Case No: HC 03 CO 0538
Royal Courts of Justice
Strand, London, WC2A 2LL
B e f o r e :
THE HONOURABLE MR. JUSTICE LADDIE
DAVID PAUL JOHNSON | Claimant |
- and - | |
THE MEDICAL DEFENCE UNION LIMITED | Defendant |
Based on the tape transcription by Marten Walsh Cherer Ltd.,
Midway House, 27/29 Cursitor Street, London EC4A 1LT.
Telephone No: 020 7405 5010. Fax No: 020 7405 5026
Mr. Ashley Roughton (instructed by Messrs. Charles Russell) for the Claimant
Miss Jacqueline Reid (instructed by Messrs. Fladgate Fielder) for the Defendant
Judgment
Mr. Justice Laddie:
In this action David Paul Johnson is the claimant. He is a consultant orthopaedic surgeon. The defendant is the Medical Defence Union (“the MDU”).
In circumstances I will describe below, Mr. Johnson made what is known as an “access request” of the MDU under section 7 of the Data Protection Act 1998 (“the DPA”). It is said that the MDU has failed to comply properly with that request. It is that assertion which lies behind this application. In the terminology of the DPA, Mr. Johnson is the “data subject” and the MDU is the “data controller”.
As is well known, the MDU is a body which provides medico-legal advice and support to its members, who are all members of the medical profession. I have been told that there are at least two similar organisations offering similar services to medical practitioners in this country. In any event, the MDU is well known as is its function of supporting its members.
One of the services provided by the MDU is access to professional indemnity insurance, written by a major insurance company. MDU members obtain a discount on their premiums. This policy is, so I understand, only available to MDU members. Insurance is also available through other insurance companies outside this discounted scheme.
The articles of the MDU contain a number of provisions in accordance with which it can refuse to continue the membership of any member. In particular, Article 11(a) purports to bestow on the MDU’s board of management an absolute discretion to refuse to renew the membership of any member subject to a requirement to give 42 days prior notice.
In January 2002, the MDU decided not to renew Mr. Johnson’s membership, in accordance with the provisions of Article 11(a). This had obvious repercussions for Mr. Johnson. He was forced to find alternative insurance cover because he was no longer eligible for the special insurance available through the MDU. Furthermore, Mr. Johnson was extremely concerned that what he regarded as his expulsion from the MDU would be likely to convey to others, including medical colleagues, the impression that he was either incompetent or had done something wrong which was sufficiently grave to justify exclusion from the MDU.
As Mr. Johnson is anxious to point out, he has been in practice for over 20 years and in all that time he has never been sued for negligence. Furthermore, in that period there have been only two occasions on which he has been reported to the General Medical Council (“GMC”). On both, the complaint was dismissed at a preliminary stage. He says that he is a highly competent surgeon and that until January 2002 he had an unblemished reputation. That was changed, in his view, when he was excluded from the MDU in January of that year.
For its part, the MDU denies that it has ever impugned Mr Johnson’s competence as a surgeon. That was reaffirmed before me by the MDU’s counsel, Miss Reid. Nevertheless, the MDU says that it was entitled to refuse to renew his membership.
The access request was made in January 2002. The MDU responded to that in March of that year. It provided Mr. Johnson with a number of documents, but some of them were heavily redacted. It was also apparent that some documents which related to, or on which there was a reference to, Mr. Johnson were not provided at all. Mr. Johnson took the view that the MDU had failed to comply properly with his request. This resulted in the commencement of these proceedings in February 2003.
Mr. Johnson seeks three major forms of relief. First, because he considers the MDU to have failed to respond properly to his access request of 22 January 2002, he claims relief pursuant to section 7(9) of the DPA. That is to say, he asks for an order requiring the MDU to comply properly. Second, he applies under the provisions of section 10(4) of the DPA for an order, in effect, to prevent the MDU from improperly processing personal data about him and an order under section 14(4) of the DPA for the rectification, blocking or destruction of certain data. Third, he seeks financial compensation under the provisions of section 13(1) and (2) of the DPA for damage suffered by him and distress caused to him by the allegedly improper processing by the MDU of his personal data.
Logically, the second and third heads of relief are dependent upon an identification of all personal data concerning Mr. Johnson processed by the MDU and a knowledge of how those data were used by the MDU. For that reason, at a case management conference before Master Moncaster on 12 August 2003, the parties agreed that the question of compliance with the access request should be dealt with as a preliminary issue. Accordingly, the Master made an order that the following preliminary issue be determined:
“Whether and to what extent the defendant has complied with its obligations under section 7 of the Data Protection Act 1998, pursuant to the request made by the claimant of the defendant and dated 22nd January 2002.”
It is that preliminary issue which is before me now. Both parties have served evidence on this application. It should also be mentioned that since its first purported compliance with Mr. Johnson’s request in March 2002, the MDU have made certain further disclosures. Some of these take the form of removing some of the redactions which have been applied to the documents as originally disclosed.
Since the case management conference there has been a major development in this area of law. On 8 December of last year, the Court of Appeal gave judgment in Durant v. The Financial Services Authority [2003] EWCA Civ 1746. That clarifies many important features of the DPA. It has had a profound impact on the understanding of this legislation. In some respects, Durant construes the DPA narrowly, so as to restrict the rights of those (like Mr. Johnson) making access requests. As a consequence, the MDU sought to amend its defence to rely upon points which, prior to Durant, it had not thought it could rely on. Because of the timing of Durant, that request for permission to amend was made only shortly before this hearing. Mr. Johnson had little time to respond in the form of a reply. On the other hand, neither Miss Reid nor Mr. Ashley Roughton, who appears for Mr. Johnson, have suggested that it is possible to deal with this preliminary issue without paying due regard to the Durant decision. Further, neither side expressed any desire for an adjournment. In the result, I allowed the amendment.
Before turning to the specifics of the dispute, there is one general point which should be made. The DPA is concerned with the processing and access to “personal data” about the data subject; in this case Mr. Johnson. The meaning of this expression will be considered below. However, for present purposes it should be noted that section 7(1) provides, insofar as material:
“(1) Subject to the following provisions of this section and to sections 8 and 9, an individual is entitled --
(a) to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller,
(b) if that is the case, to be given by the data controller a description of --
(i) the personal data of which that individual is the data subject,
(ii) the purposes for which they are being or are to be processed, and
(iii) the recipients or classes of recipients to whom they are or may be disclosed,
(c) to have communicated to him in an intelligible form --
(i) the information constituting any personal data of which that individual is the data subject, and
(ii) any information available to the data controller as to the source of those data”.
As Auld LJ pointed out in Durant, what the data subject is entitled to is personal data that is to say, information. As he said:
“The intention of the Directive, faithfully reproduced in the Act, is to enable an individual to obtain from a data controller’s filing system, whether computerised or manual, his personal data, that is, information about himself. It is not an entitlement to be provided with original or copy documents as such, but, as section 7(1)(c)(i) and 8(2) provide, with information constituting personal data in intelligible and permanent form. This may be in documentary form prepared for the purpose and/or where it is convenient in the form of copies of original documents redacted if necessary to remove matters that do not constitute personal data (and/or to protect the interests of other individuals under section 7(4) and (5) of the Act).”
This passage draws the distinction between the entitlement to disclosure of documents in an action from a response to an access request. Here it is not alleged that the MDU is guilty of breach of contract, although that was suggested at one time in the correspondence. Nor, for example, is it asserted that the MDU owed Mr. Johnson a duty of care and that it has been breached. If any such cause of action had been in issue, questions as to the scope of disclosure to be given might have arisen. As it is, all that I have to consider is whether personal data exists and, if so, whether the MDU has failed to communicate them to Mr. Johnson in intelligible form and, if it has, whether it was justified in so doing.
In Durant, the Court of Appeal concentrated on four issues under the DPA. They were expressed as follows:
“The appeal raises four important issues of law concerning the right of access to personal data provided by sections 7 and 8 of the 1998 Act:
1) The personal data issue - What makes ‘data’, whether held in computerised or manual files, ‘personal’ within the meaning of the term ‘personal data’ in section 1(1) of the 1998 Act so as to entitle a person identified by it to its disclosure under section 7(1) of the Act -- more particularly in this context, to what, if any, extent, is information relating to the FSA’s investigation of Mr. Durant’s complaint about Barclay’s Bank within that definition?
2) The relevant filing system issue - What is meant by a ‘relevant filing system’ in the definition of ‘data’ in section 1(1) of the 1998 Act, so as to render personal information recorded in a manual filing system ‘personal data’ disclosable to its subject under section 7(1) -- more particularly here, was the FSA’s manual filing such a system so as to require it to disclose to Mr. Durant from those files information that would, if it were in computerised form, constitute ‘personal data’ within section 1(1)?
3) The redaction issue - Upon what basis should a data controller, when responding to a person’s request for disclosure of his personal data under section 7(1), consider it ‘reasonable in all the circumstances’, within the meaning of that term in section 7(4)(b), to comply with the request even though the personal data includes information about another and that other has not consented to such disclosure?
4) The discretion issue - By what principles should a court be guided in exercising its discretion under section 7(9) of the Act to order a data controller who has wrongly refused a request for information under section 7(1), to comply with that request?”
Each of these issues may arise for consideration in this case. Although it may be thought to be out of order, it is convenient to consider the second of these topics first. The DPA is concerned with “personal data”. That is defined in section 1(1) as:
“‘personal data’ means data which relate to a living individual who can be identified --
(a) from those data; or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.”
This refers to “data”, an expression which is also defined in section 1(1). Insofar as material, that definition reads as follows:
“‘data’ means information which --
(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,
(b) is recorded with the intention that it should be processed by means of such equipment,
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system.”
It will be seen that subparagraph (c) refers to a “relevant filing system”. That expression is also defined in section 1(1) of the DPA as follows:
“‘relevant filing system’ means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.”
In Durant it was pointed out that the data controller is only given a short time (namely 40 days) within which to respond to an access request and that he is only to be paid a fee of £10 for being put to the trouble of producing the required data. The emphasis is on recovering data which are kept in such a way that they can be recovered quickly and cheaply. The Court of Appeal was also taken through the history of the legislation and, in particular, the close relationship between the DPA and Directive 95/46/EC of 24 October 1995 On The Protection Of Individuals With Regard To The Processing Of Personal Data And On The Free Movement Of Such Data (“the 1995 Directive”).
Auld LJ considered this in detail. He said, amongst other things:
“The parliamentary intention to which [counsel for the defendant] Mr. Sales referred is, in my view, a clear recognition of two matters: first, that the protection given by the legislation is for the privacy of personal data, not documents, the latter mostly retrievable by a far cruder searching mechanism than the former; and second, of the practical reality of the task that the Act imposes on all data controllers of searching for specific and readily accessible information about individuals. The responsibility for such searches, depending on the nature and size of the data controller’s organisation, will often fall on administrative officers who may have no particular knowledge of or familiarity with a set of files or of the data subject to whose request for information they are attempting to respond. As Mr. Sales pointed out, if the statutory scheme is to have any sensible and practical effect, it can only be in the context of filing systems that enable identification of relevant information with a minimum of time and costs, through clear referencing mechanisms within any filing system potentially containing personal data the subject of a request for information. Anything less, which, for example, requires the searcher to leaf through files to see what and whether information qualifying as personal data of the person who has made the request is to be found there, would bear no resemblance to a computerised search.”
He also said:
“And it is only to the extent that manual filing systems are broadly equivalent to computerised systems in ready accessibility to relevant information capable of constituting ‘personal’ data that they are within the system of data protection.”
Also:
“It is plain from the constituents of the definition considered individually and together, and from the preface in it to them, ‘although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose’, that Parliament intended to apply the Act to manual records only if they are of sufficient sophistication to provide the same or similar ready accessibility as a computerised filing system. That requires a filing system so referenced or indexed that it enables the data controller’s employee responsible to identify at the outset of his search with reasonable certainty and speed the file or files in which the specific data relating to the person requesting the information is located and to locate the relevant information about him within the file or files, without having to make a manual search of them. To leave it to the searcher to leaf through files, possibly at great length and cost, and fruitlessly, to see whether it or they contain information relating to the person requesting information and whether that information is data within the Act bears, as Mr. Sales said, no resemblance to a computerised search. It cannot have been intended by Parliament -- and a filing system necessitating it cannot be ‘a relevant filing system’ within the Act. The statutory scheme for the provision of information by a data controller can only operate with proportionality and as a matter of common-sense where those who are required to respond to requests for information have a filing system that enables them to identify in advance of searching individual files whether or not it is ‘a relevant filing system’ for the purpose.”
Finally, he concluded as follows on this issue:
“Accordingly, I conclude, as Mr. Sales submitted, that ‘a relevant filing system’ for the purpose of the Act, is limited to a system:
1) in which the files forming part of it are structured or referenced such a way as clearly to indicate at the outset of the search whether specific information capable of amounting to personal data of an individual requesting it under section 7 is held within the system and, if so, in which file or files it is held; and
2) which has, as part of its own structure or referencing mechanism, a sufficiently sophisticated and detailed means of readily indicating whether and where in an individual file or files specific criteria or information about the applicant can be readily located.”
Miss Reid says that this has a major impact in this case. She accepts that any information kept on computer hard disks or, for example, on CDs is capable of being electronically searched with great ease and constitutes data within the meaning of the DPA. However, save in cases where there are very sophisticated indices, manual records of paper documents are excluded from the legislation. The same applies to photographic records of documents retained in microfiche. They are no more readily searchable than the original documents and, as a consequence, their contents cannot be treated as data. She provided a useful schedule which identified about half of the MDU documents which had been identified as containing some reference to Mr. Johnson and of which he wants, in effect, copies, as being manual in this sense.
As a result, according to Miss Reid, the MDU is under no obligation to disclose suc manual records or any part of the information within them. This distinction between electronic and non-electronic records apparently had not occurred to the MDU before the publication of Durant. The result is that it disclosed a number of documents to Mr. Johnson which, it now believes, it was under no obligation to disclose. Some of them were partially redacted. It does not seek the return of any of this material but it does dispute Mr. Johnson’s request to remove the redactions, both on the grounds that non-electronic records are outside the ambit of the DPA and because, even if these records are within the ambit, the redactions were justified. It also disputes the need to disclose information contained in certain other manual files from which no disclosure has been given to date.
Interestingly, in Durant, the defendant data controller also had disclosed non-electronic files before realising that it did not need to. Here, as there, it is not suggested that any form of estoppel arises as a result of what may have been too generous a response to the access request.
I do not understand Mr. Roughton to dispute Miss Reid’s submissions in relation to the exclusion of such manual or non-electronic records. However, he argues that some or all of the manual records identified in Miss Reid’s schedule are not to be excluded on this basis for two reasons. First, he says that any document which has at any time been recorded in electronic form (for example, by having been typed on a computer and saved on to its hard disk, or having been sent or received by e-mail, which would also involve retention of a digital copy on the computer) is not to be treated as manual. Second, his client challenges the MDU’s assertion that the relevant documents were only retained in non-electronic form.
At what date must information be “data” within the meaning of s 1(1) DPA for it to be discloseable?
Mr. Roughton bases his first argument on the way in which “data” is defined in the DPA. In particular, he relies on the reference to information which “is recorded with the intention it should be processed” and “is recorded as part of a relevant filing system.” He says that information which is recorded in that way becomes relevant data. There is nothing which removes it from that status. It does not matter that it was never processed; it is sufficient that it became searchable electronically. Once it is data, it cannot be removed from that status by subsequent action of the data controller.
The importance of this is that it is clear that some of the documents which have been disclosed in a redacted form to Mr. Johnson were produced by the MDU by use of word processors. Mr. Roughton argues that, on a balance of probabilities, they must have been saved on to the computer hard disks, even if only for a short period. Similarly, in the other files from which his client seeks data, and which he has not seen at all, he says it is likely that there are such documents.
There is no dispute as to the relevant facts. It is clear that some documents were prepared on word processors and were likely to have been retained in electronic form at some time. Indeed, Mr. Nicholas Bowman, company secretary of the MDU, who gave two witness statements on this application and was cross-examined by Mr. Roughton, confirmed that the MDU has a policy, called its “Evergreen policy”, which involves erasing documents such as correspondence from the hard disks of its computers on a rolling basis. Many of the documents in issue would have been stored electronically by the MDU at some stage.
Miss Reid argues that the data controller can only be required to search through data which he has at the time the access request comes in. In my view, Miss Reid is right. The terms of section 7(1) are only consistent with her construction. Thus, the data subject is entitled to be informed whether personal data “are being processed” by the data controller (section 7(1)(a)). If that is so, he is entitled to be given the personal data of which he “is” the data subject and to be told the purposes for which they “are being or are to be” processed. None of this readily covers information which was data but is not so now. Furthermore, there is no justification for extending the scope of the provision.
As Auld LJ pointed out in Durant, the DPA is designed to impose on the data controller an obligation of disclosure where the data is retained in a form which will allow it to be searched for and produced quickly and cheaply. There must be ready access. As he said in paragraph 48 of his judgment, cited above, the statutory scheme for the provision of information by a data controller has to work proportionally and in a common-sense manner. The data controller’s employees must be able to identify relevant data at the outset with reasonable certainty and speed and without having to make a manual search. As this case demonstrates, if Mr. Roughton’s argument were correct, it would be necessary to make laborious manual searches through each document contained within non-indexed files simply because at some time in the past some of them were probably recorded temporarily on a hard disc. Furthermore the searcher would presumably have to make inquiries to discover which documents in a file had been recorded in this manner in the past. That is not what is required by the Act.
Is the MDU correct in its assertion that certain identified documents and files are retained only in manual form?
I can therefore turn to Mr Roughton’s second argument. Is the MDU correct in its assertion that certain identified documents and files are retained only in manual form? Mr. Roughton says that his client just does not believe that all the documents listed in Miss Reid’s schedule as being in manual files only are in manual files only. In relation to some of the documents in issue, as explained above, Mr. Johnson has at least seen partly redacted copies. However, there are a number of other files which have not been disclosed to him. Accordingly, his criticism of the MDU’s assertion in relation to the latter has to be made in ignorance of the facts. Mr. Roughton argues that in deciding whether to go behind the MDU’s assertions on this and other topics, it is necessary to bear in mind that section 15 of the DPA gives the court power to call for the disputed material for inspection. However, that section makes it clear that the inspection is to be carried out by the court. Neither the data subject nor his lawyers are allowed to see the material. He says that his client’s hands are, in effect, tied behind his back. It seems to me that this is a real disadvantages to the data subject and the court must allow him reasonable leeway to challenge the data controller and his witnesses on the subject. Furthermore, it must be open to the court to press the data controller for further information, if necessary out of sight of the data subject and his representatives, relating to the issue. In the end, however, the court must decide on the material before it and on a balance of probabilities whether or not the files are manual.
In this case that is not difficult. In the amendment to the MDU’s defence, in the evidence of Mr. Bowman and in Miss Reid’s skeleton argument, it was made clear that the MDU asserted that the identified documents were non-electronically stored. Although Mr. Bowman was cross-examined, the contrary was not put to him, or indeed to any other witness. Furthermore, having looked at both the redacted material and the files which Mr. Johnson has not seen, there is nothing about them which leads me to suspect that the MDU’s assertions on this issue were not to be believed. It follows that the preliminary issue is to be answered in the affirmative in relation to all these documents and files.
This still leaves the question of the redactions of the documents which the MDU admits were retained in electronic, and therefore easily searchable, form. This brings into play the other points about the scope and effect of the DPA which were clarified in Durant. As Miss Reid points out, and Mr. Roughton does not dispute, all the obligations on a data controller created by the DPA are tied to what the Act calls personal data. Thus, under section 7(1)(a), the trigger which allows a data subject to call for disclosure is the fact that the data controller is processing personal data of which the requesting party is the data subject. If that is the case, then the data subject can ask to be informed what the personal data are and, as an adjunct to that, a description of the recipients or classes of recipients to whom if personal data are being or will be disclosed and available information as to the source of such personal data. If what is sought are not personal data, neither the data nor the source or addressees of it are disclosable.
The definition of personal data in the DPA is set out in paragraph 18 above. In Durant, Auld LJ construed this in the light of the equivalent provisions in the 1995 Directive. He pointed out, at paragraph 27 of his judgment, that the function of the legislation was not to create an automatic key to any information on matters in which the data subject may be named or involved. The expression “personal data” is to be construed narrowly. He went on to emphasise as follows:
“28. It follows from what I have said that not all information retrieved from a computer search against an individual’s name or unique identifier is personal data within the Act. Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data. Whether it does so in any particular instance depends on where it falls in a continuum of relevance or proximity to the data subject as distinct, say, from transactions or matters in which he may have been involved to a greater or lesser degree. It seems to me that there are two notions that may be of assistance. The first is whether the information is biographical in a significant sense, that is, going beyond the recording of the putative data subject’s involvement in a matter or an event that has no personal connotations, a life event in respect of which his privacy could not be said to be compromised. The second is one of focus. The information should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest, for example, as in this case, an investigation into some other person’s or body’s conduct that he may have instigated. In short, it is information that affects his privacy, whether in his personal or family life, business or professional capacity.”
Auld LJ then applied that meaning to the facts in Durant. He said:
“30. Looking at the facts of this case, I do not consider that the information of which Mr. Durant seeks further disclosure - whether about his complaint to the FSA about the conduct of Barclays Bank or about the FSA’s own conduct in investigating that complaint - is ‘personal data’ within the meaning of the Act. Just because the FSA’s investigation of the matter emanated from a complaint by him does not, it seems to me, render information obtained or generated by that investigation, without more, his personal data. For the same reason, either on the issue as to whether a document contains ‘personal data’ or as to whether it is part of ‘a relevant filing system’, the mere fact that a document is retrievable by reference to his name does not entitle him to a copy of it under the Act.”
Finally on this subject, he pointed out that what Mr. Durant was trying to gain access to was not his personal data but information about his complaints and the objects of them: Barclays Bank and the FSA. It appears to me that the words “without more” in paragraph 30 of Auld LJ’s judgment set out above are significant. In the Durant case, complaints had been made by Mr. Durant about Barclays Bank. The way in which this was processed no doubt contained much information about the bank, but the fact that it had been instigated by him and, for that reason, referred to him did not turn that information into Mr. Durant’s personal data. They were not data about him. To use Auld LJ’s words, they did not have Mr. Durant as their focus; they did not impinge upon or affect his privacy. However, it would not be difficult to imagine similar circumstances in which Mr. Durant’s personal data would have been involved. If, for example, on receiving a complaint from Mr. Durant about the bank, the FSA had not only investigated the latter, but had also enquired into Mr. Durant (for example by checking his credit record and trying to find out whether he was a persistent complainer), the latter, not the former, would be Mr. Durant’s personal data, which would fall within the scope of section 7 of the DPA.
Miss Reid argues that none of the data sought by Mr. Johnson is personal data as explained in Durant. In fact, the argument needs to be a little more sophisticated than that. The vast majority of the redactions which Mr. Johnson wants removed are clearly, from the context, the identities of people by whom or to whom a document or information was sent. Mr. Roughton does not argue that those identities are his client’s personal data. He reminds me of the terms of section 7(1)(b) and (c) and points out that what his client is entitled to is not simply his personal data but ancillary information relating to them; namely, the sources and addressees of that data. In other words, the section entitles his client to be told not only what personal data the data controller are processing, but information concerning those involved in the transmission of those data. I agree with the generality of this submission.
It follows that before any redaction can be removed so as to reveal the masked information, it must be demonstrated that the persons whose identities have been hidden were either transmitting or receiving personal data. There is, unfortunately, no short-cut to determining this issue in this case. It is necessary to consider each of the documents of which complaint is made. On doing that, I am driven to the conclusion that many documents do not relate to Mr. Johnson’s personal data at all. For example, C1/32 is simply a record sheet which contains no comments or data concerning Mr. Johnson. Similarly, C1/62 is an e-mail in which amendments to a draft letter are being discussed. Although, from the title of the e-mail, it appears that this comes from a file on Mr. Johnson, the e-mail contains nothing which could be said to focus on him or affect his privacy. Similarly, C2/1 and 2 appear to be telephone call and letter logs. They contain no information about Mr. Johnson. C3/9/188 is a file note of a conversation between Mr. Johnson and someone at the MDU in which Mr. Johnson is recorded as complaining about the way a medical insurance company, BUPA, had treated him. He wanted the MDU to write to the chief executive of BUPA on his behalf. A note records that the MDU was of the view that this was a matter in which it should not become involved. Once again, none of this focuses on Mr. Johnson or is about him. It does not affect his privacy. It contains none of his personal data.
On the other hand, there are some documents which, in my view, do contain his personal data. For example, C2/1/3 is a case summary relating to Mr. Johnson. Among other things, it records that BUPA considered that he had breached their procedures and were proposing withdrawal of recognition from him as a BUPA consultant. This, in my view, is information focused on Mr. Johnson and a matter which affects his privacy. It is his personal data, even if much of the rest of the material on this page is not personal data and need not have been disclosed. C2/1/6-7 is a case summary concerning Mr. Johnson. It contains a lot of information about him. For example, it records that his admitting rights at a particular hospital were suspended. It refers to complaints about him; that he tried to log on to hospital computers, which is described as a breach of hospital regulations. It also refers to there being conflicts between Mr. Johnson and colleagues. In my view, this also is Mr. Johnson’s personal data.
There is one category of documents which deserves particular mention. C3/13/418-422 is a summary of the occasions on which Mr. Johnson sought advice or assistance from the MDU. It sets out an extremely brief precis of the date and nature of each piece of advice or assistance sought. For example, one incident is recorded by reference to the date, the name of the patient and with the summary “Amorous patient”. It also records who from the MDU was the “lead” in dealing with this matter. The identity of the lead is redacted.
It seems to me that that entry does not contain Mr. Johnson’s personal data. It is equivalent to the report to the FSA by Mr. Durant of his complaints about Barclays Bank. The focus was the patient, not the surgeon. On the other hand, the totality of the document, covering five pages, is clearly about Mr. Johnson. It is an analysis of how much he used the MDU’s services and for what sort of case. This is focused on him. Indeed, Miss Reid explained that one of the factors which the MDU says caused it to decline to renew Mr. Johnson’s membership was the fact that he had used its services so much.
The difference between this type of summary and the individual entries is significant. If the individual entries are not personal data, then section 7(1) does not apply and the data subject has no entitlement either to the data or information about the origin and dissemination of them. On the other hand, if the complete summary is personal data, as I think it is, then section 7(1) does apply. Mr. Johnson is prima facie entitled to be given a description of that personal data and relevant information about the origin and dissemination of that summary.
With the above considerations in mind, I have gone through all the items in issue, in some cases taking advantage of the unredacted documents disclosed to me, but not to Mr. Johnson and his lawyers, under section 15(2) of the DPA. I have come to the conclusion that only the following could be considered as containing his personal data: C1/67; C1/79; C1/86; C1/87; C1/89; C1/91; C1/95; C1/96; C2/1/3; C3/12/401; C3/12/402; C3/13/418; C3/13/419; C3/13/421; C3/14/428; C3/14/430; C3/14/432.
In addition to this, for the reasons set out above, the following case summaries or partial case summaries, which gather together a number of interactions between the MDU and Mr. Johnson and which appear to be primarily concerned with his history, also contain personal data; C2/1/3-5; C2/1/6-7; C2/1/10; C3/12/401-402 and 404; C3/13/418-422.
However, of the latter group, information relating to the source or dissemination of the summary is only redacted and sought by Mr. Johnson on the following pages: C2/1/3; C2/1/6; C2/1/7 (possibly). All other redactions have nothing to do with the circulation of these summaries.
This leads me to the third issue covered by Durant. Namely, in what circumstances is it permissible for the data controller to decline to supply information which can identify a third party? In this case, the data controller (the MDU) has declined to supply such information by redacting names, initials or other information which would help to identify third parties.
As Mr. Roughton points out, section 7(1) is drafted in terms of the data subject’s “entitlement” not only to his personal data, but also to information as to the recipients, or classes of recipients, to whom the data are or may be disclosed, and also as to any information as to the source of these data. However, these provisions must be construed in the context of the legislation as a whole and, in particular, the provisions of section 7(4), (5) and (6) and section 8(7), which are in the following terms:
“7(4) Where a data controller cannot comply with the request” -- that is for information under section 7(1) -- “without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless --
(a) the other individual has consented to the disclosure of the information to the person making the request, or
(b) it is reasonable in all the circumstances to comply with the request without the consent of the other individual, or
(c) the information is contained in a health record and the other individual is a health professional who has compiled or contributed to the health record or has been involved in the care of the data subject in his capacity as a health professional. [added by the Data Protection Subject Access Modification (Health) Order 2000 SI 2000/413]
(5) In subsection (4) the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request; and that subsection is not to be construed as excusing a data controller from communicating so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise.
(6) In determining for the purposes of subsection (4)(b) whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard shall be had, in particular, to --
(a) any duty of confidentiality owed to the other individual,
(b) any steps taken by the data controller with a view to seeking the consent of the other individual,
(c) whether the other individual is capable of giving consent, and
any express refusal of consent by the other individual.”
“8(7) For the purposes of section 7(4) and (5) another individual can be identified from the information being disclosed if he can be identified from that information, or from that and any other information which, in the reasonable belief of the data controller, is likely to be in, or to come into, the possession of the data subject making the request.”
As Auld LJ pointed out, there are two major issues which have to be considered when a court comes to determine whether the data controller has complied with these provisions. First, what do the provisions mean and how should they be implemented? Second, what is the nature of the court’s reviewing powers? I shall consider these points separately.
In Durant it was said that the above cited provisions of the DPA appear to create a presumption or starting point that the information relating to the third party, including his identity, should not be disclosed without his consent (see paragraph 55). Auld LJ also pointed out that in deciding whether to release the names of third parties, a balancing exercise may be involved. As he explained:
“The data subject may have a legitimate interest in learning what has been said about him and by whom in order to enable him to correct any inaccurate information given or opinions expressed. The other may have a justifiable interest in preserving the confidential basis from which he supplied the information or expressed the opinion.” (paragraph 54)
However, this balancing exercise only arises where the third party’s identity is an integral part of the personal data. This point was made forcefully in Durant as follows:
“64 It is important for data controllers to keep in mind the two stage thought process that section 7(4) contemplates and for which section 7(4)-(6) provides.
65 The first is to consider whether information about any other individual is necessarily part of the personal data that the data subject has requested. I stress the word ‘necessarily’ for the same reason that I stressed the word ‘cannot’ in the opening words of section 7(4), ‘Where a data controller cannot comply with a request without disclosing the information about another individual who can be identified from the information’. If such information about another is not necessarily part of personal data sought, no question of section 7(4) balancing arises at all. The data controller, whose primary obligation is to provide information, not documents, can, if he chooses to provide that information in the form of a copy document, simply redact such third party information because it is not a necessary part of the data subject’s personal data.
66 The second stage, that of the section 7(4) balance, only arises where the data controller considers that the third party information necessarily forms part of the personal data sought.”
I would add one point to that. The primary objective of the DPA is to make it possible for a data subject to learn what personal data are being processed by others. The entitlement to seek information as to the recipients of the data and the sources of them is ancillary to that. Accordingly, it seems to me that the words “sources of that data” in section 7(1)(c)(ii) should be construed narrowly. It does not cover every hand through which the data have passed. It does not include the postman or the secretarial and administrative personnel whose job it is to do no more than assemble or deliver material.
Auld LJ said that the presumption against disclosure of the third party identification could be rebutted in cases where the data controller considers it reasonable to do so in all the circumstances. Those circumstances include, but are not limited to, those set out in section 7(6), and indeed it is not even necessary for the data controller to seek the consent of a third party before deciding whether to rebut the presumption. Furthermore, Auld LJ said that in deciding how to respond to a request for information about third parties, the data controller;
“… should also be entitled to ask what, if any, legitimate interest the data subject has in disclosure of the identity of another individual named in, or identifiable from, personal data to which he is otherwise entitled.” (paragraph 61).
Mr. Roughton argues that this imposes an obligation on the data controller to enquire of the data subject why he wants information which will identify third parties. The MDU did not do so here. As I understand it, behind this is the suggestion that in the absence of any such enquiry, it should be assumed that the data subject had a good reason for needing this information.
I do not accept that submission. The data controller is entitled to ask himself, based on all the material before him, what are the reasons, or likely reasons, for wanting this type of information, and the relevance and force of any such reasons. In making that assessment, he can take into account any reasons communicated to him by the data subject. Subject to the above matters, whether to disclose third party information is to be determined on all the facts of the case.
This leads to the question of the role of the court. Its powers are derived from section 7(9), which provides:
“If a court is satisfied on the application of any person who has made a request under the foregoing provisions of this section that the data controller in question has failed to comply with the request in contravention of those provisions, the court may order him to comply with the request.”
Auld LJ stated that the court’s function was not of “primary decision-maker on the merits” (see paragraph 60). He also said;
“… the court’s task on an application under section 7(9) would be one of review of the data controller’s decision, but a more intensive Daly – “anxious scrutiny” - type of review than the traditional Wednesbury test. Even if the section 7(9) decision were not strictly one of review, but were to be regarded as a primary decision, the test in such a statutory challenge of a non-judicial decision-taker would be much the same, see SSHD v. Rehman, [2003] 1 A.C. 153, per Lord Slynn at paras. 22 and 26, Lord Steyn at para. 31 and Lord Hoffmann at paras. 49, 50, 57 and 59).” (paragraph 59)
How do those factors apply to the facts of this case? Mr. Roughton says that the information on the third parties whose identity have been obscured is needed because his client believes that there was some kind of conspiracy against him inside the MDU and that the data relating to him had been subject to “spin”.
As Miss Reid points out, there was no trace of this suggestion in Mr. Johnson’s pleadings, nor was it put to any of the three MDU witnesses who were cross-examined by Mr. Roughton. It is not referred to in Mr. Johnson’s witness statement prepared for this application. It arose for the first time in the course of Mr. Roughton’s submissions before me. Furthermore, it is noticeable that no such allegation was made at the time the access request was made to the MDU,. When the MDU responded to the request, Mr. Johnson’s response, dated 4 March 2002, included the following paragraph:
“You have redacted parts of the data. Whilst this may be appropriate to disguise the initials or names of your staff, you have obscured dates, phrases, sentences, sections and whole entries. This is not correct provision of the data to which I am entitled.”
In other words, Mr Johnson was not asserting that he had any interest in the names of the MDU staff or other persons through whom the data had passed or would pass.
In my view there is nothing in Mr Roughton’s point. The data controller is under an obligation to comply with an access request in the circumstances prevailing at the time of the request or compliance. At those times there was no suggestion of a conspiracy. Even had there been such a suggestion, it appears to be vague and unparticularised. The MDU would have been entitled to give it little or no weight.
Having looked at all the redactions, it appears to me that many relate to secretarial or administrative staff and, for the reasons set out above, they are not sources within the meaning of section 7(1). However, even if I am wrong on that I have been unable to find any significant fault in the way the MDU has responded to Mr. Johnson’s request. I am not satisfied that the data controller has failed to comply with the request properly. In view of this, it is not necessary to consider the fourth topic discussed in Durant; namely, the court’s discretion.
For these reasons, the preliminary issue is answered in the affirmative.
I would only add that Mr. Johnson’s understandable distress at the MDU’s decision not to continue his membership should be somewhat assuaged by the fact that, shortly thereafter, he obtained professional indemnity assurance through another organisation, the Medical Protection Society.