Legal update - data protection: best practice


Strict rules govern disclosure of personal or sensitive data, even within legal proceedings. Emma Foxon reviews relevant case law to advise on best practice.

When disclosing documents during legal proceedings, issues arise in relation to records containing personal information and data pertaining to third parties not involved in the litigation.

The majority of concerns arise due to implications of the Data Protection Act 1998, which lays down principles for the way in which personal data must be managed. The Act also provides a framework to ensure such data is handled properly.

Section 35 of the Act specifically states that all the restrictions and requirements imposed by it limiting disclosure of personal data do not apply when the disclosure is for the purposes of legal proceedings — including prospective ones. So, arguably, insurers need not concern themselves with the formalities that would usually be encountered with regards to personal data when the disclosure is within the context of proceedings.

But it is necessary to bear in mind that, aside from the provisions of the Act, there may still be issues of confidentiality behind much of the information and records held by parties to legal proceedings. Consequently, insurers should always err on the side of caution and try to safeguard as much personal and confidential information as possible.

Disclosure in civil proceedings is principally governed by Part 31 of the Civil Procedure Rules. The problem arises when there is confidential data that falls within a defendant's disclosure obligation. CPR 31 makes no mention of confidential data, third-party data or commercially sensitive data; so in order to deal with this issue we have to look at case law.

Confidentiality conundrum
The leading case on disclosure of confidential information is the House of Lords decision in Science Research Council v Nasse (1980). In this sex discrimination case, Ms Nasse sought disclosure of annual assessments relating to two of her colleagues promoted above her.

The House of Lords held that there was no principle of English law by which documents were protected from disclosure by reason of confidentiality alone. However, the court would have regard to the fact that the documents contained confidential information and that disclosure would constitute a breach of confidentiality.

Whether the personal information was relevant was an important factor — but not an automatically sufficient ingredient to compel disclosure and the ultimate test for the court was whether the disclosure sought was necessary for disposing fairly of proceedings. It considered whether the necessary information had been, or could be, obtained by other means that would not involve a breach of confidentiality. Ultimately, the House of Lords accepted that the Science Research Council did not have to disclose the files relating to the other two employees on the basis they held confidential information about those employees and those records were not necessary to dispose of Ms Nasse's case.

Another, more recent case concerning disclosure and data protection is that of Webster & Durnford v Ridgeway Foundation School Governors (2009). This case concerned an action in negligence brought against a school by the parents of a boy attacked by other pupils. The school redacted its disclosure documents so that pupils' names could not be seen.

The claimants sought specific disclosure of names that had been redacted on disclosure documents. But the primary question in the court's view was whether the document in question was relevant and necessary for resolving the matters in dispute.

It considered that the provisions of the Data Protection Act 1998 were irrelevant because they allowed disclosure in legal proceedings. The court also considered Article 8 of the European Convention on Human Rights, the right to private life, balanced with Article 6, the right to a fair trial.

In conclusion, the court erred on the side of protection of personal data, and refused to permit the disclosure of names of other pupils who had been victims of assaults and bullying — on the basis this would have been an interference with their private lives. This case shows there is a high threshold when justifying disclosing personal data relating to children not involved in the case.

The case of Croft House Care, Orchard Home Care and Kelly Park Caring Agency v Durham City Council (2010) involved a dispute over the disclosure of commercial or business sensitive information. The claimants brought proceedings against the council for breaches of a procurement process.

The council did not want to disclose commercially sensitive data provided by those that had tendered, nor disclose information that would prejudice its ability to re-run the procurement process in the future. The High Court held that, when balancing the confidentiality rights of third parties against the necessity of documents to be provided for the purpose of a fair trial, the tender documents should be disclosed. It was found that the data went directly to the pleaded case.

Seeking consent
If the data is necessary, consent should be sought and, if it cannot be obtained, the documents being disclosed should be redacted. If the opponent demands sight of the un-redacted version then the decision rests with the court to balance the considerations and needs of each party, following which it can order disclosure if it deems this to be justified and necessary in the circumstances.

This is likely to be the safest course of action and, should the matter lead to any complaint as to breach of confidentiality, insurers will be better protected because the documentation will have been disclosed pursuant to a court order. Furthermore, any disclosure provided within proceedings can only be used by the parties for the purpose of the proceedings in which it is disclosed — arguably limiting the exposure of the sensitive data concerned.

When dealing with sensitive personal information, if a person cannot be traced to give suitable consent then it is best to insist upon having a court order disclosure to protect the insured's position.

Ultimately, when faced with the question of confidential information disclosure it is always advisable to err on the side of caution and, wherever possible, seek to comply with the requirements of the Data Protection Act by not disclosing any personal data relating to or identifying a third party without their consent. If this is not possible, a court order should provide protection and is the safest way for this often difficult question to be dealt with.

Emma Foxon is a solicitor in the insurance law division at Langleys Solicitors

  • LinkedIn  
  • Save this article
  • Print this page  

You need to sign in to use this feature. If you don’t have an Insurance Post account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an indvidual account here: