Data Protection in UK Law

In conformity with the 1981 Convention and the Directive, the purpose of section 7, in entitling an individual to have access to information in the form of his "personal data" is to enable him to check whether the data controller's processing of it unlawfully infringes his privacy and, if so, to take such steps as the Act provides, for example in sections 10 to 14, to protect it.

It follows from what I have said that not all information retrieved from a computer search against an individual's name or unique identifier is personal data within the Act.

These include: (i) the strength of the possible cause of action contemplated by the applicant for the order: Norwich Pharmacal at p 199F-G per Lord Cross of Chelsea, Totalise plc v The Motley Fool Ltd [2001] EMLR 750 at first instance para 27 per Owen J, Clift v Clarke [2011] EWHC 1164 (QB) paras 14, 38 per Sharp J; (ii) the strong public interest in allowing an applicant to vindicate his legal rights: British Steel at 1175C-D per Lord Wilberforce, Norwich Pharmacal at p 182C-D per Lord Morris of Borth-y-Gest, 188E-F per Viscount Dilhorne; (iii) whether the making of the order will deter similar wrongdoing in the future: Ashworth at para 66 per Lord Woolf CJ; (iv) whether the information could be obtained from another source: Norwich Pharmacal at 199F-G per Lord Cross, Totalise plc at para 27, President of the State of Equatorial Guinea v Royal Bank of Scotland International [2006] UKPC 7 at para 16 per Lord Bingham of Cornhill; (v) whether the respondent to the application knew or ought to have known that he was facilitating arguable wrongdoing: British Steel per Lord Fraser at 1197A-B, or was himself a joint tortfeasor, X Ltd v Morgan-Grampian (Publishers) Ltd [1991] 1 AC 1, 54 per Lord Lowry; (vi) whether the order might reveal the names of innocent persons as well as wrongdoers, and if so whether such innocent persons will suffer any harm as a result: Norwich Pharmacal at 176B-C per Lord Reid; Alfred Crompton Amusement Machines Ltd v Customs and Excise Commissioners (No 2) [1974] AC 405, 434 per Lord Cross; (vii) the degree of confidentiality of the information sought: Norwich Pharmacal at 190E-F per Viscount Dilhorne; (viii) the privacy rights under article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms of the individuals whose identity is to be disclosed: Totalise plc at para 28; (ix) the rights and freedoms under the EU data protection regime of the individuals whose identity is to be disclosed: Totalise plc v The Motley Fool Ltd at paras 18–21 per Owen J; (x) the public interest in maintaining the confidentiality of journalistic sources, as recognised in section 10 of the Contempt of Court Act 1981 and article 10 ECHR: Ashworth at para 2 per Lord Slynn of Hadley.

In my opinion there is no presumption in favour of the release of personal data under the general obligation that FOISA lays down. The guiding principle is the protection of the fundamental rights and freedoms of persons, and in particular their right to privacy with respect to the processing of personal data: see recital 2 of the preamble to, and article 1(1) of, the Directive.

The ventilation of the Data Protection Act 1998 issues which I have considered was solely in witness statements and in the course of the trial by argument. The point taken by Mr. Coppel in paragraphs 25 and 26 of his written outline closing submissions was not taken until then. In those circumstances it is perhaps unsurprising that the franchisor had not produced its certificate of registration under the Data Protection Act 1998.

Even so, it is not an obligation to supply documents: Dunn v Durham CC [2012] EWCA Civ 1654, [2013] 2 All ER 213 at [16]. It is of critical importance to distinguish between the two. Although it may be more convenient and cheaper in some cases for a data controller to supply copy documents, there is no legal obligation to do so. This is, I think, borne out by article 12 of the Directive which requires the data controller to inform the data subject of the " categories of data concerned".

It also emphasised the GMC's legitimate interest in transparency and concluded 'Failure to disclose the findings of an independent expert would most likely be a breach of the Human Rights Act in terms of obligations to protecting the health, as well as the rights and freedoms of the data subject (i.e. [P]'s).