The
MDU is a
non-profit mutual society set up to defend the professional
reputation of its members. It offers a discretionary professional
indemnity policy for its members, but requires that a membership
risk assessment review be carried out if complaints against members
reach a certain level.
This review includes a scoring system in which certain
complaints or allegations are given set points. The system does not
require that any allegation or complaint is proved, but simply that
it is made.
In May 2001 the score sheet belonging to David Paul Johnson, a
consultant orthopaedic surgeon, and a member of the MDU since 1986, reached a level
where a risk assessment of his membership was triggered.
While Johnson had never been the subject of a claim for alleged
professional negligence, he had contacted the MDU over the years
seeking advice over professional problems, including complaints. By
March 2002, the MDU had opened 17 files relating to Johnson.
A panel of senior clinicians considered his case history and in
January 2002 decided not to renew his membership of the MDU when
his existing membership expired on 31st March 2002. They gave no
reasons for the termination.
Johnson’s professional indemnity cover was also terminated,
although he managed to find alternative cover immediately.
But Johnson was unhappy with the way he had been treated,
believing that it had damaged his reputation by showing that the
MDU thought him to
be a serious risk. He filed suit, seeking compensation under the
Data Protection Act 1998 (DPA) on the grounds that the MDU had
unfairly processed data held on him, in breach of the Act's first
principle requirement that data processing must be fair and
lawful.
This was particularly so, he said, because the MDU had based its
assessment on an arbitrary scoring system – without giving him a
chance to give his side of the story.
In response the MDU argued that the termination was carried out
according to the terms of its risk assessment policy – to which
Johnson had signed up.
Sitting in the High Court, Mr Justice Rimer had firstly to
decide whether any of Johnson’s personal data was processed in the
course of carrying out the risk assessment review, bringing the DPA
into play, and if it was, whether this processing had been carried
out unfairly.
He then had to decide whether, if the processing had been
unfair, it would have made any difference to the outcome of the
review if the processing had actually been carried out fairly.
Was the data processed?
At the time at which Johnson’s membership was terminated, the
MDU assessed
membership risk in three ways:
- A risk assessment review (RAR) form – an anonymous form,
prepared by a risk manager, summarising files opened in respect of
the member and containing any allegation, claim or complaint that
had been the subject of a contact by the member with the MDU (lead
files) or the subject of a contact by another member (non-lead
files). Outcomes were included if known, but were not material –
the MDU regarded only the allegations, not their outcomes, as
relevant to a consideration of risk to its funds.
- A ‘score sheet’ – a standard form system of points, measured
according to the type of complaint or claim lodged. It did not
require that any allegation or complaint was proved, but simply
that it was made. In general if the score sheet reached 50 (out of
100) in respect of a particular member then that member was
referred to the risk assessment group for consideration.
- The risk assessment group (RAG) – a panel of senior clinicians
who assessed the risk a particular member posed to MDU funds and
made recommendations to the Board of the MDU. They based their
decisions on the RAG sheet (a summary of the RAR sheet), the RAR sheet and the score sheet.
Manual files were not present at meetings of the RAG, and neither
were the members under consideration.
In Johnson’s case the risk manager was Dr Karen Roberts. She
prepared the forms from 15 lead files and two non-lead files and
awarded Johnson a score of 60, leaving it to the RAG to decide whether to add a
further 20 points because Johnson had ‘failed to change his
behaviour’ in respect of an alleged computer security issue.
In the end the RAG did add the extra 20 points, bringing Johnson
up to 80 points – the level at which termination of membership was
normally recommended.
In court Johnson charged that the documents on which the RAG
based its recommendation were unfairly processed and accordingly
the termination of his membership was unfair.
The court had first to decide if they had been processed at all
– 12 of the files used by Dr Roberts were manual, and therefore
potentially out with the scope of the DPA.
Mr Justice Rimer considered all the files used by Dr Roberts.
Twelve were manual, three were held digitally, one was on
microfiche and the other on CD. Summaries of all the files, known
as ‘day one summaries’, were held on computer.
The Judge found that the manual files and microfiche files did
not fall under the DPA, as they did not amount to a ‘relevant
filing system’. However he considered that:
“Dr Roberts's selection of material from the
various manual and microfiche files and their inputting into a
computer amounted to "processing" within the meaning of the
definition of 'processing'… [under the Act]; and that it makes no
difference that none of such files was or formed part of a
'relevant filing system.' I accept also that her selection of
information from the computerised files for inputting into the
computer similarly amounted to 'processing' within the meaning of
that definition”.
Accordingly all the data had been processed under the DPA.
Was the data processed fairly?
The first principle of the DPA requires that “personal data
shall be processed fairly and lawfully”. According to Johnson, his
data had been dealt with in an unfair manner and the
MDU had acted in
breach of the DPA, but the Judge accepted this argument only to a
very small extent.
Rimer J considered the lead files and non-lead files separately
in reaching his decision.
In his opinion there was nothing in the DPA to require the MDU
to consult with Johnson in relation to data supplied by him. He had
agreed to the use of his personal data for the purposes of risk
assessment when he signed up to renew his membership with the
MDU.
Lawyers for Johnson argued that when he had renewed his
membership, the agreement had not made it clear that the personal
data provided by Johnson, including requests for advice on
professional incidents, could be used against him.
“That submission has caused me some anxiety, because I am
disposed to accept that the average MDU member is unlikely to have
concluded from the reference to 'risk management' in the processing
agreement that his data could or might be used against him in the
way that Mr Johnson's was,” said the Judge.
But the Judge added that, with sufficient care and thought,
Johnson would have worked out that the MDU, like any body carrying
on insurance functions, had to be concerned with internal risk
management, including issues of subscriptions and membership
termination. The agreement was therefore clear enough.
Johnson’s lawyers also argued that the MDU should have sought
Johnson’s opinion on the RAR form, the score sheet and
the RAG sheet.
The Judge disagreed. Neither the Data Protection Directive nor
the DPA required the MDU to consult with Johnson after processing
his data, even though to the layman this might appear to be the
fair thing to do.
“I regard it as no part of the court's function to pass judgment
on the merits of the policy” adopted by the MDU, he said. The MDU
had set its policy and Johnson had signed up to it.
“In the contractual context applicable to this case, the MDU is
entitled first to determine its policy. Having done so, it then has
to ensure that any processing of members' data in line with that
policy is carried out fairly,” he added.
However, the position was different with regard to the non-lead
files, of which Johnson was completely unaware. Here, in order to
comply with the fair processing requirements of the Act, Johnson
should have been allowed to access and, if necessary, rectify, the
files. The processing carried out by the MDU in respect of these
two files was therefore unfair.
But Justice Rimer added: “for like reasons already given in
relation to the lead files, I do not regard the fair processing of
the non-lead files also to have required the MDU to consult with Mr
Johnson about the processing exercise or to have invited his
representations upon it”.
He then considered the files individually, and found that in
preparing the summaries, Dr Roberts had not processed any of the
files unfairly.
Would it have made a difference if Johnson had been allowed to
access and rectify the non-lead files?
No, said Justice Rimer. He explained:
“Neither of the non-lead files carried any
score and each was fairly summarised in line with the MDU risk
assessment policy. Had Mr Johnson been given the opportunity to
comment on these files, or make proposals for their rectification,
I have no doubt that he would have taken it up. I do not accept,
however, that his representations in relation to them would be
likely to have made any difference to the ultimate decision to
terminate his membership”.
The Judge considered the question of compensation for Johnson,
who had claimed that the termination of his membership had
tarnished his reputation, and that he had suffered distress.
Even if Johnson had shown there to be a breach of the DPA, there
was nothing in the Act giving Johnson a right to compensation for a
general loss of reputation, said the Judge, pointing to the law of
defamation as the appropriate vehicle for such a claim.
He would, however, have been able to claim for pecuniary losses
and subsequently for distress, if the MDU had been shown to be
infringing the DPA.
