Contains public sector information licensed under the Open Justice Licence v1.0.
England and Wales Court of Appeal (Civil Division)
(Mar 28, 2007)
Copy Cite
[2007] 3 CMLR 9
(2007) 96 BMLR 99
[2007] EWCA Civ 262
[2008] Bus LR 503
Case Information
Click here to read the full judgment
Johnson v. Medical Defence Union
Smart Summary (Beta)
Factual and Procedural Background
This case concerns a claim brought under the Data Protection Act 1998 ("the 1998 Act") by the Plaintiff, a consultant orthopaedic surgeon, against the Defendant, a mutual society providing discretionary professional indemnity cover and advice to its members. The Plaintiff's membership was terminated by the Defendant under a discretionary power, leading to the loss of professional indemnity cover. The Plaintiff accepted that under contract law the Defendant had absolute discretion to terminate membership and that the termination decision itself was not challengeable on that basis.
The Plaintiff's claim is founded on the assertion that the Defendant unfairly processed his personal data in breach of the 1998 Act, specifically in the way information held on computer about him was selected and presented during a risk assessment procedure. He contends that this unfair processing caused the Defendant to terminate his membership and that he is entitled to compensation under section 13 of the 1998 Act.
The Defendant denies unfair processing and contends that the risk assessment policy, which considers allegations made against members without investigating their merits, was fairly applied. The Defendant emphasizes that its risk assessment policy is a commercial judgment aimed at protecting the mutual's funds in the interests of all members, and that the Plaintiff consented to data processing for risk management purposes as part of his membership.
The case has involved detailed examination of the Defendant’s risk assessment procedure, including the manual selection and summarization of data by a risk manager from both electronic and paper files, the scoring of risk factors, and the subsequent consideration by a committee recommending termination of membership. The Plaintiff appeals the trial judge’s findings on fairness and compensation, while the Defendant cross-appeals on whether the manual selection of data constitutes “processing” under the 1998 Act.
Legal Issues Presented
- Did the risk review involve any processing of the Plaintiff’s personal data within the meaning of the Data Protection Act 1998?
- If there was processing, was that processing unfair under the data protection principles?
- If the processing was unfair, has it been shown that the unfairness caused the Defendant to terminate the Plaintiff’s membership?
- If causation is established, to what compensation is the Plaintiff entitled under section 13 of the 1998 Act?
Arguments of the Parties
Appellant's Arguments
- The Plaintiff argues that the 1998 Act creates rights akin to contractual rights and new rights to compensation for breaches.
- He contends that the Defendant’s processing of his personal data was unfair because it applied a risk assessment policy that considered only the existence of allegations, not their merits or the Plaintiff’s explanations.
- The Plaintiff claims that the manual selection and summarization of data by the risk manager, which involved judgment, constitutes “processing” under the 1998 Act.
- He asserts that but for the unfair processing, the decision to terminate his membership would probably not have been made.
- The Plaintiff seeks compensation for pecuniary loss, distress, and damage to reputation under the 1998 Act.
Respondent's Arguments
- The Defendant denies that the manual selection of data by the risk manager constitutes “processing” under the 1998 Act, as it was not performed by automatic means.
- The Defendant contends that the risk assessment policy is a legitimate commercial judgment and that the Plaintiff consented to data processing for risk management purposes.
- It argues that the processing was fair because the policy was uniformly applied and necessary to protect the mutual’s funds.
- The Defendant disputes causation, asserting that even if there were unfairness, the termination decision would have been the same.
- It challenges the amount and basis of compensation claimed, especially damages for distress and reputation.
Table of Precedents Cited
| Precedent | Rule or Principle Cited For | Application by the Court |
|---|---|---|
| R(Countryside Alliance) v Attorney-General [2006] 3 WLR 1017 | Clarification that Article 8 ECHR does not extend protection to loss of employment or insurance cover | Adopted to reject Plaintiff’s argument that loss of membership or cover engaged Article 8 rights |
| Campbell v MGN Ltd [2003] QB 633 | Definition of “processing” includes manual and automatic steps linked to automated processing; publication as processing | Analyzed in detail; court held selection and presentation of data can constitute processing under the 1998 Act |
| Case C-101/01 Lindqvist [2004] QB 1014 | Processing includes manual selection of data when linked to automatic processing; placing data on internet is processing | Considered but held not directly applicable to the unfairness claim; supports broad interpretation of processing |
| IRC v IDT Card Services Ltd [2006] STC 1252 | Principles for interpreting domestic legislation in conformity with EU directives | Applied to interpret the 1998 Act consistently with Directive 95/46/EC |
| Francovitch v Italy [1993] 2 CMLR 66 | State liability for failure to implement EU directives correctly | Referenced in context of interpreting domestic law to comply with EU obligations |
| Ghaidan v Godin-Mendoza [2004] 2 AC 557 | Limits and methods of statutory interpretation to comply with human rights obligations | Used as analogy for interpreting legislation in conformity with EU directives |
| Leander v Sweden (1987) Series A no. 116 | Storage of data relating to private life engages Article 8 ECHR | Referenced to support that personal data processing engages privacy rights |
| Amann v Switzerland (2000) Application no. 27798/95 | Creation and storage of personal data constitutes interference with private life under Article 8 ECHR | Used to show that manual creation of electronic records engages privacy protections |
| Brotherton v Aseguradora Colseguros SA [2003] EWCA Civ 705 | Disclosure obligations in insurance law include unproven allegations | Referenced to support the legitimacy of Defendant’s risk assessment policy |
| North Star Shipping Ltd v Sphere Drake Insurance Plc [2006] EWCA Civ 378 | Obligation to disclose allegations even if later found false in insurance context | Supported Defendant’s policy of considering allegations regardless of outcome |
| R (Dr D) v Secretary of State for Health [2006] EWCA Civ 989 | Justification for issuing alert letters on unproven allegations in professional context | Used to illustrate that assessment by reference to allegations is recognized in law |
Court's Reasoning and Analysis
The court carefully examined whether the manual selection and summarization of personal data by the Defendant’s risk manager constituted “processing” under the 1998 Act. It acknowledged the statutory definition of “processing” as including obtaining, recording, or holding information by automatic means, but also considered the Directive 95/46/EC’s broader definition, which includes processing “whether or not by automatic means.”
The court recognized that the selection performed by the risk manager was a manual exercise of judgment, not automatic processing. However, it concluded that the entire operation, including the eventual recording of the selected data on a computer and its further automated handling, could be interpreted as processing. This interpretation was supported by the Directive’s wording and the principle of interpreting domestic legislation in conformity with EU law.
The court contrasted this with the opposing view that only automatic processing is covered, noting that such a narrow interpretation would produce surprising and impractical results, such as excluding manual selection of data from data protection principles even when linked to automated processing.
Regarding fairness, the court accepted the Defendant’s risk assessment policy as a legitimate commercial judgment aimed at protecting the mutual’s funds and interests of all members. The policy’s reliance on allegations without assessing their merits, and the absence of consultation with the Plaintiff during processing, was held not to render the processing unfair. The court emphasized the contractual context, including the Defendant’s absolute discretion to terminate membership and the Plaintiff’s consent to data processing for risk management.
On causation, the court found insufficient evidence that any unfairness in processing caused the termination decision. Hypothetical alternative policies or outcomes were not adequately pleaded or supported by evidence. Consequently, the Plaintiff failed to establish that unfair processing materially influenced the decision to terminate membership.
On compensation, the court held that pecuniary loss must be proven before damages for distress are recoverable under section 13 of the 1998 Act. The Plaintiff failed to establish significant pecuniary loss attributable to the Defendant’s conduct. Claims for distress and damage to reputation were rejected as unsupported or outside the scope of the Act’s compensation provisions.
The court declined to refer any questions to the European Court of Justice, finding that the issues could be resolved without preliminary rulings and that the outcome would not be affected by such reference.
Lady Justice Arden dissented on the “processing” issue, concluding that the manual selection by the risk manager did constitute processing under the 1998 Act and Directive, aligning with a broad interpretation of data protection principles. However, she agreed with the majority on the fairness and causation issues, resulting in dismissal of the appeal.
Lord Justice Longmore agreed with the majority on the outcome but dissented on the processing issue, holding that manual selection of data by an individual is not automatic processing and thus not covered by the 1998 Act in this context. He also supported the Defendant’s risk assessment policy as not unfair.
Holding and Implications
The court’s final decision was to DISMISS THE APPEAL and ALLOW THE CROSS-APPEAL, thereby upholding the trial judge’s order dismissing the Plaintiff’s claim.
The direct effect is that the Plaintiff’s claim for compensation under the Data Protection Act 1998 fails, as the court found either no relevant “processing” of data within the meaning of the Act or no unfairness causing loss. The Defendant’s risk assessment policy and termination decision stand unaffected.
No new precedent was set beyond clarifying the scope of “processing” under the 1998 Act and the application of fairness principles in the context of discretionary membership termination linked to risk assessment. The decision underscores the importance of the contractual context and commercial judgment in assessing fairness under data protection law.
Click here to read the full judgment
This is a paid feature.
Please subscribe to download the judgment.
Please subscribe to download the judgment.
Size
= Directly proportional to the number of citations
Color = Jurisdiction
U.S. Supreme Court
State Supreme Court
Court of Appeals
District Courts
Line Incoming
= Cited by Outgoing =
Cites
Use AI to get other relevant cases.
Comments