Category Archives: judgments

January 14, 2026 · 7:59 am

A DSAR disclosure horror story

If anyone who deals with data subject access requests, or disclosure exercises in general, wants to read a horror story, they should look at the recent judgment in Forsters LLP v Uddin [2025] EWHC 3255 (KB).

This was an application for an interim injunction for breach of confidence, seeking delivery up by the defendant of confidential and privileged documents. Forsters, a law firm, act for Mr and Mrs Alloatti, who are in a dispute with their neighbour, Mr Uddin. No doubt in an attempt to advance his case, Mr Uddin made a DSAR directly to Forsters. But instead of disclosing Mr Uddin’s personal data to him, Forsters disclosed the entire contents of the file containing information responsive to a systems search for the name “Uddin”. This resulted not only in the disclosure of personal data of people unconnected to the dispute, but also in disclosure of around 95% (3,000+ pages) of the Alloatti client file, much of it confidential and privileged.

Unsurprisingly, Forsters were successful in their application. This was a very clear case of “obvious mistake” (see Fayed v Commissioner of Police of the Metropolis [2002] EWCA Civ 780). And

where a party to litigation discloses documents to the opposing party which are confidential and privileged and the court is satisfied that it is a case of ‘obvious mistake’, which was either known to or ought to have been known to the receiving party, the Court will intervene by injunction to, so far as possible, put the parties back into the position they would have been had the error not occurred. This will usually involve granting an injunction that requires the recipient to deliver up the documents, to destroy any copies he has made of them and which restrains him from making any use of the information contained in the documents.

Further proof that this was a mistake lay in the fact that Mr Uddin, on receiving the disclosure, immediately notified Forsters of the breaches of confidence and GDPR. Although he later sought to row back on this in order to retain and use the information in his dispute with the Alloattis, his argument that the disclosure was lawful as a DSAR response was doomed.

One argument that found greater favour with the judge was that the “erroneous disclosure to him has undermined the confidentiality and privilege in the information he has seen”. But although the judge accepted that Mr Uddin could not “un-know” some of what he had seen he held that

Nonetheless, the court can help the Claimant to regain control over the 3,300 documents themselves and over the way in which information from those documents is deployed in the two claims. In this way, the court can remedy most of the mischief which this inadvertent disclosure has caused

Accordingly, in addition to delivery up and deletion, he was injuncted from using any of the documents, or information from them, in the underlying claim or in a separate claim in harassment against two Forsters employees.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Breach of confidence, Data Protection, judgments, subject access

Tagged as

November 29, 2025 · 6:41 am

NCND for personal data – a qualified exemption?

[reposted from my LinkedIn Account]

I’ve been known to criticise First-tier Tribunal (FTT) judgments in the freedom of information jurisdiction. By contrast, this one is superb.

In it, the FTT dismantle the argument (and the decision notice) of the Information Commissioner’s Office that Bolton NHS Foundation Trust were entitled to “neither confirm nor deny” (NCND) holding reviews, including a review by PWC, into the Trust’s governance and management. The PWC review was the subject of an article in the Health Service Journal, and the requester was the journalist, Lawrence Dunhill.

Firstly, the FTT noted that the ICO “case begins with an elementary error of fact. It treats the Trust as having given an NCND response to the entirety of the Request when it did no such thing” (the Trust had only applied NCND in respect of the request for a PWC report, but had confirmed it held other reviews). Oddly, the Trust, in its submissions for the appeal, simply ignored this error (the FTT chose not to speculate on “whether that omission was accidental or tactical”).

Secondly, and notably, the FTT found a fundamental error of law in the ICO’s approach (and, by implication, in its guidance) to NCND in the context of personal data. Section 2(3)(fa) of FOIA provides that section 40(2) is an absolute exemption (therefore not subject to a public interest test). But section 2(3) does not include section 40(5B) (the personal data NCND provision) in the list of absolute exemptions. As far as I know, the ICO has always taken the view, however, that it is an absolute exemption – certainly its current guidance says this).

That approach, held the FTT, is “simply wrong…the exemption under FOIA, s40(5B)(a)(i) is qualified and the public interest balancing test applies”. And but for that error, they said, the ICO might have reached a different conclusion.

As it was, the FTT held that the legitimate interests balancing test under Article 6(1)(f) of the UK GDPR was sufficient to determine the issue: merely confirming or denying whether the PWC review was held would not cause unwarranted prejudice to a named individual when balanced against the requester’s legitimate interests.

It will be interesting to see if the ICO appeal this. Given the strength of the criticism it would perhaps be bold to do so, but it might be that the only alternative will be to have to rewrite their guidance on s40(5), and rethink their long-held view on it.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, FOIA, Freedom of Information, Information Commissioner, Information Tribunal, judgments, NCND, UK GDPR

Tagged as , ,

November 13, 2025 · 5:10 am

Chief Constable in contempt over body-worn-video footage disclosure failures

The Court of Appeal has handed down an extraordinary judgment (Buzzard-Quashie v Chief Constable of Northamptonshire Police [2025] EWCA Civ 1397) in which the Chief Constable of Northamptonshire was forced to admit civil contempt of court, after camera footage, which the police force had repeatedly insisted, including before the lower courts, and also in response to an express order of the county court, did not exist, was found to exist just before the appeal hearing.

The appellant/applicant, Ms Buzzard-Quashie, had been arrested and initially charged with an offence in 2021. The arrest had involved three officers, all of whom had deployed body-worn-video cameras. Ms Buzzard-Quashie had complained about the arrest very shortly afterwards, and had sought copies of the footage. Although the charge was dropped, the force made only “piecemeal” disclosure, before determining that there was no further footage, or what there had been, had been destroyed.

At that point, she complained to the Information Commissioner’s Office, who told her that it had told the force “to revisit the way it handled your request and provide you with a comprehensive disclosure of the personal data to which you would be entitled as soon as possible”. (Here, the court – I believe – slightly misrepresents this as an “order” by the ICO. The ICO has the power to make an order, by way of an enforcement notice, but it does not appear to have issued a notice (and it would be highly unusual for it to do so in a case like this).)

The force did not do what the ICO had told it to do, so Ms Buzzard-Quashie issued proceedings in the Brentford County Court and obtained an order requiring the force to deliver up to her any footage in its possession or, if none was available or disclosable, to provide a statement from an officer “of a rank no lower than Inspector” explaining why it could not. It also required the force to pay her costs.

Remarkably, the force did not comply with any element of this order. This failure led to Ms Buzzard-Quashie initiating contempt proceedings in the High Court. At that hearing the Chief Constable, in evidence, maintained that that a full search had already been performed; all the footage had been produced; no other footage existed; and he was not in contempt. The judge found that Ms Buzzard-Quashie had not succeeded in establishing to the criminal standard that the Chief Constable was in contempt.

Upon appeal, and just before the hearing, primarily through the efforts of Ms Buzzard-Quashie and her lawyers (acting pro bono), the force was compelled to admit that footage did still exist: its searches had been manifestly inadequate.

The CoA found that eight pieces of information and evidence (and this was “only a selection”) had not been true, and that “the Chief Constable had not only failed to comply with the [County Court] Order in both substance and form, but had advanced a wholly erroneous factual case before that court, and before this court as well”. Ms Buzzard-Quashie clearly succeeded in her appeal.

The judgment records that the issue of sanction for the contempt found “must wait until the next round of the process”, which presumably will be a further (or perhaps remitted) hearing.

There are any number of issues arising from this. It is, for example, notable that the data protection officer for the force was involved in the searches (and, indeed, she gave the initial statement that the County Court had ordered be given by an Inspector or above).

But a standout point for me is how incredibly difficult it was for Ms Buzzard-Quashie to vindicate her rights: the police force, for whatever reason, felt able to disregard both the statutory regulator and an order of a court. She and her pro bono lawyers showed admirable tenacity and skill, but those features (and that pro bono support) are not available to everyone. One welcomes the fact that all three judges noted her efforts and those of the lawyers.

The force has referred itself to the Independent Office of Police Conduct, and the Court of Appeal has reinforced that by making the referral part of its own order.

In this post I’ve tried to summarise the judgment, but I would strongly encourage its reading. The screenshot here is merely part of the damning findings.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Body worn video, Data Protection, Information Commissioner, judgments, police, subject access

Tagged as , ,

June 29, 2025 · 8:19 am

Oral disclosure of personal data: a new domestic case

“Pretexting” and “blagging” are forms of social engineering whereby someone attempts to extract information from a source by deception. One (unethical) example is when a journalist purports to be someone else in order to gather information for a story.

A recent misuse of private information and data protection judgment in the High Court deals with a different, and sadly not uncommon, example – where an estranged, abusive partner convinced a third party to give information about their partner so they can continue their harassment of them.

The claimant had worked at a JD Wetherspoon pub, but had left a few months previously. She had given her contact details, including her mother’s mobile phone number, to her manager, and the details were kept in a paper file, marked “Strictly Private and Confidential”, in a locked filing cabinet. During the time she was employed she had been the victim of offences by a former partner of serious violence and harassment which involved subjecting her to many unwanted phone calls. He was ultimately convicted of these and sentenced to 2 ½ years in prison. Her employer was aware of the claimant’s concerns about him.

While her abuser was on remand, he rang the pub, pretending to be a police officer who needed to contact the claimant urgently. Although the pub chain had guidance on pretexting, under which such attempts to acquire information should be declined initially and referred to head office, the pub gave out the claimant’s mother’s number to the abuser, who then managed to speak to (and verbally abuse) the claimant, causing understandable distress.

She brought claims in the county court in misuse of private information, breach of confidence and for breach of data protection law. She succeeded at first instance with the first two, but not with the data protection claim. Wetherspoons appealed and she cross-challenged, not by appeal but by way of a respondent’s notice, the rejection of the data protection claim.

In a well-reasoned judgment in Raine v JD Wetherspoon PLC [2025] EWHC 1593 (KB), Mr Justice Bright dismissed the defendant’s appeals. He rejected their argument that the Claimant’s mother’s mobile phone number did not constitute the Claimant’s information or alternatively that it was not information in which she had a reasonable expectation of privacy: it was not ownership of the mobile phone that mattered, nor ownership of the account relating to it – what was relevant was information: the knowledge of the relevant digits. As between the claimant and the defendant, that was the claimant’s information, which was undoubtedly private when given to the defendants and was intended to remain private, rather than being published to others.

The defendant then argued that there can be no cause of action for misuse of private information if the Claimant is unable to establish a claim under the DPA/GDPR, and, relatedly, that a data security duty could not arise under the scope of the tortious cause of action of misuse of private information. In all honesty I struggle to understand this argument, at least as articulated in the judgment, probably because, as the judge suggests, this was not a data security case involving failure to take measures to secure the information. Rather, it involved a positive act of misuse: the positive disclosure of the information by the defendant to the abuser.

The broadly similar appeal grounds in relation to breach of confidence failed, for broadly similar reasons.

The counter challenge to the prior dismissal of the data protection claim, by contrast, succeeded. At first instance, the recorder had accepted the defendant’s argument that this was a case of purely oral disclosure of information, and that, applying Scott v LGBT Foundation Limited, this was not “processing” of “personal data”. However, as the judge found, in Scott,

the information had only ever been provided to the defendant orally; and…then retained not in electronic or manual form in a filing system, but only in the memory of the individual who had received the original oral disclosure…In that case, there was no record, and no processing. Here, there was a record of the relevant information, and it was processed: the personnel file was accessed by [the defendant’s employee], the relevant information was extracted by her and provided in written form to [another employee], for him to communicate to [the abuser].

This fell “squarely within the definition of ‘processing’ in the GDPR at article 4(2)”. Furthermore, there was judicial authority in Holyoake v Candy that, in some circumstances, oral disclosure will constitute processing (a view supported by the European Court in Endemol Shine Finland Oy).

Damages for personal injury, in the form of exacerbation of existing psychological damage, of £4500 were upheld.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Breach of confidence, Data Protection, data sharing, GDPR, judgments, misuse of private information, Oral disclosure

Tagged as , ,

June 9, 2025 · 12:36 pm

Defamation rules are applied to UK GDPR claim

An interesting recent judgment in the High Court considers the extent to which rules in defamation law might also apply to data protection claims.

In July 2024 His Honour Judge Lewis struck out a claim in defamation brought by Dale Vince against Associated Newspapers. The claim arose from a publication in the Daily Mail (and through the Mail+ app). The article reported that the Labour Party had returned a £100,000 donation made by another person, who was said to be “a high-flying City financier accused of sex harassment”, but also said that the claimant had donated £1.5m to the Labour Party, but then caused the Party embarrassment by joining an “eco-protest” in London, which had blocked traffic around Parliament Square. The article had the headline “Labour repays £100,000 to ‘sex harassment’ donor”, followed by eleven paragraphs of text, two photographs of the claimant and the caption “Road blockers: Dale Vince in London yesterday, and circled as he holds up traffic with Just Stop Oil”.

The strike-out succeeded on the basis that a claim in libel “may not be founded on a headline, or on headlines plus photographs and captions, in isolation from the related text, and it is impermissible to carve the readership into different groups, those who read only headlines (or headlines and captions) and those who read the whole article”, following the rule(s) in Charleston v News Group Newspapers Ltd [1995] 2 AC 65 (the wording quoted is from the defendant’s strike-out application). When the full article was read, as the claimant conceded, the ordinary reader would appreciate very quickly that he was not the person being accused of sexual harassment.

A subsequent claim by Mr Vince, in data protection, under the UK GDPR, has now also been struck out (Vince v Associated Newspapers  [2025] EWHC 1411 (KB)). This time, the strike out succeeded on the basis that, although the UK GDPR claim was issued (although not served) prior to the handing down of judgment in the defamation claim, Mr Vince not only could, but should have brought it earlier:

There was every reason why the UKGDPR and defamation claims should have been brought in the same proceedings. Both claims arose out of the same event – the publication of the article in Mail+ and the Daily Mail. Both claims rely on the same factual circumstances, namely the juxtaposition of the headline, photographs and caption, and the contention that the combination of the headline and the photograph created the misleading impression that Mr Vince had been accused of sexual harassment. In one claim this was said to be defamatory, in the other the misleading impression created was said to comprise unfair processing of personal data

This new claim was, said Mr Justice Swift, an abuse of process – a course which would serve only “to use the court’s process in a way that is unnecessary and is oppressive to Associated Newspapers”.

Additionally, the judge would have granted Associated Newspapers’ application for summary judgment, on the grounds that the rule in Charleston would have applied to the data protection claim as it had to the defamation claim:

in the context of this claim where the processing relied on takes the form of publication, the unfairness relied on is that a headline and photographs gave a misleading impression, and the primary harmed caused is said to be reputational damage, the law would be incoherent if the fairness of the processing was assessed other than by considering the entirety of what was published

This last point, although, strictly, obiter, is an important one: where a claim of unfair processing, by way of publication of personal data, is brought in data protection, the courts are likely to demand that the entirety of what was published be considered, and not just personal data (or parts of personal data) in isolation.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under Data Protection, defamation, fairness, judgments, UK GDPR

Tagged as , ,

June 6, 2025 · 8:44 am

Hinkley Point C construction company is a public authority under the EIR

The Information Tribunal has ruled that the Nuclear New Build Generation Company, a subsidiary of EDF Energy, created to construct s new nuclear power plant at Hinkley Point C (HPC), is a public authority for the purposes of the Environmental Information Regulations 2004 (EIR)

In the last fifteen years or so, a very interesting body of case law has been built up regarding the extent to which certain private persons have accrued, or have been conferred upon them, the status of a public authority for the purposes of the EIR. Some of the bodies who have been held to be public authorities (at least in a limited EIR sense) are water companies, BT, public gas transporters, and port authorities. Some which have not been held to be include Heathrow Airport and housing associations.

The EIR create a scheme for public access to environmental information held by public authorities, which runs in parallel to the scheme under the Freedom of Information Act 2000 (FOIA). Where FOIA, though, specifically designates public authorities, the EIR (which implemented an EU Directive, emanating in turn from the 1998 UNECE Aarhus Convention) define a public authority by virtue of its actions and powers.

Whether a person is a public authority will often turn on whether it “carries out functions of public administration”. The tests for this derive from the “Fish Legal ” in the CJEU: whether they are “entrusted, under the legal regime which is applicable to them, with the performance of services of public interest, inter alia in the environmental field, and…are, for this purpose, vested with special powers beyond those which result from the normal rules applicable in relations between persons governed by private law”

In NNB Generation Company (HPC) Ltd v Information Commissioner & Anor [2025] UKFTT 634 (GRC), the Tribunal, considering an appeal by HPC from a decision by the Information Commissioner’s Office that it was an EIR public authority (and in which Fish Legal were again the applicant), held that the relevant Development Consent Order, and the electricity and nuclear licences granted to HPC constituted entrustment with the performance of public services in relation to the environment, and the powers accruing from that entrustment “go far beyond what a private person without the benefit of such powers would be able to do in those circumstances, for example in empowering HPC to make byelaws, even if it opts not to do so”.

Decisions of this sort are nuanced and complex, and for that reason, often amenable to appeal. I would not be surprised if this one goes to the Upper Tribunal.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Environmental Information Regulations, FOIA, Information Commissioner, Information Tribunal, judgments

Tagged as

May 27, 2025 · 7:42 am

Liz Truss leadership election not amenable to JR

Was the leadership election in which Liz Truss was elected as leader of the Conservative Party (and as a result of which she was recommended to the Queen by the outgoing Boris Johnson, and appointed by the Queen as her Prime Minister) a decision amenable to judicial review?

Whether a person is a public authority for the purposes of the Freedom of Information Act 2000 is, in principle, a relatively straightforward issue: is it listed in Schedule 1 to FOIA?; or has it been designated as such by order under section 5?; or is it wholly owned by the public sector?

Whether a person is a public authority under section 6 of the Human Rights Act 1998, or whether a person is a public authority amenable to judicial review, are more complex questions.

It was the last of these that the Court of Appeal had primarily to consider in Tortoise Media Ltd, R (On the Application Of) v Conservative and Unionist Party [2025] EWCA Civ 673. Tortoise Media had written to the Party seeking certain information in relation to the leadership election process, and argued that the public effects of the leadership election meant that, in those circumstances, the Party was exercising a public function for the purposes of CPR 54.1(2). The follow-on argument was that the judgment of the ECtHR in Magyar Helsinki Bizottság v Hungary meant that the domestic courts should read down Article 10 of the ECHR (as incorporated in domestic law in the HRA) as imposing, in some cases, a positive obligation on a body to provide information to the media, who act as “watchdogs” in the public interest.

Perhaps unsurprisingly, though, the Court of Appeal did not accept that the effects and circumstances of the Party leadership election made the decision of the Party amenable to JR:

the nature of the act of electing a party leader…is at all times a private act. The fact that it has important, indirect consequences for the public does not transform a private act into a public one.

For that reason, the Court did not need to consider the Article 10/Magyar arguments (but on which, one feels – having regard to the submissions on behalf of the Duchy of Lancaster, as intervener, which argued that the Supreme Court’s decisions in Sugar and in Kennedy (which did not follow the reasoning in Magyar) bound all inferior courts – the claimants would have in any case lost).

It’s an interesting read, even if it was – to put it mildly – an ambitious case to bring.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Article 10, Freedom of Information, human rights, judgments, judicial review

Tagged as ,

April 17, 2025 · 7:17 am

FOIA s11 – All or nothing or a sliding scale?

When a public authority receives a request for information it must, under the Freedom of Information Act 2000, determine and communicate whether the information is held (subject to any exemption which removes the obligation to confirm or deny whether it is held), and then determine whether any exemptions to disclosure apply. These latter exemptions include the procedural ones at ss12 and 14 of FOIA (costs grounds and vexatiousness or repeatedness) and the substantive ones at Part II (ss21 to 44). It is only then that, if the requester has requested the information in a specific format (such as a specific software format) the public authority must, under s11, consider whether it must “so far as reasonably practicable” give effect to that preference.

That this is the correct order of things is confirmed by an important (albeit quite niche) judgment of the Upper Tribunal, in Walawalker v The Information Commissioner & Anor [2023] UKFTT 1084 (GRC). Both the ICO, and the First Tier Tribunal, had elided/confused the staged process above, with the result that the appeal before the Upper Tribunal was on the meaning of s11, despite prior findings not having been fully made on the application of exemptions.

Nonetheless, what the Upper Tribunal had to decide was, where (for instance as was the case here) a request was for transcripts of a 50-odd audio recordings of distress calls at sea, and the act of transcribing them would be very resource-heavy, did the obligation to give effect to the preference for transcripts “so far as reasonably practicable” impose an “all or nothing” or a “sliding scale duty”? In this example, did the Maritime and Coast Agency have to transcribe as many of the calls as it could before it became no longer reasonably practicable, or did the exercise as a whole constitute something that was not reasonably practicable?

It was the latter, said the judge: s11 applies to “the information” requested (what the ICO in its submissions, described as being a “unitary concept” – and the judge said this was a “helpful perspective”) not a subset of extract of the information. What Mr Walaker had requested was “all calls”, and it was that “unitary concept” which as at issue in the s11 analysis. It was not reasonably practicable to transcribe all calls, and so the s11 duty did not apply.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Freedom of Information, Information Commissioner, Information Tribunal, judgments, Section 11, UK GDPR

Tagged as ,

April 14, 2025 · 8:51 am

Personal use of work devices – an Irish judgment

A frequent headache for data protection practitioners and lawyers is how to separate (conceptually and actually) professional and personal information on work devices and accounts. It is a rare employer (and an even rarer employee) who doesn’t encounter a mix of the two categories.

But, if I use, say, my work phone to send a couple of text messages (as I did on Saturday after the stupid SIM in my personal phone decided to stop working), who is the controller of the personal data involved in that activity? I’d be minded to say that I am, (and that my employer becomes, at most, a processor).

That is also the view taken by the High Court in Ireland, in an interesting recent judgment.

The applicant was an employee of the Health Service Executive (HSE), and did not, in this case, have authority or permission to use his work phone for personal use. He nonetheless did so, and then claimed that a major data breach in 2021 at the HSE led to his personal email account and a cryptocurrency account being hacked, with a resultant loss of €1400. He complained to the Irish Data Protection Commissioner, who said that as his personal use was not authorised, the HSE was not the controller in respect of the personal data at issue.

The applicant sought judicial review of the DPC decision. This of course meant the application would only succeed if it met the high bar of showing that the DPC had acted unlawfully or irrationally. That bar was not met, with the judge holding that:

The DPC did not purport to adopt an unorthodox interpretation of the definition of data controller. Instead, against the backdrop of the factual matrix before it, it found that the HSE had not “determined the purposes and means 28of the processing” of the data relating to the Gmail, Yahoo, Fitbit and Binance accounts accessed by the applicant on his work phone. That finding appears to me to be self-evident, where that use of the phone clearly was not authorised by the HSE.

I think that has to be correct. But I’m not sure I quite accept the full premise, because I think that even if the HSE had authorised personal use, the legal position would be the same (although possibly not quite as unequivocally so).

In genuinely interested in others’ thoughts though.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under controller, Data Protection, employment, GDPR, Ireland, judgments, Uncategorized

Tagged as

April 2, 2025 · 5:02 am

The legality of data processing in the course of litigation

There is very convoluted litigation taking place which has as its focus a witness statement, prepared by a solicitor acting for a number of insurance companies who are defending personal injury claims arising from road traffic accidents (RTAs). And part of the argument (and a satellite claim) has now become about compliance with data protection law.

Five original claims were made for damages arising from RTAs. The defendant insurance companies were represented by law firm DWF, and one of DWF’s solicitors prepared a witness statement which contained an analysis of claims data collected by DWF in relation to a number of claims submitted by claimants represented by the solicitors who acted on behalf of the five claimants. The statement sought to adduce that in an unusually high number of the claims claimants had been referred for further psychological assessment, by a doctor who in 100% of those cases diagnosed a psychiatric condition and in two thirds of those cases said that the recovery period would be over two years. In short, a large number of claimants in the relevant RTAs appeared to develop long-term psychiatric conditions.

The claimant sought unsuccessfully to debar the witness statement, although the judge (on appeal) noted that it would be “for the Judge at trial to make of this evidence what they will [although] there are questions as to the extent to which this evidence assists without more in proving fundamental dishonesty”.

Notwithstanding this, an initial 317 (now reduced to three) claims were then made by people whose personal data was accepted to have been processed by DWF for the purposes of preparing the witness statement above. The claims here are for various breaches of the UK GDPR (such as excessive processing, and lack of fairness, lawful basis and transparency).

In a judgment handed down on 1 April, on an application by the claimants for specific disclosure in the UK GDPR claim (and an application by the defendant to amend its defence and strike out a witness statement of the claimants’ solicitor) Mrs Justice Eady DBE dismissed the disclosure applications (made under various headings), on the basis that much of the information would clearly be privileged material, or not relevant, or that the application was a fishing expedition.

If this gets to trial it will be interesting though. This sort of processing of personal data takes place in the course of (non-data-protection) private litigation routinely. It is generally not assumed that any issues of illegality arise. Any ultimate findings would be notable for litigators, and those who need to advise them on data protection compliance.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, judgments, litigation, UK GDPR

Tagged as