I have come across several examples in recent practice where great confusion has arisen about the responsibility for complying with court orders which appear to require the disclosure of personal data, often quite sensitive. This can arise where the data controller is a party to the action or where an order has been made as a third party. This then engages the exemption in s35(1) of the Data Protection Act 1998 and the non-disclosure provisions in s27(3) & (4) – disclosures required by the order of a court – and requires a careful consideration of what must be done to comply with the order.
This might arise in all sorts of litigation. Examples I have seen include medical negligence and child protection cases.
The confusion essentially arises for two reasons:
(a) The order is often badly drafted – sometimes appallingly
(b) “Disclosure” in the field of data protection has a very different meaning to that used by the Courts
Information Governance staff who have not been trained in the wiles of litigation may be ill equipped to resolve these issues. It is highly recommended that compliance with such orders is overseen by the lawyers, but even they have been known to err faced with a bad order, so it is well that IG staff and data protection officers in particular understand the issues and can smooth the process.
“Disclosure” is not really defined in the DPA. S1(2)(b) does say that “… disclosing”, in relation to personal data, includes … disclosing the information contained in the data” but that is rather circular. In practice by “disclosure” we actually mean that the information has actually been transmitted or communicated to another person.
The Courts however mean something entirely different. Their focus is initially on documents (widely defined and can include information in databases), not the content. One needs to look at Part 31 of the Civil Procedure Rules and there we can see that “A party discloses a document by stating that the document exists or has existed.” Disclosure does not require that the content is communicated or transmitted at the time of ‘disclosure’. It is not absolute.
The correct procedure from the Rules can be neatly summarised:
1. Court orders ‘disclosure’ to some other person
2. You tell them what you have and whether you object to inspection of any of it – Rule 31.19(3). This might include indicating that you are willing to allow inspection of a redacted copy.
3 Where there are no objections they have a right to ‘inspect’ the documents. In practice they can, and usually do, exercise this right by requesting copies and paying your copying charges
4 Where there are objections if they disagree they must apply to the court Rule 31.19(5)
Objections may be for a number of reasons. The most common is probably legal privilege. Others might include legal prohibitions (Fertilisation and Embryology) or data protection. This might arise if e.g. the documents contain third party personal data which is not relevant to the case – it is a general rule that disclosure should be limited to that which is necessary.
This should be relatively simple but if the Order is defective it can create a very misleading impression.
I have seen recently an Order in a child protection case against Hospital Trust which was not a party to the action and which simply required the Trust “to provide copies” of a named member of staff’s notes to a solicitor for one of the parties. That Order is clearly defective and outside the powers of the Court under part 31. Further Rule 31.17(4) clearly states “An order under this rule must – … require the respondent, when making disclosure, to specify any of those documents … in respect of which he claims a right or duty to withhold inspection.” The particular Order did not do so.
The proviso is clearly an important one as without it someone receiving such an order, without benefit of legal advice (or with benefit of defective advice) would clearly misunderstand what the order required. Having misunderstood it is then impossible to properly apply the s35(1) data protection exemption as it is unclear what is required by the order of the court.
In another example the order was for “disclosure of copies”. That is of course nonsense when you understand what “disclosure” means in a court order. You do not disclose copies – you disclose originals – unless ‘copies’ is all you have – see Rule 31.9. Being pedantic if you only had originals you could comply with such an order with a null response, since no copies exist!
In summary faced with an order of this nature:
1. Make sure you understand what ‘disclosure’ means
2. If you object to actually providing the information you can – whatever the Order may say. If the Order seems black and white it is defective and you may need to apply to the Court for clarification. Refer to your legal team.
3. Until you have this clear you may not have the full protection of s35(1) and in a worst case scenario may breach the data protection principles when you thought you were just doing as the Court ordered.
Phil Bradshaw is one of our expert trainers. Our data protection workshop series contains courses for DP beginners as well DP specialists.