obligation on English courts to interpret domestic statute law, so far as possible, compatibly with human rights (Human Rights Act 1998, section 3). ..

77. Non-implementation or defective implementation of a European Union directive may lead to liability on the state: Francovitch v Italy [1993] 2 CMLR 66…

78.…Where there is no preliminary ruling from the Court of Justice and difficulties arise because the case cannot be said to be acte clair, it may be necessary to seek a preliminary ruling from the Court of Justice… In Kobler v Austria [2004] 2 WLR 976, the Court of Justice held that in special circumstances a state can be liable if the final court of appeal in a member state declines to refer a question of the interpretation of the EC treaties to the Court of Justice, and takes a wrong view of the EC law. This may lead to national courts taking a more restrictive view of acte clair in the future.

79. The Court of Justice lays down the obligations of national courts with respect to European Union legislation. The Court of Justice has held that the national court’s obligation is to interpret domestic legislation, so far as possible, in the light of the wording and the purpose of a directive in order to achieve the result pursued by the directive and thereby comply with Community obligations: see Marleasing S.A. v La Commercial Internacional de Alimenation SA at para 8. In this judgment, I refer to this obligation as the Marleasing principle. It is sometimes also referred to as the principle of conforming interpretation. The Court of Justice has held that the obligation may apply even if the relevant legislation was passed before the relevant Community legislation: Webb v EMO Air Cargo (UK) Ltd [1994] QB 718, and see S.Vogenauer, Richtlinienkonforme Auslegung Nationalen Rechts, (1997) ZEuP 158.

91.

In my judgment in the IDT case I referred to the recent case of Pfeiffer v Deutsches Rotes Kreuz Kreisverband v Waldshut [2004] ECR1-8835, in which the Court of Justice summarised and developed the relevant principles. I drew the following conclusions from this case:

“81. The approach described above makes it clear that, while under European Union law the member states are bound to interpret national legislation so far as possible in conformity with the wording and purpose of a directive, it is for domestic law to determine how far the domestic court can change other provisions of purely domestic law to fulfil this obligation. Thus in this situation the national court is not concerned to ask what interpretative approach is adopted by the courts of the other member states of the European Union. The question how far it can go under the guise of interpretation, and whether it can for instance adopt what would otherwise be regarded as a strained construction, is a matter for domestic law.

82. Normally when construing domestic legislation, the English courts must find the meaning of the words which Parliament has used. In the context, however, of legislation which requires to be construed in a way which is compatible with European Union law or with the rights conferred by the European Convention on Human Rights, the English courts can adopt a construction which is not the natural one. The process, however, remains one of interpretation: the obligation imposed by the Court of Justice is only to interpret national law in conformity with a directive “so far as possible”. That raises the question when a process ceases to be that of legitimate interpretation and trespasses into the field of lawmaking that is the task of Parliament and not the courts.”

92.

I went on to hold that the court could adopt the same approach to interpretation of domestic legislation in conformity with a directive as the court adopted under section 3 of the Human Rights Act 1998. I referred to Ghaidan v Godin-Mendoza [2004] 2 AC 557, and continued:

“85. However, further guidance is now provided by Ghaidan v Godin-Mendoza. As I have explained above, this was a case under section 3 of the Human Rights Act 1998 and is thus not a case in which the House had to consider the interpretation of legislation so as to make it compatible with the wording and purpose of a directive. However, under section 3 of the 1998 Act, the court has to interpret legislation “so far as possible” in a manner which is compatible with Convention rights. The case is therefore in my judgment authority as to what is “possible” as a matter of statutory interpretation. The similarities in this regard between interpretation under section 3 of the 1998 Act and under the Marleasing principle are illustrated by the fact that Lord Steyn traced the origin of the interpretative obligation in section 3 to the Marleasing case and that both Lord Steyn and Lord Rodger in their speeches relied on (inter alia) the Litster case as demonstrating that the court could read in words in order to interpret legislation under section 3(1) of the 1998 Act. In those circumstances, in my judgment, the guidance given by the House of Lords in that case as to the limits of interpretation can also in general be applied to when the limits of interpretation under the Marleasing principle arise for consideration….

92. Although the technique of interpreting domestic legislation as far as possible in conformity with European Union law has now been applied (with necessary alterations) to test whether the legislation is compatible with the ECHR, I recognise that the context is different in some respects. The obligation to comply with the Convention is imposed on the member state. The Convention does not bind the courts of a member state. But the actions of the courts can place the member state in breach of its obligations under international law. Furthermore, the Human Rights Act 1998 provides the court with an alternative solution, namely that of making a declaration of incompatibility (Human Rights Act 1998, section 4). This alternative was inserted in the interests of preserving Parliamentary sovereignty. No such alternative is available for domestic legislation implementing European Union legislation. I doubt however whether much turns on this point. Section 3 imposes an obligation to interpret legislation compatibly with Convention rights, not a discretion to do so. Accordingly, I consider that the differences in concept between section 3 interpretation and interpretation under the Marleasing principle are more apparent than real. As already stated I consider that the Ghaidan case is a helpful guide when determining the interpretation under the Marleasing principle. I see no reason why the same robust techniques used to make legislation compatible with the ECHR should not equally apply to make domestic legislation comply with the laws of the European Union.”

93.

Pill and Latham LJJ agreed with my judgment, and Pill LJ delivered a concurring judgment. In my judgment, the IDT case demonstrates that Community law imposes a duty of some intensity on national courts to interpret domestic legislation so that it conforms with Community law. Domestic courts are expected to use their powers of statutory interpretation under domestic law in full to achieve that result. Domestic courts are required loyally to find the meaning of the Community instrument, and, as this will inevitably be the driving force in the interpretation of domestic law, the logical place to start must be with that instrument itself.

(2) The directive applies to the selection of information constituting personal data which, following such selection, is to be placed on a computer

94.

I now turn to those provisions of the directive which throw light on the question whether and in what circumstances information which is manually processed is within the scope of the directive. I am mindful of Mr Johnson’s application for a reference for a preliminary ruling from the Court of Justice with which I deal in para 151 below. Even if I had concluded that the application should be granted, I would still have needed to analyse the meaning of “processing” in Community law (to some extent at least) in order to establish whether this court could itself determine that meaning with the appropriate degree of confidence. Since it appears that the court is divided on the meaning of “processing” under the directive, I doubt whether the court as a whole could be so satisfied.

95.

The title of the directive describes it as a directive “on the protection of individuals with regard to the processing of personal data and on the free movement of such data”. The directive is remarkable for a number of recitals. It has 72 recitals but only 34 articles. It is impossible to set out a fair selection of the recitals. They demonstrate the width of the directive.

96.

Buxton LJ points out that the most prominent right, specifically set out in the recitals to the directive, is the individual’s right to privacy. I agree. As the recitals point out, that right of privacy is recognized both in art 8 of the European Convention on Human Rights (which confers the right to respect for private and family life) and in the general principles of Community law. Moreover, recital (2) makes it clear that data-processing systems must respect the right to privacy:

“Whereas data-processing systems are designed to serve man; whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy…”

97.

Buxton LJ makes the point that art 8 does not extend to “the loss of employment or loss of insurance cover that Mr Johnson fears or complaints of” (judgment, para. 16) and that no complaint is made as to whether the treatment accorded to Mr Johnson infringed any right under art 8. However, there is a separate point as to whether the carrying out of any particular operation on personal data falls within art 8 by virtue only of that fact. If it is, then since, as recital (2) shows, one of the purposes of regulating data-processing systems is to ensure respect for art 8 rights, the scope of the directive is unlikely to exclude an aspect of processing which would engage art 8. Although we were not taken to the authorities on this point, it appears from the jurisprudence of the European Court of Human Rights (“the Strasbourg court”) that art 8 is engaged by the creation and maintenance of a record of data relating to the “private life” of an individual and that the term “private life” includes certain professional or business activities (Niemietz v Germany). Thus, in Amann v Switzerland (16 February 2000, application no 27798/95), the applicant complained at the interception of a telephone conversation between himself and a person from the former Soviet embassy in Berne and the creation and maintenance by a public authority of a record of the call in a manual filing system stating that he was a contact of the Russian Embassy. The court held that art 8 was engaged because the details filled in on the record card were data relating to the applicant's “private life”. It held :

“65. The Court reiterates that the storing of data relating to the “private life” of an individual falls within the application of Article 8 § 1 (see the Leander v Sweden judgment of 26 March 1987, Series A no. 116, p.22, § 48).

It points out in this connection that the term “private life” must not be interpreted restrictively. In particular, respect for private life comprises the right to establish and develop relationships with other human beings; furthermore, there is no reason of principle to justify excluding activities of a professional or business nature from the notion of “private life” (see the Niemietz v Germany judgment of 16 December 1992, Series A no. 251-B, pp. 33-34, § 29, and the Halford judgment cited above, pp. 1015-16, § 42).

That broad interpretation corresponds with that of the Council of Europe’s Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data, which came into force on 1 October 1985 and whose purpose is “to secure in the territory of each Party for every individual…respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him” (Article 1), such personal data being defined as “any information relating to an identified or identifiable individual” (Article 2).

66. In the present case the Court notes that a card was filled in on the applicant on which it was stated that he was a “contact with the Russian embassy” and did “business of various kinds with the [A.] company” (see paragraphs 15 and 18 above).

67. The Court finds that those details undeniably amounted to data relating to the applicant’s “private life” and that, accordingly, Article 8 is applicable to this complaint also.”

98.

The court went on to hold that art 8 had been infringed by both the creation and storage of the information:

“80. The Court concludes that both the creation of the impugned card by the Public Prosecutor’s Office and the storing of it in the Confederation’s card index amounted to interference with the applicant’s private life which cannot be considered to be “in accordance with the law” since Swiss law does not indicate with sufficient clarity the scope and conditions of exercise of the authorities’ discretionary power in the area under consideration. It follows that there has been a violation of Article 8 of the Convention.”

99.

Accordingly, in my judgment, art 8 is relevant to the processing issue for this reason. It provides some support for the view that the directive is likely to be concerned with the creation and maintenance of a computerised record of personal information even if it was created manually. The creation of the RAR form containing personal data relating to Mr Johnson was the creation of such a record. It is interesting to note that the Convention of 28 January 1981, which is referred to by the Strasbourg court in the Amann case and which is also referred to in the recitals to the directive, did not protect information in a manual filing system as the directive now does. The introduction of references to manual systems was one of the major differences between the directive on the one hand and that Convention and the 1984 predecessor of the 1998 act on the other. The point that I wish to make for present purposes is that, if personal data relating to complaints made against Mr Johnson in a professional capacity is selected manually and then recorded electronically, art 8 is likely to be engaged. In so far as the directive is intended to confer protection on persons in situations arising out of the recording of personal data within the ambit of operation of that article, Mr Johnson would appear to be within its intendment.

100.

Recital (15) would appear to provide that all processing must be automated:

“Whereas the processing of such data is covered by this directive only if it is automated or if the data processed are contained or are intended to be contained in a filing system structured according to specific criteria relating to individuals, so as to permit easy access to the personal data in question;”

101.

The conclusion reached by Buxton LJ in para 29 of his judgment would appear to have the effect of making recital (15), read with art. 2(b), predominate over, or govern, other provisions of the directive. This is a matter which I will have to refer below. Recital (15) needs to be read with other provisions of the directive. Recital (27) provides:

“Whereas the protection of individuals must apply as much to automatic processing of data as to manual processing; whereas the scope of this protection must not in effect depend on the techniques used, otherwise this would create a serious risk of circumvention; whereas, nonetheless, as regards manual processing, in this directive covers only filing systems, not unstructured files; whereas, in particular, the content of a filing system must be structured according to specific criteria relating to individuals allowing easy access to the personal data;…”

102.

Art 2 sets out definitions:

“(a) “personal data” shall mean any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

(b) “processing of personal data” (processing) shall mean any operation or set of operations, which is performed upon personal data, whether or not by automatic means such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;”

103.

Art 3(1) of the directive, headed “scope” and dealing with the scope of the directive, provides that processing can be wholly or partly the automatic means:

“(1) This directive shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data, which form part of a filing system or are intended to form part of a filing system.”

104.

Art 3(1) thus states that the directive applies to processing personal data whether it is carried out “wholly or partly” by automatic means. The definition of “personal data” makes it clear that information can be “personal data” even if it is not recorded or held by automatic means. It simply applies to “any information” relating to an identified or identifiable natural person. Art 3(1) does not lay down the extent to which information may be recorded partly by automatic means. This is clearly a different method of recording information from recording information in any filing system for the purpose of the second limb of art 3(1). In respectful disagreement with Longmore LJ, in my judgment, it would naturally include information selected manually though I would accept that such selection is unlikely to be a sufficient condition in itself. Some guidance can be gained from the definition of “processing of personal data”, which includes the “collection” of personal data. I return to that point in para. 113 below.

105.

The interpretation placed on the directive by Buxton LJ involves reading down the definition of processing data by reference to recital (15). In effect, in my respectful judgment, this gives precedence to recital (15) over art 3(1). In his judgment, no reliance can be placed on art 3(1), because that is dealing with the processing to which the directive applies and not with the question whether there was processing. In my judgment, there is no distinction between processing to which the directive applies and processing as defined by the directive. Moreover, in my judgment, recital (15) does not have the effect of excluding the application of the directive from collecting information by manual means and recording it by automatic means. I now set out my reasons for that conclusion.

106.

First, in the interpretation of a directive, the provisions of an article are generally to be given precedence over any provision in a recital. Thus, in Deutsches Milch-Kontor v Hauptzollamt-Hamburg-Jonas (Case C-136/04), the Court of Justice held:

“32. As regards the ninth recital in the preamble to Regulation No 176/89, it is sufficient to recall that the preamble to a Community act has no binding legal force and cannot be relied on either as a ground for derogating from the actual provisions of the act in question or for interpreting those provisions in a manner clearly contrary to their wording (Case C-162/97 Nillson and others[ 1998] ECR 1-7477,para. 54, and Case C-308/97 Manfredi [1998] ECR 1-7685, para. 80).”

107.

There are other decisions of the Court of Justice to the same effect. In Wirtschaftsvereinigung Stahl v Commission (Case C-441/97P) [2000]ECR I-10293 at [38], the Court of Justice stated that, although the preamble to a Commission decision in the form of an aid code indicated “that the rules contained in the earlier aid codes prohibit “any other operating or investment aid to steel firms, those words in the preamble are not endorsed by any provision of the [code]. It follows that those words in the preamble cannot by themselves change the scope of the [code].” Likewise, in Leclerc-Siplec v TF1 Publicité SA (Case C-412/93)[1995] ECR I-179, at [47] the Court of Justice did not adopt a particular interpretation of a provision in a directive even though that interpretation appeared to follow from a recital where the interpretation was not supported by the wording of the provision. Similarly, in Gunnar Nilsson (Case C-162/97) at [54], the Court of Justice stated that “the preamble to a Community act has no binding legal force and cannot be relied on as a ground for derogating from the actual provisions of the act in question”, but in that case the question - which was whether member states could impose additional restrictions on the breeding of livestock - arose in criminal proceedings.

108.

Secondly, recital (15) is dealing with the scope of the directive (see the word “covered”). It is not dealing with the definition of any particular term used in the directive. Therefore it is to be read with the operative provision of the directive dealing with scope, namely art 3. When read with art 3, it is clear that it conflicts with art 3 because if recital (15) is read literally it excludes any step within automatic processing which happens to be manual whereas art 3(1) clearly anticipates that automatic processing can include a manual stage because it uses the words “wholly or partly by automatic means”. To read the “scope” provision in art 3 as not applying to that aspect of processing would not only be to fail to take account of the express wording of art 3 but also contravene the principle just mentioned about the interpretation of recitals. I do not consider that it would be any answer to this point to read down art 2(b) and then to use that provision to read down art 3(1). The argument would be that the reference to "wholly or partly by automatic means" in art 3(1) has to be read as a reference to the circumstances in which under the definition of "processing of personal data" in art 2(b) processing can occur manually and then that the relevant words in art 2(b) (“whether or not by automatic means”) have to be interpreted by reference to recital (15). On that basis the “processing of personal data” would only apply to operations which were either exclusively automatic or within the second limb of recital (15) and that definition would then be inserted into art 3(1) with the effect that the words "wholly or partly by automatic means" in art 3(1) would mean only operations which were either exclusively automatic or within the second limb of recital (15). I reject this approach for the reasons that I have already given. It would be using recital (15) dealing with the scope of the directive impermissibly to read down the operative provision on scope in art 3(1), and that is not made permissible by the fact that it is done by two steps rather than one.

109.

Put another way, the first part of recital (15) states that processing is covered by the directive “only if it is automated”. Art 3(1) provides that the directive applies to processing “whether wholly or partly by automatic means”. In my judgment, these two provisions conflict, and under the jurisprudence of the Court of Justice the operative provision, that is art 3(1), must prevail.

110.

Thirdly, and in any event, recital (15) has to be read with the other recitals, particularly recital (27). Recital (15) expressly contemplates that the directive applies to information, which is to be contained in a filing system, even before it has been placed in that system. It would indeed be curious if that problem was addressed only in the context of manual systems. Recital (27) makes it clear that the scope of protection conferred by the directive is not to “depend on the techniques used”. In my judgment, when those two recitals are read together, it is clear that recital (15) does not mean that when automated means are used they must be exclusively used. If that were the true interpretation of recital (15), the passages in Campbell set out below could not stand and there would be no room for interpreting the directive as applying to the end product of a system, which is automated, but from which hard copy is obtained. That would greatly reduce the scope of operation of the directive. It follows, in my judgment, that the expression “wholly or partly by automatic means” in art 3(1) cannot be read as narrowly as Mr Spearman submits. In his submission (accepted by Buxton LJ in para. 32 of his judgment), this expression is limited to creating an anti-avoidance provision to prevent arguments that because some manual operations had occurred in the course of processing none of the processing could fall under the directive. On my interpretation, that expression must, or must also, include manual operations connected to automatic processing which would be within the directive if the whole of the processing has been a manual operation and, instead of using automatic means, the data controller had used a manual process to which the directive applied.

111.

Mr Spearman submits that the directive specifically provides that not all manual operations are within its provisions. He further submits that to treat the directive as applying to manual operations in connection with automatic processing, other than in the very exceptional situations accepted by him (see para. 85 above), would be to render otiose the limitation in the directive, in the case of manual processing, to structured filing systems. This argument would be correct if the effect of the expression “wholly or partly by automatic means” in art 3(1) was to bring processing, that was substantially done manually, within the purview of the directive. However, that is not the effect of my interpretation. I have not purported to give a comprehensive definition of when processing by automatic means can include manual operations, but the formulation in the last paragraph does not render the restriction to filing systems otiose.

112.

Mr Spearman further submits that the judge effectively disregarded the fact that data was being collected for private use rather than for mass use, for example, marketing. However, the directive cannot be read as excluding the use of personal data in circumstances such as the present.

113.

Fourthly, as I have observed, the definition in the directive of “processing” applies to the “collection” of personal data, and that data as defined need not be automated. Recital (28) also refers to the collection of data, which underlines the fact that references to the collection of data are no accident. The references to the “collection” of information are not limited to the relevant filing systems. Accordingly, in my judgment, under the directive, personal data can be “processed” by the collection of information held by non-automated means for recording by automatic means.

114.

Fifthly, in so far as relevant, I do not find this conclusion surprising. No database can be set up without the collection of information held manually. Moreover, a person inputting personal data to a computer must know that he or she is likely to be within any legislation conferring data protection, because he or she is actually putting information on to a computer. Furthermore, in that instance, there is a link between the action said to constitute processing and the automatic means of processing. No one has suggested that the collection of data, which does not involve the use of computer, would constitute processing unless it is stored in a filing system of the kind to which the directive and the 1998 Act apply.

115.

As the example which I gave in para 86 above shows, there are important effects of the judge’s view being wrong as well as of its being right. For my own part, and with respect to Buxton LJ, I do not consider it would be appropriate for this court to try to form any overall assessment as to that question. Whether the instances given by Buxton LJ are indeed far-reaching effects outside the likely scope of the directive must also in part depend on the width of the exceptions conferred by it, (see for example arts. 3(2), 8(2) and 9), on which we were not fully addressed.

116.

I would add, by way of respectful disagreement with the judgment of Longmore LJ on processing, that the above analysis of the directive and the Act shows that processing can include a non-automated step. This court in the Campbell case came to the same conclusion on the different facts of that case. I deal with that case below.

(3) The decision of the Court of Justice in the Lindqvist case provides some support for this conclusion

117.

In the Lindqvist case, the Court of Justice held that the listing of details of fellow parishioners on a self-made internet home page did constitute the “processing” of personal data. The selection of the data in question had been manual but the act of uploading the data via a server was automatic. The first question submitted by the Gota hovratt in Sweden, the referring Court, was “whether the act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies”, constituted “the processing of personal data wholly or partly by automatic means within the meaning of Article 3(1)” of the directive. The opinion of the Advocate General provides no assistance in this case as he concluded on the facts that the case fell under the exception provided in art 3 (2) of the directive.

118.

In its reply, the Court of Justice stated that:

“25. According to the definition in Article 2(b) of Directive 95/46, the term “processing" of such data used in Article 3(1) covers " any operation or set of operations which is performed upon personal data, whether or not by automatic means". That provision gives several examples of such operations, including disclosure by transmission, dissemination or otherwise making data available. It follows that the operation of loading personal data on an internet page must be considered to be such processing.

26. It remains to be determined whether such processing is “wholly or partly by automatic means”. In that connection, placing information on an internet page entails, under current technical and computer procedures, the operation of loading that page on to a server and the operations necessary to make that page accessible to people who are connected to the internet. Such operations are performed, at least in part, automatically.

27. The answer to the first question must therefore be that the act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes "the processing of personal data wholly or partly by automatic means" within the meaning of article 3 of Directive 95/46.”

119.

Buxton LJ concludes that the question posed was limited to whether using the computer to place the list on the internet was processing and that the decision in Lindqvist does not assist the appellant (judgment, para. 33). However, the question referred by the Swedish court to the Court of Justice was not limited to placing data on the internet, but to the listing on a self-made internet page of personal data. Thus the Swedish court did not isolate for consideration the actual means of placing the information on the internet. Moreover, an analysis of the various submissions in response to this question suggests that various intervening parties construed it more broadly. Indeed, the Swedish Government argued that “the processing of personal data wholly or partly by automatic means” in art 3(1) of the directive covered all processing in computer format (see [2004] QB 1032, at [21]). It is also interesting to note that, in their submissions, the Commission argued that the directive applied to all processing of personal data referred to in art 3 regardless of the technical means used and that, accordingly, making personal data available on the internet constituted processing wholly or partly by automatic means, provided that there were no technical limitations which restrict the processing to a purely manual operation (see [2004] QB 1032, at [23]). This would also suggest that an element of automation is sufficient, and that “processing” would only be excluded where there was no automated element whatsoever. Finally, the response of the Court of Justice in paras. 25 and 26 of its judgment also appears to accept the submission of the Commission and to look merely for an element of automation, which was indeed provided by the need to use a server. Accordingly, the judgment of the Court of Justice, provides some, albeit slight, support for the view expressed above that the directive applies to the selection of information and placing of it on to a computer.

(4) The statutory definition of “processing” in the 1998 Act can be interpreted in conformity with the directive

120.

Now I have interpreted the directive, I can take the question of the interpretation of the 1998 Act, which was enacted to implement the directive, more shortly. The relevant statutory provisions are as follows:

“1(1) In this Act, unless the context otherwise requires –

“data” means information which –

(a) is being processed, by means of equipment operating automatically in response to instructions given for that purpose,…

“data controller” means, subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data, or are to be, processed;

“personal data” means data which relate to a living individual who can be identified –

(a) from those data…

“processing”, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including-

(b) retrieval, consultation or use of the information or data,…

(2) In this Act, unless the context otherwise requires –

(a) “obtaining” or “recording” in relation to personal data, includes obtaining or recording the information to be contained in the data, and

(b) “using” or “disclosing”, in relation to personal data, includes using all disclosing the information contained in the data.

4…

(4) Subject to section 27(1), it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller…

13(1) An individual who suffers damage by reason of any contravention by the data controller of any of that requirement of this act is entitled to compensation from the data controller for the damage…”

121.

It is common ground that the information in the present case did not constitute a filing system for the purposes of either the directive or the 1998 Act. There is no issue but that the MDU is the data controller for the purposes of the 1998 Act in relation to the personal data included in the RAR form and the duty of a data controller in relation to personal data is, subject to any applicable exemption provided for by section 27(1) (none are suggested in this case), to comply with the data protection principles in schedule 1 to the 1998 Act. The crucial issue is whether the selection of material and its insertion into the RAR form, the score sheet and the RAG form constituted processing for the purposes of 1998 Act.

122.

It is clear from the definitions in the 1998 Act set out above that “processing” can occur in relation to either data or information. Likewise, it is clear from the definition of “obtaining” that, “in relation to personal data”, the obtaining can be of information which is to be contained in “data”. I do not agree with Buxton LJ that the only relevant words in the definition of “processing” in this case are the words “or carrying out any operation or set of operations on the information or data.” (judgment, paras.22 and 27). To “obtain” means to “come into possession or enjoyment of; secure or gain as a result of request or effort; acquire, get” (Shorter Oxford English dictionary). Dr Roberts obtained information in this sense when she opened the files and selected the information that she wanted from them and copied that information into the RAR form. In my judgment, it is appropriate to take a wide meaning of “obtaining” because there is no requirement that the information be obtained from any person. If the obtaining has to be by the MDU, rather than Dr Roberts, in my judgment the MDU can still be said for this purpose to be obtaining information when Dr Roberts performs the task explained above. In the same way, an employer can be said to obtain information from his employees when he conducts an inquiry into some matter affecting his organisation, even if that information would have been attributed to him before the inquiry started. If that is wrong, then in my judgment the task she performed constituted the recording of information by her or the MDU. The extended definition in section 1(2) applies to “recording” as much as it does to “obtaining”. The recording of information is the presentation of it for the purpose of Mr Johnson’s allegation in this case.

123.

When Dr Roberts completed the RAR form, she added her own opinions in the score sheet and RAG assessment form. These were not “obtained” from the files but formulated at the end of her work. But for the issue whether copying those expressions of opinion is processing within the 1998 Act, the RAR was a newly created file on the computer and those opinions would undoubtedly be “personal data”. For my own part I cannot see that they were not “recorded” for the purposes of the 1998 Act. Furthermore by the time they were created the RAR form had been created. It would be difficult to say that, since the score sheet and RAG assessment form were separate documents, Dr Roberts’ opinions were not inserted into and thereby presented in “data” for the purposes of the 1998 Act, which includes “information which …is being processed by means of equipment operating automatically in response to instructions given for that purpose” (section1(1) of the 1998 Act).

124.

The extended definitions of “obtaining” and “recording” in section 1(2)(a) of the 1998 Act apply only in relation to “personal data”. The definition of “personal data” in section 1(1) of the 1998 Act is dependent on the term “data”. The definition of “data” requires that the information must be information that is being processed by means of equipment or operating automatically in response to instructions given for that purpose.

125.

The judge reached his conclusion by accepting the submissions of Mr Martin Howe QC, who appeared for Mr Johnson here and below. Mr Howe relied upon the paras 101 to 103 of the judgment of the Court of Appeal in Campbell v MGN Ltd [2003] QB 633, especially para 103. Mr Howe submitted that in Campbell this court had recognized that there could be relevant processing when part of the operation was automatic and part was manual. Mr Howe also relied on the words “whether or not by automatic means” in art 2(b) of the directive. Mr Howe also relied on the similar wording in art 3 of the directive. The judge considered that Mr Howe’s interpretation of the 1998 Act more closely accorded with its wording and that of the directive than that advanced by Mr Spearman.

126.

On this appeal, Mr Spearman submits that the judge was wrong. Mr Spearman submits that “selecting” information does not constitute “obtaining, recording or holding the information or data”. He submits that, accordingly, the act of selecting is only processing within section 1(1) of the Act if it is applied to personal data and at the stage Dr Roberts made her decision there was no “personal data” as defined in section 1(1). There cannot be personal data unless there is information which is actually being processed, by means of equipment operating automatically. That stage is only reached after Dr Roberts has made a selection and has inputted it on to her word processor. Mr Spearman further submits that, by virtue of recitals (15) and (27) and art 3 of the directive, processing can only be carried out by automatic means or by a relevant filing system. This appeal is not concerned with the latter.

127.

It is important to note that under the directive and the 1998 Act the data protection principles can be applied to any step in the operation of processing. They are not required to be applied only to the overall effect of processing. This is because the data protection principles apply to processing (directive, art 6) and the directive defines "processing of personal data" to mean "any operation or set of operations…" thus clearly encompassing individual steps in processing as well as the exercise as a whole. The definition of “processing” in the 1998 Act is differently expressed but in my judgment it is to the same effect. Accordingly, I do not attach significance to the fact that Mr Johnson does not allege that the whole exercise of processing was unfair. It is sufficient if any step in the processing was unfair. In so far as Buxton LJ has come to the contrary conclusion (as to which see para 31 of his judgment), I respectfully disagree. I have proceeded on that basis and accordingly for my purpose it is sufficient that the selection and presentation of Mr Johnson's personal data constituted processing for the purpose of the directive and the 1998 Act, even if the complete exercise also involved for instance transmission of the data to the members of the RAG group.

128.

In my judgment, for the reasons given above, the court's duty is to interpret section 1(2)(a), so far as possible, in accordance with the directive. On the view that I have formed of the meaning of directive, “processing” applies to the act of obtaining personal data to be placed on to a computer, and putting it on to a computer. I consider that section 1(2)(a) can to be interpreted in conformity with the directive because the words “in the data” in section 1(2)(a) refer back to “personal data” as used in the phrase “in relation to personal data”. On that footing, the expression “personal data” in section 1(2)(a) includes putative personal data, that is information which will constitute “personal data” when both the act of obtaining the information to be contained in the data and the act of inputting it onto a computer have been completed.

129.

On that basis, the selection by Dr Roberts of material and the placing of that material on to a computer constituted “processing” for the purposes of section 1 of the 1998 Act. That conclusion is consistent with the directive, and the court is not precluded from coming to the conclusion that the selection of material is capable of being “processing” by reason of the fact that the selection occurs before any information is put on to the computer.

130.

Indeed, if that distinction were made, the question might arise whether processing could be said to occur as soon as some of the information had been put on to the computer. That would be a possible, but not very satisfactory or logical, approach.

(5) My conclusion on processing is consistent with the conclusion of this court in Campbell v MGN

131.

In Campbell v MGN, Miss Campbell complained that, by publishing information and photographs about her attendance at a meeting place for a drug users’ self-help group, MGN were liable to her in damages for breach of confidentiality, and also for compensation, under section 13 of the 1998 Act. We are not concerned with the confidentiality claim. MGN relied on an exemption in section 32 of the 1998 Act for the publication of journalistic material in the public interest. This court held that that the term “processing” included the act of publishing the newspaper in hard copy form, and that for that reason (among others) section 32 applied to that publication. The paragraphs of its judgment where the court dealt with the issue of processing are paras 101 to 103 and 106:

“101. The definition of ‘processing’ in the Directive and the Act alike is very wide. ‘Use of the information or data’ and ‘disclosure of information or data by transmission, dissemination or otherwise making available’ are phrases, given their natural meaning, which embrace the publication of hard copies of documents on which the data has been printed. Is such a meaning consistent with an interpretation that gives effect, in a sensible manner, to the objects of the Act?

102. While the Act extends to certain manual filing systems, it is otherwise concerned with the automated processing of personal information. Almost all of the provisions of the Act relate to activities prior to the moment when that information is transferred to hard copies. It would conflict with the overall nature and object of the Directive and the Act to seek to apply their provisions to the acts of those who distribute and make available to the public the product of prior data processing in which they have not been concerned. Extending ‘processing’ to embrace such activities need not, however, have that result.

103. The Directive and the Act define processing as ‘any operation or set of operations’. At one end of the process ‘obtaining the information’ is included, and at the other end ‘using the information’. While neither activity in itself may sensibly amount to processing, if that activity is carried on by, or at the instigation of, a ‘data controller’, as defined, and is linked to automated processing of the data, we can see no reason why the entire set of operations should not fall within the scope of the legislation. On the contrary, we consider that there are good reasons why it should.” (emphasis in the original)

132.

This court then referred to the provisions in the directive and the 1998 Act on compensation. This court concluded that, if those provisions were to be effective, publication must be treated as part of the operations covered by the requirements of the Act (para 105). Neither counsel has submitted that the ratio decidendi went further than this, though I note that the principle is expressed more widely in para 103 and that that principle would cover this case. This court summarised its conclusion on processing in para 106 of its judgment:

“106. Accordingly we consider that, where the data controller is responsible for the publication of hard copies the reproduced data that has previously been processed by means of equipment operating automatically, the publication forms part of the processing and falls within the scope of the Act.” (emphasis added)

133.

Mr Spearman submits that this court erred in law in para 103 above, on the basis that processing for the purposes of the directive does not apply to information that is produced in hard copy. I do not consider that that submission is open to Mr Spearman in this court as the conclusion in para 106 on the meaning of “processing” for the purposes of the Act is part of the ratio of the decision (see further para 129 of the judgment). In any event I do not accept that submission. For the reasons already given, the provisions of art 3(1) of the directive apply to processing “wholly or partly by automatic means”. Those words are sufficiently wide to cover the situation described by this court in the Campbell case where processing occurs automatically, but there is some essential step, linked to the automatic processing, which is not done by automatic means. The selection and inputting of personal data, such as occurred in this case, is an essential step of this type. It is consistent with the reasoning of this court in para 103 of its judgment in the Campbell case that such selection and inputting should constitute processing on the basis that the same reasoning should apply to non-automated steps which occur before the processing by automatic means as occur thereafter.

134.

I agree with Buxton LJ that this court in the Campbell case was not concerned with the situation that we have in the present case, where the essential issue is whether the manual selection of data prior to its input on to a computer constitutes “processing”. However, I do not consider that the Campbell case can be distinguished because it concerned a claim for breach of confidentiality, whereas Mr Johnson’s claim is that he is entitled to compensation because the fairness principle, as contended for by him, was not applied to the manual part of data processing carried out on behalf of the MDU. I accept that this court in the Campbell case was very concerned not to nullify the effect of the exemption in section 32, which applies only to data, but this court's decision on the meaning of processing was not expressed to be limited to that section. It would have been open to this court to say that some different definition of processing must apply for the purposes of that section since all of the statutory definitions in section 1(1) apply “unless the context otherwise requires”, but that is not the course which this court took.

135.

The approach of this court in the Campbell case to “processing” is consistent with the pragmatic but principled approach that I have adopted to the interpretation of section 1(2) of the 1998 Act, and provides further support for that approach.

Conclusion on processing

136.

It follows that I agree with the judge’s conclusion that the selection and presentation of personal data about Mr Johnson on to the RAR form, the RAG form and the score sheet constituted “processing” for the purpose of the 1998 Act, although I have reached my conclusion for different reasons. The MDU as the data controller thus had a duty to comply with the data protection principles. The only data protection principle relied on is that of fairness. As I have said, I agree with the judgment of Buxton LJ on the application of the principle and merely wish to add some short observations of my own, which I do in the next section of this judgment.

The fairness principle

137.

Art 6 of the directive sets out a number of principles relating to data quality, including the fairness principle set out in art 6(1)(a). This provides that member states must provide the personal data must be “processed fairly and lawfully”. This principle is expressed as separate and additional to the other data protection principles in art 6, which are in general more specific and which do not appear to be in any way subject themselves to the fairness principle.

138.

Art 6(1)(a) is implemented by the fairness principle set out in paragraph 1 of schedule 1 to the 1998 Act. This provides so far as relevant:

“Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –

i.

at least one of the conditions in schedule 2 is met, and

ii.

…”

139.

Para. 1 of schedule 2 to the 1998 Act includes a condition that the data subject has given his consent and it provides so far as relevant that:

“1. The data subject has given his consent to the processing.”

140.

Mr Howe submits that, if the fairness principle applies, the MDU has to go back and consult the member affected even though the contract gives it absolute discretion to decide whether to withdraw the benefits of membership from any member. Accordingly the application of the fairness principle in this case raises the general issue of the relevance of the contractual relationship between the data user and the data subject to the fairness principle. The rights and obligations in the directive are superimposed on the parties’ contractual relationship without any express indication as to how the two sets of rights and obligations are to interact.

141.

Recital (28) states that “any processing of personal data must be lawful and fair to the individuals concerned”. I do not consider that this excludes from consideration the interests of the data user. Indeed the very word “fairness” suggests a balancing of interests. In this case the interests to be taken into account would be those of the data subject and the data user, and perhaps, in an appropriate case, any other data subject affected by the operation in question.

142.

The directive gives little guidance as to the application of the fairness principle. However para. 1(1) of schedule 2 to the 1998 Act provides:

“1(1) In determining for the purposes of the first principle whether personal data are processed fairly, regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed.”

143.

This provision does not appear to implement any specific provision of the directive, but Mr Howe does not suggest that it is inconsistent with the directive. In my judgment, this provision addresses not only the case where a person has been deceived into providing data but also the position where a person has by contract freely agreed to provide information which the other party to the contract wishes to process. The effect of this provision is that when applying the fairness principle the existence of any contract between the parties is a relevant factor even if a party’s consent to the terms of the contract does not amount to the giving by the data subject of an explicit consent to data processing in accordance with provisions for giving such consent in the directive. This factor is likely to be a critical one where the parties have freely entered into a contract, the data user intended to do no more by way of processing of the information than he was entitled to do with it manually under the terms of the contract and the data subject should reasonably have foreseen that the data user might wish to process the information for this purpose. In this situation, the question of fairness has to be approached on the basis that the parties have made their agreement. If this were not so, the “privacy” interest protected by the directive would be privileged over the contractual rights of the other contracting party. The directive concept of fairness does not in my judgment require or permit the conflict between those two interests to be resolved in that way in the case I have postulated.

144.

Mr Johnson’s membership of the MDU, and accordingly access through membership of the MDU to professional indemnity insurance, was on the terms of the memorandum and articles of association of the MDU, which is a company limited by guarantee and not having a share capital. The articles of association gave the board of management the power to manage the affairs of the MDU and thus the right to determine any risk assessment policy. Article 11 of the MDU’s articles provides the material part that:

“11. The Board of Management shall be entitled in its absolute discretion

(a) and subject only to giving 42 days’ prior notice to the member of its intention to do so to refuse to renew the membership of any member with effect from the date on which that member’s current subscription expires (“the expiry date”) and in such event at the end of the expiry date, such member shall cease to be a member of The MDU…”

145.

On the facts found by the judge, professional indemnity cover was provided as one of the benefits of membership of the MDU, but it ceased when the member ceased to be a member of the MDU in respect of occurrences subsequent to the determination of his membership. Moreover, when his membership was renewed, Mr Johnson gave his consent to the processing of personal data for a number of purposes, including risk management. The directive requires consent to be unambiguous (art 7). However, in my judgment, Mr Johnson did not have to know the nature of the MDU’s risk assessment policy to give a valid consent for this purpose.

146.

In this case, the judge reached his conclusion that the fairness principle did not apply to the lead files on the basis that the MDU was entitled to have a risk assessment policy and that the risk assessment policy seemed to him to be one on the evidence that it could properly adopt. The judge referred to para. 2 of schedule 2, which provides:

“2(1) subject to paragraph 3, the purposes of the first principle personal data on not to be treated as processed fairly unless –

(a) in the case of data obtained from the data subject, the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him, the information specified in subparagraph (3), and

(b) in any other case, the data controller ensures so far as practicable that, before the relevant time or as soon as practicable after that time, the data subject has, is provided with, or has made readily available to him, the information specified in subparagraph (3).

(2)…

(3) The information referred to in subparagraph (1) is as follows, namely --

(a) the identity of the data controller,

(b) if he has nominated a representative of the purpose of this Act, the identity of their representative,

(c) the purpose or purposes for which the data are intended to be processed, and

(d) any further information which is necessary, having regard to the specific circumstances in which the data are all are to be processed, to enable the processing in respect of the data subject to be fair.”

147.

The judge rejected the argument that under subpara.(3) the MDU should have given him further information than it did about the lead files. The judge reached a different conclusion on the non-lead files, where information had been provided by other members. In the case of the non-lead files he held that the MDU, either at the time of or promptly following Dr Roberts’s processing the data in the non-lead files, should have notified Mr Johnson of the existence of that data and at least of the purpose for which it was being or had been processed and his right of access to and to rectify such data (judgment para. 112). This conclusion on the non-lead files follows art 11 of the directive and I agree with it.

148.

However, the judge did not accept Mr Johnson’s submission, either in relation to the lead files or the non-lead files, that the MDU had an obligation to consult Mr Johnson about the processing exercise or to invite his representations upon it.

149.

In my judgment the judge was right to hold that the fairness principle did not require this. For the reasons explained above, as a general proposition a party to a contract cannot in my judgment use the fairness principle as a means of upsetting any contractually permitted use of information where, as here, processing was foreseeable. I see no basis for displacing this general proposition in this case.

150.

The judge also held, after a detailed examination of each of the files, that none of the summaries of the information extracted from the files for the purposes of the MDU’s risk assessment policy was unfair. The presentation of information in the summaries was inevitably assessed by the judge on the basis of that policy and although Mr Howe has taken a number of points of detail on the judge’s conclusions on the summaries he has not in my judgment shown that the judge’s findings on the summaries were not ones which he was entitled to make.

Reference to the Court of Justice

151.

I agree with Buxton LJ that no request should be made to the Court of Justice for a preliminary ruling in this case on the interpretation of the directive. Although I have come to a different conclusion from Buxton and Longmore LJJ on the processing issue, my conclusions on the causation issue mean that, even if I had agreed with him on this issue, the appellant would not have succeeded. The interpretation of the directive is accordingly not critical to the outcome in this case. It is not suggested that any point of Community law arises on causation. Different considerations would have arisen if the meaning of the directive had been critical to this court's decision.

Disposition

152.

For the reasons given above, I would dismiss this appeal but allow the respondent’s notice in part.

Lord Justice Longmore:

153.

My Lord and My Lady have analysed the provisions of the Data Protection Directive (95/46/EC) and the Data Protection Act 1998 in a way that I could not hope to emulate. Since they are divided on the question whether the inputting of information (by an individual such as Dr Roberts) into an automatic computer system constitutes automatic processing for the purposes of the Act, I should express my own view. As I agree that the decision in relation to this point is not decisive for the purpose of the disposal of the appeal, I shall do so only shortly.

154.

Both the Directive and the Act require that any automatic processing of personal data shall be done fairly and lawfully. Article 3(1) of the Directive provides that the Directive is to apply to the processing of date wholly or partly by automatic means. The Act is to the same effect.

155.

To my mind when an individual decides what information to put into an automatic system, he or she is not automatically processing that information either partly or wholly. An exercise of judgment by an individual is not automatic at all. Indeed it is the antithesis of automaticity. It might be different if the information was being automatically inserted into a computer but, in this case, although the RAR form was created on computer by Dr Roberts it was not automatically processed at that stage. It was fed in by the exercise of human judgment.

156.

Mr Howe QC for Mr Johnson had an alternative argument viz that one had to look at the whole process from the origination of a file to the creation of the Risk Assessment Group Pro Forma and, if there were any automatic processing in the course of that operation (which there was), then every part of that process including the exercise of judgment in creating the RAR form would be covered by the Directive and the Act. There is no language in the Directive which would justify that approach. In any event, the issue in any particular case is, in my judgment, whether the processing of the information which is complained of as being unfair is or is not automatic processing. If it is not, that is the end of the matter.

157.

It is for these short reasons that I agree with Buxton LJ on the issue of automatic processing.

158.

One of Mr Johnson’s arguments on the later part of the case was that the MDU policy of taking into account incidents of which they had been informed but not taking into account any outcome or any explanations offered by the member was an inherently unfair policy. As a free-standing submission, it is a submission with which it is possible to have some initial sympathy. But that initial sympathy is rapidly dispelled when one considers the practical implications of any other policy from the point of the MDU as set out by the judge in paragraph 123 of his judgment. It is, moreover, worth adding that assessment of risk by reference to allegations without further reference to explanations or outcomes is by no means unknown to the law.

159.

Thus this court has recently decided in relation to a doctor that there are circumstances in which it may be justifiable to issue an “Alert Letter” to Health Authorities when a number of allegations of sexual assault have been made against him even though the doctor was never convicted in the Crown Court nor disciplined by the General Medical Council in relation to such assaults, see R (Dr D) v Secretary of State for Health [2006] EWCA Civ 989.

160.

Perhaps more relevantly for the purposes of the present case it is almost a truism that in the law of insurance it is necessary for an applicant for insurance to disclose any material allegations that have been made against him or her. This applies not merely to unproved allegations, Brotherton v Aseguradora Colseguros SA [2003] EWCA Civ 705, [2003] 2 All ER (Comm) 298 but even to allegations which, after the placing, have been held to be false, North Star Shipping Ltd v Sphere Drake Insurance Plc [2006] EWCA Civ 378, [2006] 2 Lloyd's Rep 183. The apparent distaste with which the court arrived at the latter conclusion in the circumstances of that case does not detract from the fact that any insurer (and indeed anyone such as the MDU arranging for others to provide insurance) needs to know about incidents more than outcomes or explanations.

161.

Against this legal background it is, in my judgment, impossible to designate MDU’s policy as in any way unfair for the purpose of the first principle set out in part 1 of Schedule 1 to the Data Protection Act 1998, even if the Act otherwise applies.

Johnson v Medical Defence Union

[2007] EWCA Civ 262

Download options

Download this judgment as a PDF (902.4 KB)

The original format of the judgment as handed down by the court, for printing and downloading.

Download this judgment as XML

The judgment in machine-readable LegalDocML format for developers, data scientists and researchers.