Skip to content

Whose data? You decide…

30 July 2018

Do you feel caught between a rock and a hard place when a DSAR from one employee is interwoven with another employee’s data? Good news – the Court of Appeal has clarified how to handle these “mixed data” cases, giving you more freedom to decide and stronger grounds to resist a challenge.

In the case DB v GMC, a patient complained to the General Medical Council (GMC) that his doctor had been incompetent in delaying his cancer diagnosis. The patient submitted a DSAR to the GMC for the full expert report into his complaint. The report contained both the patient’s and the doctor’s personal data, so one could not be disclosed without the other (ie “mixed data”). As required by the (now repealed) Data Protection Act 1998, the GMC undertook a balance of interests test, concluding that the report should be disclosed. The doctor, who had objected, obtained an injunction from the High Court, a decision that has now been overturned by the Court of Appeal.

You are in the driving seat

Finding in favour of the GMC, the Court of Appeal has given helpful guidance on how to approach “mixed data” cases. This is just as relevant, because under GDPR (as under the DPA 2018) you must undertake the same balance of interests judgment when deciding if it is reasonable to disclose third party data without their consent.

According to the Court, when deciding whether disclosure of the third party data without consent is reasonable, you are the primary decision-maker. You have broad discretion when assessing the balance, which factors are relevant, and the weight you give to them. If another employee objects to his or her data being disclosed, this is just one factor to consider (alongside others) but it does not receive automatic priority. Only if you conclude that the interests of both employees are evenly balanced do you then apply a “tie-break” presumption in favour of withholding the data. In this case, the GMC justifiably concluded that the patient’s interests outweighed the doctor’s interests in resisting disclosure, so they should never have got as far as needing to engage the presumption.

Who cares about motive?

Did the fact that the DSAR may have been part of a motive to “fish” for potential claims against the doctor have any bearing? We know that DSARs are motive-blind (Dawson-Damer and Ittihadieh) and it is no different in “mixed data” cases, said the Court. An employee’s interests in seeking data are not devalued, even if their game plan may be to litigate against the other data subject.

Helpfully, Sales LJ and Arden LJ went so far as to say that where there is a possibility that the employee might use the data illegitimately (for example, to tarnish the other party’s reputation on the internet), disclosure could be accompanied with a proviso that they give a binding contractual undertaking not to disseminate it more widely, and any undertaking offered could be factored into the balancing assessment. Arden LJ went even further, suggesting the possibility of a contractual undertaking to the Court. It will be interesting to see how successful any attempts to seek contractual undertakings are in the future, given the Judges’ caveats that these are not to be used in the ordinary course, and the likely reality that requesters will not want to be constrained in how they use their own personal data, even though it may be interwoven with others’ data.

Apply rigour and record

In the GDPR world, where DSARs are on the up, this is a helpful case, allowing employers to take a more robust line in cases involving third party data. That said, some degree of rigour will be required, with a paper trail to support your decision. Although you are in the driving seat, a court may still look into your decision if a challenge is made, so make sure you record what other routes you considered and the reasons why you took the road that you did.

We envisage this sort of situation arising, in particular, where DSARs are connected to sexual harassment allegations or where investigation reports are produced in which employees’ personal data is inextricably mixed.

Related blog topics

Related expertise