Durant rides again: subject access requests and personal data revisited in Rudd v Bridle

Most data subject access requests (SARs) are routine, but every now and again one comes along which stretches the law beyond where it would normally go.  Rudd v Bridle[1] was such a SAR.

Dr Rudd was a medical doctor, and eminent in his field.  He had more than a hundred scientific articles to his name, and he was an expert in the diseases that result from contact with white asbestos (which had been banned in the EU since 2005).  Over the years he had been called as an expert witness in a number of cases.

Mr Bridle was retired, but had been a businessman.  From time to time he ran an organisation called Asbestos Watch which, despite its name, carried out lobbying-type activities in favour of asbestos manufacturers.  Mr Bridle had formed the view that there was no basis to Dr Rudd’s science, that Dr Rudd was a fraudster, and that Dr Rudd had conspired with others to defraud asbestos manufacturers by, amongst other things, giving fraudulent evidence as an expert witness.  The judge summarised Mr Bridle’s allegations against Dr Rudd as:

for motives of personal greed, and in order to enable individuals to claim undeserved compensation, Dr Rudd had been party to a massive fraud on the Court and on innocent businesses by deceiving the Court on a number of occasions by (a) falsely claiming expertise in relation to the diseases caused by asbestos, when he had no or insufficient relevant expertise (b) falsifying evidence as to the risks to health associated with the Chrysotile form of asbestos, and manufactured products such as asbestos cement containing chrysotile.

Mr Bridle had been active in making his views about Dr Rudd known.  He had written to a number of MPs and had even lodged a complaint with the General Medical Council with a view to getting Dr Rudd censured or even struck off (the GMC refused to intervene).

The case was unusual because of the seriousness of the underlying allegations.  As the judge pointed out, in many ways it was akin to an action in defamation.  In fact, it is probably safe to assume (though this is not referred to in the judgement) that Dr Rudd was using the SAR as a means by which to get more information in relation to a possible defamation action.  In particular, because it seemed that Mr Bridle had not acted alone, Dr Rudd wanted to find out the identities of Mr Bridle’s associates.

Dr Rudd had served a number of SARs on Mr Bridle.  Dissatisfied with what he had received as responses to his SARs, he started legal proceedings.  After a few initial skirmishes, the case had gone to court.  The primary function of the court was therefore to assess whether the responses provided by Mr Bridle did or did not comply with the law.  Although the relevant legislation was the Data Protection Act 1998 (DPA98), the important issues would not have been any different under the GDPR/DPA18 (GDPR/Data Protection Act 2018).

Both sides were represented by lawyers.  You might have thought that this would have led to a focus on the issues and a better-marshalled run-up to trial but, in fact, the contrary had been the case.  According to the judge: “It will be obvious that the parties’ approach to this case has been not only fractious but also undisciplined and disorderly, bordering at times on the chaotic.”  The fact that the judge had to do a lot of the work that should have been done by the lawyers (organising the claims, narrowing down the issues etc) may explain why some parts of his judgement do not quite make sense.

The main contribution of the lawyers had been to increase the costs the losing side would have to pay.  Mr Bridle, sensing the possibility of defeat and a large bill, had attempted to argue that his company (he had a corporate vehicle with, presumably, few assets) had been the controller all along, not him personally.  After a quick review of the facts, this was dismissed as a non-starter by the judge: Mr Bridle was the controller, not his company, and therefore any orders made by the court would be made against Mr Bridle personally.

Mr Bridle then tried to use the regulatory and journalism exceptions in the DPA98 (which also exist in the GDPR/DPA18) to limit the amount of information he had to disclose.  Again, both these defences were quickly dismissed by the judge.  Mr Bridle had undertaken no journalism or publication in the usual sense, and to rely on the regulatory exemption one had to be responsible for the discharge of a regulatory function: the fact that you might provide information to a regulator was not enough to trigger the exemption.

However, Dr Rudd was not winning every argument.  As part of his SARs, he had asked for the documents containing his personal data, not just the information contained in the documents.  As the judge pointed out, the DPA98 gave no right to documents, only to information.  Some commentators have suggested that this has now changed as a result of the wording of Article 15.3 of the GDPR, which makes express reference to copies: “The controller shall provide a copy of the personal data undergoing processing”, but this seems to stretch the meaning of ‘copy’ too far.  The personal data provided has to be a copy, otherwise the controller will not have a version itself, but this does not imply that the documents in which the personal data is held also have to be provided.

The remaining arguments in the case were the key ones.  Dr Rudd wanted to know the identities of a) the persons that had provided information to Mr Bridle (sources), b) the persons that Dr Rudd was alleged to have conspired with (presumably so that he could alert them to the fact that they had been named as committing fraud), and c) the persons to whom Mr Bridle had sent his allegations (recipients), those persons being people who had (we assume) worked with Mr Bridle to label Dr Rudd as a fraud.

As often occurs in difficult cases, the question was not whether or not the relevant data was personal data, but whether it was data relating to Dr Rudd.  Both the DPA98 and GDPR contain the same ‘relating to’ concept in their definitions of personal data:

DPA98: ‘personal data’ means data which relate to a living individual who can be identified–

GDPR: ‘personal data’ means any information relating to an identified or identifiable natural person

 

Identities of the persons that had provided information to Mr Bridle (sources)

This was relatively easy for the court to resolve because the wording of the DPA98 is clear (section 7):

“…an individual is entitled – ..(c) to have communicated to him in an intelligible form…..(ii) any information available to the data controller as to the source of those data, …”

 

The wording of the GDPR is not different in any material way:

where the personal data are not collected from the data subject, any available information as to their source (article 15.1.g)

Therefore, Mr Bridle had to disclose the sources of his information (subject, where the sources were individuals, to the DPA98’s provisions around third party consent).

 

Identities of the persons that Dr Rudd was alleged to have conspired with

Into this category fell four types of person.

  1. Those that Dr Rudd was alleged to have conspired with.
  2. Those that Dr Rudd was alleged to have helped attack others.
  3. Persons who had been “victims” of Dr Rudd.
  4. Those who, “within the personal data, are identified as persons to whom allegations of fraud have been made” (paragraph 116 of the judgement).

Persons falling into this category were neither sources nor recipients of personal data (except for category 4, on which see later), and therefore not covered by the source/recipient provisions of the DPA98.  Therefore, the identity of these persons need only be disclosed pursuant to a SAR if their identity formed part of personal data in relation to Dr Rudd.

To answer this question, the judge turned to the old Durant[2] case and cited this passage:

“Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data. Whether it does so in any particular instance depends on where it falls in a continuum of relevance or proximity to the data subject as distinct, say, from transactions or matters in which he may have been involved to a greater or lesser degree. It seems to me that there are two notions that may be of assistance. The first is whether the information is biographical in a significant sense, that is, going beyond the recording of the putative data subject’s involvement in a matter or an event that has no personal connotations, a life event in respect of which his privacy could not be said to be compromised. The second is one of focus. The information should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest, for example, as in this case, an investigation into some other person’s or body’s conduct that he may have instigated. In short, it is information that affects his privacy, whether in his personal or family life, business or professional capacity.”

 

The judge concluded that the identities falling into this category were personal data in relation to Dr Rudd, and therefore their identities were (subject to the standard rules around third-party disclosure) to be disclosed.  He had applied Durant, and had come to the conclusion that the identities of these persons were “integral to the information about him”, and the information “focuses on him and is biographically significant”.

 

Identities of the persons to whom Mr Bridle had sent allegations of Dr Rudd’s fraud (recipients)

This was the key point for Dr Rudd.  He wanted to know the identities of the other persons that had been involved in Mr Bridle’s plans to discredit him.

In relation to recipients, there is an important difference between the wording of the GDPR and the wording of the DPA98.  The GDPR provides that, in response to a SAR, the controller has to disclose:

the recipients or categories of recipient to whom the personal data have been or will be disclosed…… (article 15.1.g);

 

whereas the DPA98 (s.7) provided that:

an individual is entitled—

……

(b) …. to be given by the data controller a description of—

……

(iii) the recipients or classes of recipients to whom they are or may be disclosed [emphasis added].

 

A description of the recipients would not have given Dr Rudd what he needed: what he needed were the actual identities of the recipients.

However, Mr Bridle could only take refuge in the wording of the DPA98 if the identity of the recipients was not personal data in relation to Dr Rudd.  If the identities of Mr Bridle’s recipients were personal data in relation to Dr Rudd, then these would have to be disclosed as part of the general disclosure of personal data.

So – were the identities of Mr Bridle’s recipients personal data in relation to Dr Rudd?  This time the judge came to the opposite conclusion: the identities of the recipients were not personal data relating to Dr Rudd.

In my view, he came to the wrong conclusion.  To understand why, it is helpful to look at the judge’s reasoning.

The judge had drawn support from the Article 29 Working Party Opinion 4/2007 On The Concept Of Personal Data, and in particular from Example 9 of that paper, which is set out here in full.

Example No. 9: information contained in the minutes of a meeting.

An example of the need to perform the previous analysis with regard to each piece of information separately concerns the information contained in the minutes of a meeting, recording typically the attendance of participants Titius, Gaius and Sempronius; the statements made by Titius and Gaius; and a report of proceedings on certain topics as summarized by the author of the minutes, Sempronius. As personal data relating to Titius one can only consider the information that he attended the meeting at a certain time and place, and that he made certain statements. The presence in the meeting of Gaius, his statements and the proceedings about an issue as summarized by Sempronius are NOT personal data relating to Titius [emphasis added]. This is so even if this information is contained in the same document, and even if it was Titius who triggered the issue to be discussed at the meeting. It is therefore excluded from Titius’ right of access to his own personal data. Whether and to what extent that information can be considered as personal data of Gaius and Sempronius will have to be determined separately, using the analysis described before.

The judge seemed to be attempting to apply by analogy (though it is not wholly clear) the reasoning set out above.  If Sempronius is Mr Bridle, and Gaius is a recipient, then the proceedings about an issue as summarised by Sempronius/Bridle are not personal data relating to Titius (Dr Rudd).  Stretching the analogy a bit further, summaries contained in emails sent by Sempronius/Bridle to Gaius/recipient are not personal data relating to Titius/Rudd.

There are two main problems with this reasoning.  Firstly, the analogy does not hold.  The emails sent by Mr Bridle were not summaries about an issue in a neutral, person-agnostic way.  Those emails were clearly about Dr Rudd.

Secondly, it contradicts the reasoning of the WP29 Opinion.  In its Opinion the WP29 had, in relation to the ‘relating to’ wording, set out three different categories where data should be treated as relating to a living individual:

  1. Content, such as an HR file, where the data is clearly about the individual.
  2. Purpose, where the data is used to evaluate an individual, treat an individual in a certain way or influence the status or behaviour of an individual.
  3. Result, where the use of the data results in an effect (i.e. impact) on an individual.  In the WP29’s view: “It should be noted that it is not necessary that the potential result be a major impact. It is sufficient if the individual may be treated differently from other persons as a result of the processing of such data.”

Applying the results/impact approach advocated by the WP29’s Opinion, and given that the emails were essentially concerned with how to convince the world that Dr Rudd was a fraud, it is hard to avoid the conclusion that the information in the emails – as well as the identities of the persons to whom the emails were sent – would have an effect on Dr Rudd.  He would be treated differently from other persons as a result of the sending of those emails.  If the emails would have an effect on Dr Rudd then – following the approach recommended by the WP29 – the content of the emails, the date on which the emails were sent, and the identities of the persons to whom the emails were sent, were all personal data relating to him.

In addition to the WP29 Opinion, the judge had applied Durant and concluded, in relation to the identities of recipients: “It is not information relating to him. It is perfectly easy to understand what is being written about Dr Rudd in the extracts provided, without knowing to whom it is being written.”[3]

But even in Durant, the concepts of biographical data and focus on the individual were not intended to be determinative tests; they were merely tools to help in the analysis.  In Auld LJ’s words, they were merely “two notions that may be of assistance”.  The key question was summarised as: “In short, it is information that affects his privacy, whether in his personal or family life, business or professional capacity”.  It is hard to see how the identities of the recipients of Mr Bridle’s emails were not information that had an impact on Dr Rudd in a personal, business and professional capacity.

In fact, the judge was inconsistent on this point.  He had previously classified as personal data the identities of “those who, within the personal data, are identified as persons to whom allegations of fraud have been made” – see point 4 above (paragraph 116 of his judgement).  He gave the following example of a statement which, if it existed in Mr Bridle’s documents, would be personal data: “I have made an accusation to the GMC [a recipient] that Dr Rudd is guilty of fraud”.  This leads to the perverse result that, if Mr Bridle had kept a list of all the recipients to which he had communicated the allegations of fraud, that list would be personal data in relation to Dr Rudd, but the email records of those communications – even though they hold exactly the same information – are not personal data in relation to Dr Rudd.  This cannot be right.

One final point remained for the judge.  In his responses to Dr Rudd’s SARs, Mr Bridle had anonymised all third-party names, on the basis that it was not “reasonable in all the circumstances to comply with the request without the consent of the other individual” (DPA98, s7.4).  The judge concluded (as per the ICO guidance) that this blanket approach did not comply with the DPA98: the assessments had to be made on a case-by-case basis.  There is no reason to believe that this will be any different under the DPA18.

[1] https://www.bailii.org/ew/cases/EWHC/QB/2019/893.html.

[2] Durant v Financial Services Authority [2003] EWCA Civ 1746 [2004] FSR 28.

[3] The judge had reached the same conclusion in relation to the sources of information.