The second defendant, a company in the same group as the first defendant, was involved in a project for the development and operation of a software application (“app”) which was designed to analyse both real-time and historical data to assist clinicians to identify and treat patients potentially suffering from acute kidney injury. Pursuant to an information sharing agreement, which identified as its purpose both that project and a wider one which contemplated supporting clinical decision-making across a range of diagnoses and organs, in October 2015 there was a one-off transfer of historical patient-identifiable data from an NHS hospital trust, which was responsible for three hospitals, and a live data feed was also established for subsequent medical records. The app became operational at the trust in February 2017. Pursuant to CPR r 19.6, which subsequently became CPR r 19.8(1), the claimant brought a representative action on behalf of approximately 1.6 million people who had presented for treatment at the hospital trust between September 2010 and September 2015, and/or whose blood tests data had been held by the trust during the same period, seeking damages for misuse of private information. The defendants applied to strike out the claim and/or for summary judgment in their favour on the basis that the circumstances of the class members were so varied that the representative claimant had no realistic prospect of establishing misuse of private information in respect of all members of the claimant class, which was fatal to the claim since it meant that not all members had the “same interest” as the representative claimant as required by CPR 19.8. The claimant contended that the “same interest” test was satisfied as, save for direct care purposes, there was always a reasonable expectation of privacy in respect of information about a person’s health which had been generated in the course of the doctor-patient relationship, and that such information would not be shared without consent or the option to opt out, which meant that all members of the class had a valid claim for more than nominal damages. While accepting that recovery of individualised damages for any member of the claimant class could not be pursued via the CPR r 19.8(1) representative action, it was the claimant’s case that “lowest common denominator” damages for each member of the class, calculated by reference to the irreducible minimum harm suffered by all members, could be recovered.
On the defendants’ applications—
Held, applications granted. (1) For members of the class to have the “same interest”, it was necessary to establish that every member had a realistic prospect of establishing a reasonable expectation of privacy in their relevant data and an unlawful interference with it. Determining that matter in relation to an individual would usually involve an assessment of their particular circumstances, including the effect on them of the matters complained of. Alternatively, pursuit of a representative action under CPR r 19.8, on behalf of large numbers of people whose data had been transferred, required the representative claimant to leave their individualised aspects out of account and to pursue the claim on the basis of the lowest common denominator of circumstances that applied to each of the class members (paras 109, 117–121, 186).
(2) The tort of misuse of private information stemmed from the right to respect for private life guaranteed by article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms. However, not all information related to a person’s private life would automatically be protected and, while certain types of information would normally be regarded as giving rise to a reasonable expectation of privacy, they would not always do so. Furthermore, a de minimis threshold of seriousness applied which needed to be overcome before liability could arise. Consideration of whether information met that threshold was a fact-sensitive exercise to be undertaken on a case-by-case basis, rather than any particular category of information being exempt of the application of the threshold or being treated as always surmounting it. Thus, while information in relation to a person’s physical or mental health contained in doctor-patient records was a highly relevant factor in the assessment of whether the claimant had a reasonable expectation of privacy, information derived from the doctor-patient context did not inevitably give rise to such an expectation irrespective of the circumstances and the content. Accordingly, the representative claimant was unable to overcome the need for individualised assessment by relying on a proposition that a reasonable expectation of privacy existed over all the information contained in the class members’ transferred medical records, irrespective of their content and the circumstances (paras 67–69, 133–134).
(3) In applying the objective test as to whether a claimant had a reasonable expectation of privacy, the purpose of the intrusion was to be assessed at the point that it was alleged the misuse of information had occurred, since that was the event which was said to found the cause of action. Thus, where the complaint involved the transfer and initial storage of patient-identifiable data it was necessary to take into account the defendants’ purpose for the data as it was at that point. Equally, where the alleged interference related to the way in which patient data had subsequently been used, for example in testing the app, it was the defendants’ purpose for the data at that point which was relevant to determining whether there was a reasonable expectation of privacy in respect of it. However, where an intended use of data did not in fact materialise after the initial transfer, the relevance of its intended use could only inform assessment of the extent of the interference and the loss of control (paras 67, 139–140).
(4) The fact that information was already in the public domain could impact on whether there was a reasonable expectation of privacy and was a relevant circumstance to take into account. Where there were variables inherent in the nature and extent to which the content of the data was already in the public domain, either an individualised assessment of each claim was required (so that a representative action was not possible) or, if the claims were to be advanced on a global, irreducible minimum basis by reference to the basic circumstances that would apply to each member of the claimant class, then that irreducible minimum had to reflect a situation in which the patient identifiable information was already in the public domain in its entirety. Taking that matter into account along with other aspects of the “irreducible minimum” scenario, including that very limited, anodyne health-related information had been transferred and stored, that the information had been held securely and not accessed by anyone during the storage period, that the alleged acts of interference outside of patient direct care had been limited to the transfer of the data and to its secure storage for up to 12 months, and that there had been no impact other than the loss of control itself, it could not be said that every member of the claimant class had a realistic prospect of establishing a reasonable expectation of privacy in respect of their relevant medical records or of crossing the de minimis threshold. There was, for similar reasons, no realistic prospect of a court concluding at trial that every member of the class had experienced a wrongful interference with their data and nor could it be said that any member of the claimant class had any viable claim for more than trivial damages for loss of control of their information. It followed that the claim was bound to fail and, there being no other compelling reason to permit the claim to proceed, it would be struck out and summary judgment entered for the defendants (paras 120, 136, 138, 166, 168–169, 187).
Timothy Pitt-Payne KC, Gerard Rothschild and Stephen Kosmin (instructed by Mischon de Reya LLP) for the representative claimant.
Antony White KC and Edward Craven (instructed by Pinsent Masons LLP) for the defendants.
The interested party, LCM Funding UK Ltd, did not appear and was not represented.