Is decision-making “processing” under the Data Protection Act?

The case of Johnson v Medical Defence Union has hit the Court of Appeal, with Mr Johnson still pursuing a claim for breach of the Data Protection Act 1998 in relation to the processing of his personal data in relation to his indemnity insurance policy.  The original decision[case via BAILII] was made back in March last year.  The Court of Appeal decisionhas just been published on BAILII.

To recap for those of you who are not familiar with the case, Mr Johnson had had his membership, and therefore insurance, revoked by the Medical Defence Union, something that they were contractually entitled to do.  However, his claim was that the information which lead to this decision had been obtained through unfair processing of his personal data in breach of the Act.  A risk manager had reviewed his claims files, and inputted information from those files onto a summary sheet which incorporated a scoring system.  It was this sheet which, when presented to a committee set up to decide such things, lead to the withdrawal of his membership. 

Case law in this area is scarce, and so judicial interpretation of wide terms such as “processing” and “fairness” as are set out in this decision - even if the judges are divided - are welcome.  Even if it is just so that those of use who work in this sector can breathe a sigh of relief that the courts find as much difficulty in interpreting them as we do!

The court had to consider whether the Act applied, and if it did, if there had been a breach.  Mr Johnson claimed the breach arose from:

“Selecting the information contained in the personal data and thereby presenting a false picture of the situation.”

It was not sufficient to show that there was personal data processed, and the result was unfair.  Mr Johnson had to show which act of processing was in itself unfair. 

“However, that said, the difficulty for Mr Johnson remains that the selection, and thus the carrying out of operations, of which he complains was done by Dr Roberts, using her own judgement, and not by any computer or by any automatic means. To the extent that the material on which she worked was already recorded on a computer Dr Roberts had to operate that computer in order to access the information, but no complaint is made of that: because it is not suggested that in looking at Mr Johnson’s record Dr Roberts shut her mind to, and therefore refused even to look at, any particular data. Similarly, having made her decisions Dr Roberts recorded them, or caused them to be recorded, in electronic form; but by that stage Dr Roberts had already made her decision, so the subsequent mechanical recording of her decision did not add to the alleged unfairness.”

In other words, and to summarise an incredibly complicated analysis in one sentence, the judges held (by a majority) that the act of selecting data was not in itself processing of data for the purposes of the Act - it was not automatic processing. 

An analogy (one of many) which particularly caught my eye was this one:

“Judges when they have decided what their reserved judgments should say place those conclusions on a computer, or dictate those conclusions for typing up by their clerk, again by use of a computer. Judgments tend to contain or to refer to a good deal of personal data in respect of the parties to the case. Judges are for that reason data controllers under the terms of the 1998 Act; but one does not need to stress the oddity of a conclusion that the typing of the judgment brings the decision-making process that preceded the typing within the “fairness” terms of the first Data Processing Principle.”

I have a lot of sympathy with the analysis of Buxton LJ, but Arden LJ, in the minority, disagreed.  Like the definition of personal data before it, as explored in the Durant case, “processing” can mean so many different things in so many different scenarios that the effect of making a firm decision as to its meaning could lead to a whole manner of unjust effects where the facts differ.  Like Durant, I can tell that this case will require some time before its effects are fully understood.

As an aside however, the commentary on the purpose of the Act and indeed the data protection directive contained in this judgement is also of interest.  Buxton LJ draws our eye to recital 10 of the directive, which states that:

“Whereas the object of national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognised both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and in the general principles of Community law;”

The judges seemed to agree on this point - the Act is primarily there to protect privacy - not employment related detriment which occurs as a result of a decision taken with reference to personal data.  It is not there to create a new cause of action for an injustice where no other cause would assist.  With the Data Protection Act being held as the reason for so much nonsensical bureaucracy, it is worth bearing in mind this overriding theme.