Wed 22 Aug 2018

How do you handle a subject access request involving mixed data when you are suspicious about the requestor's motives?

A subject access request is the term generally applied to a request by an individual looking to engage their legal right to obtain details of their personal data held by an individual or organisation performing the role of a data controller. Personal data of the requestor which also contains personal data of another individual who is identifiable is sometimes referred to mixed data. Responding to subject access requests which involve mixed data can cause headaches for data controllers. Some useful points about the approach to take to these can be taken from the English Court of Appeal's decision from 28 June in the case of B v General Medical Council [2018] EWCA Civ 1497.

Background to case

The case arose following a complaint which a patient had made to the General Legal Council about treatment he received from a doctor. After investigation, the GMC case examiners took the decision that there should be no further action against the doctor. When the patient was informed in writing of this, a summary of an independent report which the GMC had commissioned to look at the doctor's fitness to practice was also provided to him. The patient's solicitors asked for a copy of the full report. The GMC treated the request as a subject access request and asked if the doctor would consent to the disclosure of the report.

The report contained some criticisms of the doctor and he refused to consent to its disclosure, objecting to this for a number of reasons. The GMC, having considered representations made on behalf of the doctor, nevertheless took the decision that the report should be disclosed. However, they agreed to suspend the disclosure pending a challenge to their decision which the doctor raised in the High Court.

The doctor was successful in his initial challenge to the High Court and an injunction was granted restraining the disclosure of the report. The GMC appealed. The Court of Appeal determined (by a majority of two to one) that GMC's appeal should be allowed. When doing so they made a couple of interesting findings in relation to mixed data cases.  These are as follows:

1.  There is no presumption against disclosure in a mixed data case

One of the arguments accepted by the High Court judge had been that in mixed data cases there was a presumption that there should be no disclosure. However the majority of the Court of Appeal considered that it was wrong to identify a basic presumption or starting point against disclosure in these cases. 

Where consent was not given the question should simply be asked whether it was reasonable, in all the circumstances, to comply with a request without consent.  This was the test set out in section 7(4) of the Data Protection Act 1998 which was the governing legislation at the time the request was made. The answer to this question would depend on the particular facts and context.  There was no simple or obvious priority between the rights of the requestor and the rights of another party in a mixed data case, the rights and interests of both were important.

If, after the balancing exercise had been carried out, the data controller reached a perfect equilibrium with nothing to choose been the parties then, at this stage, a presumption against disclosure could operate as a tie-break.

2.  No reliance is to be placed on motive for the request

The High Court had considered that the intention of the requestor was relevant. It held that, where it appeared that the sole or dominant purpose of a request was to obtain a document for the purposes of a claim against the other data subject, this would be a weighty factor in favour of refusal.  It was more appropriate to the use procedure under court rules to obtain disclosure of such a document.  However the majority of the Court of Appeal again did not agree with this.

The majority held that there was no general principle that the interests of the individual who made the request should be treated as devalued, when balanced against the other individual who was objecting to disclosure, because the motivation behind the request was to get information which may assist in a litigation. Rights under section 7 of the Data Protection Act 1998 did not need to be based on an appropriate motivation. Although it would be relevant, as part of the balancing exercise, to have regard to whether the interests of either side may be prejudiced by a decision one way or the other.

The impact of the General Data Protection Regulation (GDPR) on this decision

When analysing the comments in this case it is important to remember that the legislation which applied in this case (section 7 of the Data Protection Act 1998) has been replaced by provisions in the GDPR as supplemented by the Data Protection Act 2018. 

For mixed data cases, the GDPR provides that the right to obtain a copy of personal data shall not adversely affect the rights and freedoms of others. The test which is to be applied to determine whether to disclose in mixed data cases is set out in paragraph 16 of part 3 of Schedule 2 of the Data Protection Act 2018. As was previously the case under section 7, where consent is not provided the data controller must still consider whether it is reasonable to comply with the request without the consent. We would therefore submit that the points made in B v GMC can be of assistance when considering mixed data cases under the new legislation.


There is no doubt that mixed data cases can be difficult. Where consent has been refused, a careful balancing exercise must be carried out to determine whether it is reasonable to disclose the mixed data. The rationale for the decision which is ultimately reached should be accurately recorded.

Carrying out the necessary balancing exercise can be particularly complicated where objections are made by the other party on the basis of the requestor's motive. A final point to mention for these situations is the option, suggest by LJ Sales in B v GMC of seeking assurances from the requestor about what will be done with the mixed data. He suggested this might be appropriate where there are good reasons for the requestor wishing to check the accuracy of personal data but where there are also objective grounds to think the objector may want to use the information for an illegitimate purpose, for example, post it on the internet with the aim of damaging the objector's reputation. It might be open to the data controller to invite the requestor to consider giving a binding contractual undertaking to the data controller, the objector or both to restrict the use to which the mixed data might be put. 

This could certainly be useful in some circumstances. However care would need to be taken in relation to this to ensure that such an undertaking was sufficiently clear and enforceable.

Make an Enquiry

From our offices we serve the whole of Scotland, as well as clients around the world with interests in Scotland. Please complete the form below, and a member of our team will be in touch shortly.

Morton Fraser MacRoberts LLP will use the information you provide to contact you about your inquiry. The information is confidential. For more information on our privacy practices please see our Privacy Notice