A recent High Court decision is a welcome addition to the limited case law considering the interplay between data protection legislation and the disclosure of documents in connection with litigation in the English courts: Dixon v North Bristol NHS Trust [2022] EWHC 3127 (KB).

This interplay has caused some unease amongst litigants and practitioners since data protection was thrown into prominence by the EU General Data Protection Regulation (GDPR) in 2018 (now largely retained in UK domestic law as the UK GDPR, as modified by the Data Protection Act 2018).

In particular, while the legislation includes various exemptions/justifications regarding the use of data for legal proceedings and other legal-related purposes, each of these only applies to particular parts of the legislation (often only identifiable via rather opaque cross-referencing), and only to the extent that processing the data is "necessary" for the legal-related purpose. This creates a risk that a strict or narrow interpretation could limit the exemptions' operation.

In the recent decision, the High Court refused an interim injunction to restrain an individual's former employer from disclosing documents concerning a professional misconduct investigation against him to prospective claimants at the pre-action stage of clinical negligence proceedings. While the claims were framed mainly in breach of confidence and misuse of private information, the court also rejected submissions that the proposed disclosure would breach the data protection legislation in a number of respects. In briefly dismissing those arguments, the court:

  • Stated that the data protection legislation should be applied purposively, not mechanically. "It does not give a data subject a 'veto' on what data can be disclosed".
  • Rejected a submission that the statutory lawful basis for processing that is "necessary for compliance with a legal obligation" should be construed narrowly. The court accepted it was likely that there would be sufficient legal obligation under the relevant pre-action protocol despite the disclosure being entirely voluntary.
  • Considered that the circumstances were likely to attract a key exemption which applies where disclosure of data is necessary for the purpose of legal proceedings or otherwise for the purpose of establishing, exercising or defending legal rights (but without analysing which of the alleged breaches it would apply to).

Although only an interim decision, the judgment adds weight to the expectation that the court will be unlikely to apply the legislation in a manner that involves a substantial departure from established litigation practice and principles. The status of the material under data protection legislation may be relevant in balancing the competing interests but is unlikely to be decisive as a freestanding ground for objection.

It should be noted, however, that the court's analysis of the data protection issues in this decision was very brief and many of the complexities regarding the legislation are yet to be properly explored. Parties should continue to ensure they are alert to data protection issues when handling personal data at all stages of the litigation process and be able to justify their conduct under the legislation.

Background

The issue arose in the context of numerous clinical negligence proceedings brought or threatened against an NHS Trust by former patients of an employed surgeon.

At the pre-action stage, the Trust proposed to disclose to the patients and their solicitors two documents that had been generated in the context of an investigation into the allegations against the surgeon. They included details of the investigation and the outcome of the process (which had resulted in the surgeon's dismissal).

The surgeon sought an interim injunction restraining the disclosure, arguing that it would cause him substantial harm and would constitute a breach of confidence (under both his contract and equitable principles), a misuse of private information, and a breach of various aspects of the UK GDPR (read together with the DPA 2018).

Decision

The court (Mr Justice Nicklin) refused the injunction. It was "wholly unpersuaded" that the surgeon was likely to demonstrate that the disclosure should not be allowed on any of the legal bases advanced.

Breach of contract/confidence, misuse of private information

The court analysed these claims by reference to the specific elements of each cause of action. However, a common feature of its reasoning was its conclusion that, although the surgeon was likely to demonstrate that at least some of the information was confidential and/or private and that he would suffer some detriment from the disclosure, the surgeon's interests were "comfortably outweighed" by: (i) the Trust's interest in disclosing it; and (ii) the public interest in the patients having access to the material.

Notably, in reaching that finding, the court took into account that:

  • The proposed disclosure was not to the world but to a limited group of individuals, all of whom had a direct and legitimate interest in receiving it.
  • Although the surgeon would not be able to legally enforce a request that the patients use the material only for the purposes of their proposed claims, there was no reason to think they would not comply.
  • It was taking too narrow a view to say that disclosing the documents was unnecessary because the patients' claims were not yet at the formal disclosure stage (and would never reach that stage if they were settled early). A party is always free to disclose more to an opponent than the court might order. The Trust's desire to do so here was based on: (i) what it considered appropriate in light of the pre-action protocol and its public authority duties; and (ii) its desire to facilitate possible settlement. That was a matter for it, and was a valid and weighty interest to be taken into account.

Data protection: the submissions

The Trust admitted that it was the relevant data controller and that the proposed disclosure would include processing of the surgeon's personal data in the documents, but denied that it would breach any data protection rules.

With respect to the need to have one of the "lawful bases" listed in Article 6 of the GDPR (which is one of the key requirements for any processing), it submitted that the disclosure qualified as:

  • Processing "necessary for compliance with a legal obligation to which the controller is subject" (Art 6(1)(c)); and/or
  • Processing "necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller" (Art 6(1)(e)). This includes (among other things) processing of personal data that is necessary for "the administration of justice" (s.8 DPA 2018).

The Trust apparently did not rely on an alternative lawful basis under Art 6(1)(f) which permits processing where necessary for the data controller's "legitimate interests" (unless overridden by the data subject's interests). That basis is expressly not available where the processing is "carried out by public authorities in the performance of their tasks".

The Trust also relied generally on the exemptions (from certain GDPR obligations) provided in DPA 2018 Schedule 2, para 5(3) where processing is necessary in connection with current or prospective legal proceedings, the obtaining of legal advice or for the purposes of establishing, exercising or defending legal rights ("the Schedule 2 legal claims exemption").

In response, the surgeon argued that the Trust had not identified any specific basis in law for the alleged legal obligation relied on as a lawful basis. As to the public interest basis, the surgeon submitted that the Trust's negotiation of the settlement of potential claims against it could not be a relevant public task because that did not constitute it being involved in the administration of justice. Further, even if compliance with the pre-action protocol were "a task carried out in the public interest", the disclosure would still need to be "necessary", which the surgeon submitted it was not. He argued that the mere existence of potential claims and the wish to negotiate settlement could not make the processing "necessary" (as opposed to helpful or expedient).

In addition, the surgeon argued that the Trust had to comply with all elements of Article 5. In particular, personal data had to be:

  • Processed not only lawfully, but also "fairly" and "transparently" (Art 5(1)(a)) – he argued that he had been provided with little information about what data was to be provided to whom, and so the processing was not transparent.
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that was incompatible with those purposes (Art 5(1)(b)) – he argued that the data had been collected for the purpose of investigating allegations made against him in the employment context, not for subsequent litigation.
  • Adequate, relevant and limited to what was necessary (Art 5(1)(c)) – he argued that the proposed disclosure was not "necessary" for the purpose for which it was processed.
  • Accurate and, where necessary, kept up to date (Art 5(1)(d)) – he argued that the proposed disclosure contained information that was not accurate.

Data protection: the judgment

Nicklin J dealt with the data protection arguments relatively briefly, beginning by stating:

"In my judgment, [the surgeon's] contention that processing in accordance with a legal obligation must be given a narrow construction is not correct. ... The data protection legislation must be read purposively not mechanically. It does not give a data subject a 'veto' on what data can be disclosed."

He accepted that the disclosure was likely to satisfy Article 6(1)(c) and/or (e). The Trust's clearest legal obligation was a statutory duty of candour applicable to NHS Trusts, but it was also likely that a sufficient duty arose under the relevant pre-action protocol. Further, he noted that the examples of lawful processing in s.8 DPA 2018 were not exhaustive.

The judge also briefly considered and rejected the Trust's submissions based on the other Article 5 requirements. In particular, he did not accept that the purpose for which the data was originally collected excluded the further processing involved in the proposed disclosure. In any event, the court considered it likely that the disclosure fell within the Schedule 2 legal claims exemption, being "a disclosure ... which is necessary in connection with prospective legal proceedings and/or is otherwise necessary for the purposes of establishing, exercising or defending" the legal rights of the patients.

As for the challenge based on alleged inaccuracies, the judge noted that the requirement is for data to be accurate "having regard to the purposes for which they are processed". He observed that some records must be maintained intact because of the nature of the record, notwithstanding that the data in them may subsequently be shown to be inaccurate. Arguably, the document recording the outcome of the investigatory process fell into this category. (The judgment does not expressly rely here on the Schedule 2 legal claims exemption also applying to data subjects' rights to rectification of inaccurate data.)

Damages as an adequate remedy

Nicklin J concluded by noting that, even if he had not held that the surgeon had failed to demonstrate that his claims were likely to succeed, he would have exercised his discretion to refuse an interim injunction on the grounds that damages would be an adequate remedy.
