Out-Law News

Data processing for risk review was fair, says High Court


A risk assessment review carried out by the Medical Defence Union (MDU) against one of its members, resulting in his membership being terminated, was fair in terms of the Data Protection Act, the High Court has ruled.

The MDU is a non-profit mutual society set up to defend the professional reputation of its members. It offers a discretionary professional indemnity policy for its members, but requires that a membership risk assessment review be carried out if complaints against members reach a certain level.

This review includes a scoring system in which certain complaints or allegations are given set points. The system does not require that any allegation or complaint is proved, but simply that it is made.

In May 2001 the score sheet belonging to David Paul Johnson, a consultant orthopaedic surgeon, and a member of the MDU since 1986, reached a level where a risk assessment of his membership was triggered.

While Johnson had never been the subject of a claim for alleged professional negligence, he had contacted the MDU over the years seeking advice over professional problems, including complaints. By March 2002, the MDU had opened 17 files relating to Johnson.

A panel of senior clinicians considered his case history and in January 2002 decided not to renew his membership of the MDU when his existing membership expired on 31st March 2002. They gave no reasons for the termination.

Johnson’s professional indemnity cover was also terminated, although he managed to find alternative cover immediately.

But Johnson was unhappy with the way he had been treated, believing that it had damaged his reputation by showing that the MDU thought him to be a serious risk. He filed suit, seeking compensation under the Data Protection Act 1998 (DPA) on the grounds that the MDU had unfairly processed data held on him, in breach of the Act's first principle requirement that data processing must be fair and lawful.

This was particularly so, he said, because the MDU had based its assessment on an arbitrary scoring system – without giving him a chance to give his side of the story.

In response the MDU argued that the termination was carried out according to the terms of its risk assessment policy – to which Johnson had signed up.

Sitting in the High Court, Mr Justice Rimer had firstly to decide whether any of Johnson’s personal data was processed in the course of carrying out the risk assessment review, bringing the DPA into play, and if it was, whether this processing had been carried out unfairly.

He then had to decide whether, if the processing had been unfair, it would have made any difference to the outcome of the review if the processing had actually been carried out fairly.

Was the data processed?

At the time at which Johnson’s membership was terminated, the MDU assessed membership risk in three ways:

  • A risk assessment review (RAR) form – an anonymous form, prepared by a risk manager, summarising files opened in respect of the member and containing any allegation, claim or complaint that had been the subject of a contact by the member with the MDU (lead files) or the subject of a contact by another member (non-lead files). Outcomes were included if known, but were not material – the MDU regarded only the allegations, not their outcomes, as relevant to a consideration of risk to its funds.
  • A ‘score sheet’ – a standard form system of points, measured according to the type of complaint or claim lodged. It did not require that any allegation or complaint was proved, but simply that it was made. In general if the score sheet reached 50 (out of 100) in respect of a particular member then that member was referred to the risk assessment group for consideration.
  • The risk assessment group (RAG) – a panel of senior clinicians who assessed the risk a particular member posed to MDU funds and made recommendations to the Board of the MDU. They based their decisions on the RAG sheet (a summary of the RAR sheet), the RAR sheet and the score sheet. Manual files were not present at meetings of the RAG, and neither were the members under consideration.

In Johnson’s case the risk manager was Dr Karen Roberts. She prepared the forms from 15 lead files and two non-lead files and awarded Johnson a score of 60, leaving it to the RAG to decide whether to add a further 20 points because Johnson had ‘failed to change his behaviour’ in respect of an alleged computer security issue.

In the end the RAG did add the extra 20 points, bringing Johnson up to 80 points – the level at which termination of membership was normally recommended.

In court Johnson charged that the documents on which the RAG based its recommendation were unfairly processed and accordingly the termination of his membership was unfair.

The court had first to decide if they had been processed at all – 12 of the files used by Dr Roberts were manual, and therefore potentially outwith the scope of the DPA.

Mr Justice Rimer considered all the files used by Dr Roberts. Twelve were manual, three were held digitally, one was on microfiche and the other on CD. Summaries of all the files, known as ‘day one summaries’, were held on computer.

The Judge found that the manual files and microfiche files did not fall under the DPA, as they did not amount to a ‘relevant filing system’. However he considered that:

“Dr Roberts's selection of material from the various manual and microfiche files and their inputting into a computer amounted to "processing" within the meaning of the definition of 'processing'… [under the Act]; and that it makes no difference that none of such files was or formed part of a 'relevant filing system.' I accept also that her selection of information from the computerised files for inputting into the computer similarly amounted to 'processing' within the meaning of that definition”.

Accordingly all the data had been processed under the DPA.

Was the data processed fairly?

The first principle of the DPA requires that “personal data shall be processed fairly and lawfully”. According to Johnson, his data had been dealt with in an unfair manner and the MDU had acted in breach of the DPA, but the Judge accepted this argument only to a very small extent.

Rimer J considered the lead files and non-lead files separately in reaching his decision.

In his opinion there was nothing in the DPA to require the MDU to consult with Johnson in relation to data supplied by him. He had agreed to the use of his personal data for the purposes of risk assessment when he signed up to renew his membership with the MDU.

Lawyers for Johnson argued that when he had renewed his membership, the agreement had not made it clear that the personal data provided by Johnson, including requests for advice on professional incidents, could be used against him.

“That submission has caused me some anxiety, because I am disposed to accept that the average MDU member is unlikely to have concluded from the reference to 'risk management' in the processing agreement that his data could or might be used against him in the way that Mr Johnson's was,” said the Judge.

But the Judge added that, with sufficient care and thought, Johnson would have worked out that the MDU, like any body carrying on insurance functions, had to be concerned with internal risk management, including issues of subscriptions and membership termination. The agreement was therefore clear enough.

Johnson’s lawyers also argued that the MDU should have sought Johnson’s opinion on the RAR form, the score sheet and the RAG sheet.

The Judge disagreed. Neither the Data Protection Directive nor the DPA required the MDU to consult with Johnson after processing his data, even though to the layman this might appear to be the fair thing to do.

“I regard it as no part of the court's function to pass judgment on the merits of the policy” adopted by the MDU, he said. The MDU had set its policy and Johnson had signed up to it.

“In the contractual context applicable to this case, the MDU is entitled first to determine its policy. Having done so, it then has to ensure that any processing of members' data in line with that policy is carried out fairly,” he added.

However, the position was different with regard to the non-lead files, of which Johnson was completely unaware. Here, in order to comply with the fair processing requirements of the Act, Johnson should have been allowed to access and, if necessary, rectify, the files. The processing carried out by the MDU in respect of these two files was therefore unfair.

But Justice Rimer added: “for like reasons already given in relation to the lead files, I do not regard the fair processing of the non-lead files also to have required the MDU to consult with Mr Johnson about the processing exercise or to have invited his representations upon it”.

He then considered the files individually, and found that in preparing the summaries, Dr Roberts had not processed any of the files unfairly.

Would it have made a difference if Johnson had been allowed to access and rectify the non-lead files?

No, said Justice Rimer. He explained:

“Neither of the non-lead files carried any score and each was fairly summarised in line with the MDU risk assessment policy. Had Mr Johnson been given the opportunity to comment on these files, or make proposals for their rectification, I have no doubt that he would have taken it up. I do not accept, however, that his representations in relation to them would be likely to have made any difference to the ultimate decision to terminate his membership”.

The Judge considered the question of compensation for Johnson, who had claimed that the termination of his membership had tarnished his reputation, and that he had suffered distress.

Even if Johnson had shown there to be a breach of the DPA, there was nothing in the Act giving Johnson a right to compensation for a general loss of reputation, said the Judge, pointing to the law of defamation as the appropriate vehicle for such a claim.

He would, however, have been able to claim for pecuniary losses and subsequently for distress, if the MDU had been shown to be infringing the DPA.
