Johnson v Medical Defence Union (IDS 830)
The Data Protection Act 1998 (DPA) covers personal data that is processed on a computer. In Johnson v Medical Defence Union (IDS 830), however, the Court of Appeal said that this does not include information that is processed manually before it is stored or recorded on a computer.
Section 1(1) of the DPA applies to personal data that is processed “by means of equipment operating automatically in response to instructions given for that purpose” or “is recorded as part of a relevant filing system”.
“Processing” includes obtaining, recording or holding information or data or “carrying out any operation or set of operations on the information or data”. It must also be done fairly, according to the first principle underpinning the DPA.
As a member of the Medical Defence Union (MDU), Mr Johnson was entitled to professional indemnity cover. During his membership, no complaints of professional negligence were made against him, but he sought advice on numerous occasions about different incidents.
As a result of his record, the MDU’s risk management department carried out a computerised assessment review of him in May 2001. Most of the information retrieved by the assessor was held on computer, and the rest was paper-based. She made a computerised summary of the allegations, but made no judgement as to whether the complaints were well-founded.
As Mr Johnson scored highly against a standard form system, his case was referred to a committee of senior practitioners who recommended that his membership be terminated. As a result, his professional indemnity cover ended.
Arguments of the parties
Mr Johnson brought a claim for compensation under section 13 of the DPA, arguing that his expulsion had come about as the result of unfair processing of his personal data by the risk manager. He argued that it had caused him financial loss and damaged his professional reputation.
The union claimed that none of the data had been processed “automatically” by the risk manager. With regard to the electronic files, it argued that she had used her own judgment to make a summary of the files she had read on the computer database. The manual files were irrelevant as they did not form part of a “relevant filing system” and were therefore exempt.
High Court decision
The main question for the High Court was whether the manual selection of information by the risk manager constituted “processing” of personal data under the DPA. The judge said that it did, even though it did not involve any “equipment operated automatically.”
However, the judge decided that, overall, the way that Mr Johnson’s personal data had been processed was fair and dismissed his claim for compensation.
Decision of Court of Appeal
By a majority, the Court of Appeal held that the selection of personal data by the risk manager from different sources did not amount to “processing” of data under the DPA.
It said that data had to be processed automatically to fall within the Act. Although some parts of the risk assessment had been carried out electronically, the assessor had first reached her conclusions from information that she had selected and analysed manually. That process was not caught by the Act.
Otherwise, the Court concluded, anyone who made a decision based on information which they then put on a computer would find themselves covered by the Act. This would include, for instance, the reserved judgments of judges once they were typed up on a computer. And “one does not need to stress the oddity of a conclusion that the typing of the judgment brings the decision-making process that preceded the typing within the ‘fairness’ terms of the first Data Processing Principle.”