Wed 18 Mar 2026

Mixed ownership of personal data - who can exercise rights?

In a significant ruling for data controllers, the Sheriff Appeal Court has clarified how data protection rights apply where personal data relates to more than one individual.

The Sheriff Appeal Court has recently examined the question of the ownership of personal data and who can enforce rights in connection with that data (East Dunbartonshire Council v "Paul Paton" [2026] SAC (Civ) 17).

The appeal arose from a claim for damages brought under the UK GDPR and the Data Protection Act 2018 against East Dunbartonshire Council (the "Council"). The claimant, a parent, alleged that the Council had breached his rights by failing to correct inaccurate personal data causing him loss and damage. The central question on appeal was whether the personal data in question belonged to the claimant (the parent) or to his daughter, Caitlin (not her real name), a primary school pupil.

Factual background

In 2019, Caitlin was subjected to bullying at her primary school. Her father raised concerns with the head teacher who then prepared a risk assessment. That assessment recorded certain risk priority ratings for Caitlin's physical safety and emotional wellbeing. The Council subsequently produced a second version of this risk assessment which differed from the original. Following a number of steps taken by the claimant, he wrote to the Council in June 2024 seeking rectification of the second version on the basis that the emotional wellbeing rating had been incorrectly recorded. The Council accepted that the data was incorrect but declined to rectify it, taking the position that the data belonged to Caitlin and not to the claimant. The claimant raised proceedings against the Council. The Council conceded that the disputed data was incorrect and should be rectified. The Council agreed to rectify its records however it maintained that the data was not the claimant's personal data and that his compensation claim should therefore fail. The claimant was successful before the Sheriff at first instance and obtained compensation. The Council appealed.

The Sheriff Appeal Court's decision

The appeal was refused. The Court held that the personal data in the risk assessment was mixed personal data as it belonged to more than one data subject simultaneously. The Court found it obvious that the risk priority rating for emotional wellbeing was Caitlin's personal data as it comprised a scoring amounting to an opinion by a Council employee about a specific risk posed to her wellbeing and she was identifiable from the information held by the Council.

However, the data was also the personal data of the claimant. The purpose of the data was not only to inform Council employees about Caitlin's safety; it was also to satisfy the claimant as the person holding parental responsibilities that those matters were being adequately addressed. The claimant was identified at the outset of the risk assessment as the parent who raised concerns and the recommended control measures directly involved him in protecting his daughter.

In circumstances where Caitlin was a primary school pupil, the claimant as her father necessarily exercised parental responsibilities for her wellbeing and safety. The personal data was therefore mixed personal data belonging to Caitlin, the claimant and the head teacher involved in the preparation of the assessment. Further, the Council accepted that rectification was required but had refused to correct its records until proceedings were raised. The claimant was accordingly entitled to compensation under Article 82 of the UK GDPR and the Sheriff's award of damages was upheld.

The Court's approach to rights assessment

In reaching his decision, the Appeal Sheriff noted the applicable case law and provides a useful step-by-step approach for determining whether data protection rights arise. The Appeal Sheriff was of the view that once the data controller is identified the following steps should be followed:

  1. Identify the data to which access, rectification or exercise of another data protection right is sought.
  2. Determine whether it is personal data, applying the statutory definition and taking into account that the Court has applied a broad interpretation of that term.
  3. Identify the data subject - who is the identified or identifiable person to whom the data relates?
  4. Determine what rights the data subject holds under data protection legislation.
  5. Ascertain whether those rights have been asserted and exercised - in other words, has the data subject made a valid request for something to be done with their data?
  6. Before refusing the exercise of a right, consider whether there is a legal basis for doing so and whether refusal would give rise to remedies enforceable through the Court (including compensation).

Importance for public authorities & commercial organisations

Public authorities regularly receive requests from individuals seeking access to or correction of personal information held about them. A number of private organisations exercising public authority functions or processing personal data are in a similar situation. Personal data can be as complex as the individuals to whom it relates. This case illustrates that requests concerning data protection rights can be more complex than they first appear.

As the Court noted, it is common for a single piece of information to constitute the personal data of more than one person simultaneously. The UK GDPR and Data Protection Act 2018 make specific provision for such cases of mixed personal data. A binary approach asking simply whether data belongs to person A or person B is therefore likely to be incorrect. In this case, both parties and the Sheriff at first instance framed the issue as a binary choice, an assumption which the Appeal Sheriff found to be wrong.

Organisations which readily refuse enforcement of data protection rights on the basis that the data "belongs to someone else" risk exposing themselves to litigation which may lead to compensation awards. In mixed data situations, disclosure or rectification may be appropriate even if requested by an individual who does not appear to be the primary data subject. This is particularly so where the data has already been shared with the requester or where the other data subjects' interests do not militate against it. In this case, the claimant had already received the data in the exercise of parental rights and had also provided his daughter's written consent when making his formal rectification request.

Growing data protection compensation claims

The case is also reflective of a broader trend of compensation claims being brought under data protection legislation, especially by unrepresented parties pursuing simple procedure claims. Recoverable legal costs incurred by parties (judicial expenses) are ordinarily limited in simple procedure claims so the risk of adverse costs in pursuing a claim is low. That is not the case for a public or private sector organisation which would generally incur the cost of legal representation.

Organisations should take heed and ensure that data protection legislation is followed as the appetite to litigate in this type of case has increased. Where data ownership is ambiguous or where more than one person may have a stake in the same information, organisations should seek specialist legal advice before declining a request for exercise of data protection rights. Early and careful analysis of the legal position is therefore essential to prevent unnecessary and costly litigation.

Related Insights

View All

Make an Enquiry

From our offices we serve the whole of Scotland, as well as clients around the world with interests in Scotland. Please complete the form below, and a member of our team will be in touch shortly.

Morton Fraser MacRoberts LLP will use the information you provide to contact you about your inquiry. The information is confidential. For more information on our privacy practices please see our Privacy Notice