Data Protection Rules In The Context Of Litigation Disclosure: Some High Court Guidance

• Author: Ms Maura McIntosh and Jan O'Neill
• Law Firm: Herbert Smith Freehills
• Published date: 15 May 2023

A recent High Court decision is a welcome addition to the limited case law considering the interplay between data protection legislation and the disclosure of documents in connection with litigation in the English courts: Dixon v North Bristol NHS Trust [2022] EWHC 3127 (KB).

This issue has caused some unease amongst litigants and practitioners since the issue of data protection was thrown into prominence by the EU General Data Protection Regulation (GDPR) in 2018 (now largely retained in UK domestic law as the UK GDPR, as modified by the Data Protection Act 2018).

In particular, while the legislation includes various exemptions/justifications regarding the use of data for legal proceedings and other legal-related purposes, each of these only applies to particular parts of the legislation (often only identifiable via rather opaque cross-referencing), and only to the extent that processing the data is "necessary" for the legal-related purpose. This creates a risk that a strict or narrow interpretation could limit the exemptions' operation.

In the recent decision, the High Court refused an interim injunction to restrain an individual's former employer from disclosing documents concerning a professional misconduct investigation against him to prospective claimants at the pre-action stage of clinical negligence proceedings. While the claims were framed mainly in breach of confidence and misuse of private information, the court also rejected submissions that the proposed disclosure would breach the data protection legislation in a number of respects. In briefly dismissing those arguments, the court:

• Stated that the data protection legislation should be applied purposively, not mechanically. "It does not give a data subject a 'veto' on what data can be disclosed".
• Rejected a submission that the statutory lawful basis for processing that is "necessary for compliance with a legal obligation" should be construed narrowly. The court accepted it was likely that there would be sufficient legal obligation under the relevant pre-action protocol despite the disclosure being entirely voluntary.
• Considered that the circumstances were likely to attract a key exemption which applies where disclosure of data is necessary for the purpose of legal proceedings or otherwise for the purpose of establishing, exercising or defending legal rights (but without analysing which of the alleged breaches it would apply to).

Although only an interim decision, the judgment adds weight to...