Kul v DWF Law LLP

Abstract

The claimants brought proceedings based on processing of their personal data by the defendant law firm (D) in personal injury litigation arising from road traffic accidents.

D acted for a large number of insurers who were substantive defendants to road traffic accident claims brought by individuals represented by a firm of solicitors (E). The claimants instructed E, who obtained reports from a psychiatrist (Y) containing personal information about them and their injuries, including special category data. The first claimant later abandoned her psychological injury claim and D consequently pursued a finding of fundamental dishonesty in the County Court.

A few months before the trials were due to commence, D served a witness statement (JS1) from the insurer's head of organised fraud (S) who had reviewed the data relating to claims issued or threatened against its clients by 372 individuals represented by E. Many of those involved reports by Y, who diagnosed a recognised psychiatric condition in each case. The data from which the conclusions were drawn was exhibited in a spreadsheet and included the names and ages of the claimants and details of any psychological or psychiatric referral. Information in the spreadsheet was not redacted or subjected to any form of pseudonymisation.

D contended that the data processing in JS1 fell within the exemptions under Regulation 2016/679 (UK GDPR), supplemented by the Data Protection Act 2018 Sch.2, as being necessary for the purpose of legal proceedings. E applied for an order to debar D from relying on JS1 in the E claims. The application was refused on the basis that JS1 constituted admissible similar fact evidence. E sent letters before action to D on behalf of the potential claimants, complaining of JS1 as a serious data breach. D pseudonymised the information when an alternative means was identified such that the subjects referenced in JS1 could be identified by E's client reference numbers instead of by their names.

The claimants submitted that the processing in JS1 was not necessary, that the data had limited value in relation to the identified objective, and that the processing lacked transparency.

Held

Claims dismissed.

Purpose of processing - By means of JS1, D had processed the claimants' personal data without their consent. However, it had done so on its clients' instructions arising from concerns as to how claims pursued by the same law firm and using the same medical experts were being pursued: there were multiple claims of lengthy psychological injury, which raised suspicion of exaggeration and fraud. Given those concerns, the purpose of the JS1 data processing was clear: it would be open to a defendant to rely on similar fact evidence in seeking to establish exaggeration or fraud in an individual claim, O'Brien v Chief Constable of South Wales [2005] UKHL 26, [2005] 2 A.C. 534, [2005] 4 WLUK 730 followed, Kerseviciene v Quadri [2022] EWHC 2952 (KB), [2022] 11 WLUK 250 applied. The data processing was for a specified, explicit and legitimate purpose, carried out in performance of D's professional obligations to its clients for the public interest task of ensuring the proper administration of justice, and in the legitimate interests of its clients pursuant to art.6(1)(c), art.6(1)(e) and art.6(1)(f) of the UK GDPR. Moreover, other than the limited number of individuals within D who were involved in the data processing or who otherwise had a reason for seeing JS1, the only disclosure of the data by D was to E and the courts. The further disclosure of the data to other individual claimants listed in the spreadsheet which formed part of JS1 was by E, not D (see paras 80-83, 88 of judgment).

Necessity and proportionality - The claimants argued that the information could have been presented in a pseudonymised form, thus meeting D's objectives without breaching their right to privacy. S was unable to use D's case management system, which referenced accidents and not individuals; nor was he able to use initials or surnames, because those involved in road traffic accidents were likely to be members of the same family with the same name. He also considered that requests would inevitably be made for further clarification and copies of source material if he attempted to summarise the information. Given that he would be providing data to solicitors who had been instructed to act for all those named within the spreadsheet attached to JS1, and who therefore already had the information in question, S took the view that this was a necessary and proportionate means of processing the data. The processing was necessary for the pursuit of D's legitimate objectives, which were not outweighed by the claimants' interests or fundamental freedoms (paras 90-92).

Given the primacy afforded to open justice, the claimants could reasonably have expected that the information in issue would be disclosed in open court with a view to embarking on litigation. D was not responsible for E's failure to redact the information after JS1 was filed with the court. The claimants' interests did not take precedence over the legitimate interests of D's insurer clients in putting the JS1 data before the court to support the plea of fundamental dishonesty. JS1 fell within the exception allowed by art.9(2)(f) relating to special category data and was necessary for a lawful processing condition (paras 93-94, 96-97).

Fairness - The claimants were not deceived or misled by D when the data was obtained. Had they looked at D's website, they would have been advised of the potential use of their personal information in order to perform services for its clients, and that elements of that information might be disclosed to third parties. The impact of D's processing of that data was minimal and did not give rise to an unjustified detriment: it was undertaken for lawful purposes and was necessary and proportionate. Accordingly, no unfairness arose from the processing involved in the creation of JS1 and its limited disclosure by D (paras 100-102).

Transparency - The claimants contended that the processing involved in JS1 was not transparent because it was not inherently foreseeable and went further than might reasonably be expected in a personal injury claim. However, D had not acted in a way contrary to what might reasonably be expected in drawing E's attention to the evidential basis for its concerns and in putting that before the court in support of its clients' pleas of fundamental dishonesty (paras 104-105).

Data minimisation, storage limitation, integrity and confidentiality - Given that the processing of personal data should be limited to that which was necessary in relation to the purpose of the processing, kept in a form which permitted identification of the data subject for no longer than necessary and processed in a manner that ensured appropriate security, pseudonymisation would be a potentially relevant means of complying with those obligations. However, no breach of those requirements arose in this case. No issue had been identified regarding D's processing or storage of the claimants' personal data prior to the disclosure of JS1. The use of names was necessary at the point JS1 was disclosed to E and the court, although it was not necessary for the further disclosure by E and D had duly pseudonymised the information when an alternative means was identified (paras 108-109).