Dealing with mixed personal data in subject access requests

A recent case (Dr B v General Medical Council) has provided some welcome clarity on the position of mixed personal data (i.e. information that contains the personal data of more than one person) in the context of data subject access requests (SARs).  Although this case relates to a SAR brought under the Data Protection Act (DPA) 1998, as the position under the DPA 2018 is not significantly different from the position under the DPA 1998, this case provides helpful guidance on how data controllers should approach SARs which involve mixed personal data. 

Background

A patient (P) complained to the GMC about the treatment he received from his GP, Dr B, alleging that Dr B dealt with P incompetently and that his treatment led to an avoidable delay of the diagnosis of bladder cancer.  The GMC consequently instructed an independent expert to investigate Dr B’s fitness to practise and to produce a report setting out the findings.  The GMC sent a summary of the report to P, who then requested a full copy.  The GMC treated the request as a SAR under the DPA 1998.  Dr B, who had previously been sent a copy of the full report by the GMC, refused his consent to the disclosure. 

The GMC carried out a balance of interests test and took the decision to disclose the report on the basis that, as it contained P’s personal data, it should be disclosed to him.  Dr B appealed to the High Court, which held that the report should not be disclosed on the basis that the GMC had “got the balance wrong”.  The GMC then appealed to the Court of Appeal. 

Decision

The Court of Appeal, by a majority, allowed the appeal and ordered disclosure of the report. 

The Court considered each of the GMC’s grounds of appeal.  Its decision confirmed two key general principles for data controllers to consider when dealing with mixed data SARs:

1. When dealing with mixed personal data, the starting point is not a presumption in favour of the objector.  Instead the key question for the data controller to consider, and the starting point for the purposes of the balancing exercise, is whether it is reasonable in all the circumstances to comply with the request without the consent of the third party.  In the event that the data controller has carried out the balancing exercise and it considers that the position of the parties is still exactly equal (although the Court took the view that this is unlikely in practice) only then should the data controller apply a ‘tie-breaker’ presumption against disclosure.
2. There is no general principle that a requester’s interests, in carrying out the balancing exercise, should be devalued because they are motivated by a wish to obtain more information that may assist in litigation.  Instead, the general principle is that an individual’s legal right of subject access to personal data is not dependent on appropriate motivation.  This principle is clear from case law and guidance issued by the Information Commissioner’s Office.  Whilst data controllers may take into account the fact that a requester has in mind actual or proposed litigation when seeking information under a SAR, this should not act as an automatic bar to the request.  In practice, the relevant factors for the data controller to consider and the relative weight given to each factor are for the data controller to decide.  Such relevant factors would depend on the facts and would therefore vary in each case.

Comment

In an employment context, mixed data cases commonly arise in relation to grievance or disciplinary matters, significantly where the relationship between the parties is likely to already be strained.

Regarding the third party, it may, in some circumstances, be appropriate for an employer not to inform the third party that a mixed data SAR has been made or to seek their consent for the disclosure.  Steps taken to seek consent would be a relevant factor to consider when carrying out the balancing exercise.

Dr B v GMC confirmed that data controllers have a considerable margin for assessment when carrying out the balancing exercise in a mixed data case.  In the event of a dispute over disclosure of mixed personal data going to litigation, provided the court is satisfied that the data controller acted reasonably in all the circumstances, it is not for the court to substitute its own view as to what is reasonable.  Rather, the data controller’s decision would prevail, provided that it is within the bounds of reasonableness as set out under the DPA 2018.  It is therefore important for employers to keep in mind the importance of being prepared to demonstrate their reasoning when carrying out the balancing act.  This is likely to involve keeping a record of the decision-making process that clearly shows how the final decision was reached.