This case raises issues relating to the processing of data disclosed in personal injury litigation. When an analysis of data across County Court proceedings has given rise to concerns as to the veracity of the claims, what, if any, should be the limitations on the processing of that data when considering applying for the dismissal of particular claims for fundamental dishonesty? In the current proceedings, the claimants complain of the actions of the defendant in proceedings to which the claimants themselves were not parties, which they say violated their rights as data subjects.

The claims before me are brought under the United Kingdom General Data Protection Regulation (“UK GDPR”); 137 claimants were initially involved but all save the current three claimants (originally the first, thirty-sixth and thirty-seventh claimants) subsequently discontinued their claims. For convenience, when necessary to distinguish between them, I refer to the current claimants as C1, C2 and C3.

The claimants were involved in road traffic accidents; C2 and C3 in an accident on 2 October 2016, C1 in an accident on 19 January 2019. Ersan and Co Solicitors (“Ersan”) were instructed to act for each of the claimants.

C2 was age 10 at the time of the accident; as a minor, in all court proceedings in which he was involved, C2 acted through C3, his father and litigation friend, until he turned 18, on 5 May 2024. A claim notification form in respect of C2 was received by the defendant, acting for the relevant insurer, relating to C2s’s potential claim relating to the 2016 accident. This made apparent that a medical report had been obtained from a Dr Shaikh and a psychiatric report from a Dr Yahli. After pre-action correspondence, on 22 January 2019, C2’s personal injury claim was settled.

C3 also pursued a claim in his own right relating to the same accident. He issued proceedings on 7 July 2017, naming the other driver and their insurer as defendants and claiming damages for physical and psychological injuries, with reliance being placed upon a report from Dr Shaikh, which provided personal information regarding C3 and details of his alleged injuries. Ultimately C3’s claim was settled on 5 October 2017.

On 22 February 2022, C1 issued proceedings in relation to the accident in which she was involved. The pleaded case against the other driver and their insurance company initially included a claim for damages for physical and psychological injuries, in support of which two medical reports were served, one from a Dr Bansal of 3 March 2019, which provided personal information relating to C1 and a summary of her claimed physical and psychological injuries, the second, from Dr Yahli dated 15 October 2019, which provided further personal information regarding C1 and further detail relating to her claimed psychological injuries. At a later stage, C1 abandoned her claim of psychological injury, no longer relying on the report from Dr Yahli. In the defence, reliance was placed on the earlier claim of psychological injury and its abandonment, the defendants inviting the court to make a finding of fundamental dishonesty under section 57 Criminal Justice and Courts Act 2015. C1’s claim remains on-going and there has yet been no determination of the question of fundamental dishonesty.

The defendant is a law firm that acts for some 18 insurers who are substantive defendants to a large number of road traffic accident claims brought by individuals represented by Ersan; those insurers include defendants (or, in C2’s case, a potential defendant) to the claims advanced by the claimants.

In the course of 2021, various applications were considered by the Mayor’s and City of London County Court relating to some 43 separate claims for personal injury and other losses arising from road traffic accidents, in which the claimants were all represented by Ersan (“Ersan claims”). Each claimant initially relied on a psychiatric report from Dr Yahli but had subsequently made clear they no longer wished to do so, applying for leave to obtain alternative psychiatric evidence. For the defendants, applications were made to have all 43 claims case managed and determined by the same judge, it being argued that the Ersan claims were unusual, given the high proportion of claims for damages for psychological injury with (as opined by Dr Yahli) a prognosis of significant duration. The defendant’s application was refused by Her Honour Judge Backhouse, who also refused all but one application to obtain fresh psychiatric evidence (observing there was little or no evidence of psychiatric injury). The Ersan claims were listed for trial, with the first trials due to commence during the latter part of 2021.

A few months before the trials were due to commence, the defendant (acting on behalf of the insurers) served a witness statement (dated 18 June 2021) from its director and head of organised fraud, Mr James Stevens, relating to the Ersan claims; this being done by service of the statement on Ersan, as solicitors for the claimants. The statement was intended to be relied upon in support of the contention made by the insurers in the Ersan claims that the court should make findings of fundamental dishonesty. Mr Stevens explained that, on the instructions of 18 of the defendant’s insurer clients, he had undertaken a review of data relating to claims that had been issued or threatened against those clients by 372 individuals represented by Ersan in respect of road traffic accidents occurring between 22 February 2016 and 1 March 2021. The fruits of that analysis were set out within Mr Stevens’ statement and the exhibits thereto (referred to in the present proceedings as “JS1”).

Mr Stevens explained the composition of the analysed claims as follows:

Summarising his conclusions from reviewing the 340 Ersan CNFs, Mr Stevens observed:

The data from which Mr Stevens drew those conclusions was exhibited in the form of a spreadsheet with a line for each of the claims analysed and data set out under headings that included the name of the claimant, whether they were under 16, dates of any medical examinations, whether there had been a referral to a psychiatrist/psychologist and, if so, the diagnosis and prognosis. Information entered into the spreadsheet was not redacted or subjected to any form of pseudonymisation.

In response to the service of JS1, in or around late July 2021, letters were sent from various of those included within the spreadsheet to the defendant and relevant insurers, objecting to the use of their personal data and contending that this had amounted to a breach of data protection legislation; within those letters, the point was made that pseudonymisation of the various claimants referenced in the data set would have been a less intrusive form of processing the personal data in question. In responding to these objections, the defendant made clear its position that the data processing in JS1 fell within the exemptions under the UK GDPR, as necessary for the purpose of, or in connection with, legal proceedings (or prospective legal proceedings), obtaining legal advice, or establishing, exercising or defending legal rights. It was noted that data subjects had a continuing right to object, but that this was not an absolute right. The various insurers similarly responded in like terms.

In early August 2021, applications were made in the County Court for an order to debar the defendant (acting on behalf of any of the 18 insurer defendants in the Ersan claims) from adducing and relying upon JS1.

The applications to debar were initially advanced on the grounds that JS1 was inadmissible evidence of a quasi-expert nature, was unreliable, and that it ought to be excluded as it contravened the UK GDPR. A skeleton argument (settled by leading and junior counsel) was served in support, which included submissions as to the processing of personal data, including special category data, in JS1, and took issue with the suggestion (made by the defendant) that the processing was necessary for the purposes of establishing, exercising or defending legal rights and thus fell within the exemption permitted by paragraph 5(3) Schedule 2 Part 1 of the Data Protection Act 2018; in addressing the issue of necessity and the litigation exemption, specific reference was made to the fact that the data had not been anonymised.

Addressing these points in a further witness statement (“JS2”), dated 23 September 2021, Mr Stevens provided more detailed explanation as to the reliance placed on the JS1 data analysis and the way this had been compiled, noting that:

And continuing:

As for the evidence gathering process for JS1, Mr Stevens explained:

Having identified who had had sight of the data at each stage of the process, Mr Stevens continued:

Mr Stevens then went on to provide an explanation for each field used in the JS1 spreadsheet. Relevantly (given the way in which the claimants’ cases have developed before me), he addressed the use of the claimants’ names as follows:

Addressing the question of proportionality, Mr Stevens recounted how an earlier, smaller, similar fact exercise had been carried out, with the resulting statistical data having then been provided to Ersan, which had led to an application for disclosure of each document used to compile the statistical evidence. As Mr Stevens explained:

The debarring applications in five of the Ersan claims were listed before HHJ Backhouse on 5 October 2021, at which stage the claimants’ interests were represented by a different leading counsel, Mr Coppel QC, acting alone. At that stage, the case for the Ersan claimants was advanced solely on the basis that JS1 amounted to quasi-expert evidence that was inadmissible and/or unreliable; arguments relating to breaches of data protection rights were not pursued, Mr Coppel explaining:

HHJ Blackhouse dismissed the application to debar, essentially on the basis that JS1 constituted admissible similar fact evidence and any issues concerning reliability would be a matter for the trial judge. Recording that reliance was no longer placed on any alleged breach of data protection legislation, HHJ Backhouse observed:

A subsequent appeal against HHJ Backhouse’s decision was dismissed by Freedman J in a judgment handed down on 21 November 2022 ( Kerseviciene v Mide Quadri and anor and four other appeals [2022] EWHC 2951 (KB)). Although expressing reservations as to the probative value of JS1, Freedman J accepted that the defendant insurers in the county court proceedings were entitled to run a case relying on what was essentially similar fact evidence, seeking to derive patterns from a much larger body of evidence. There was no attempt to reinstate the data protection points before Freedman J.

As well as seeking to debar reliance on JS1 in the County Court proceedings, in or around September 2021, Ersan had raised complaints with the Information Commissioner’s office (“ICO”) regarding JS1, which had been further escalated during the course of November 2021. On 5 January 2022, the ICO had responded, stating that no evidence had been identified that demonstrated that the defendant had breached the requirements of data protection legislation.

Returning to the County Court claims, those proceedings had been stayed pending determination of the appeal; at a hearing before HHJ Backhouse on 20-21 March 2023, the stay was lifted, various applications addressed, and directions given for future case management of the claims.

For the claimants, an application had been made for disclosure of the information relied on in the creation of JS1. That was refused, on the basis that the information in question was already in the possession of Ersan (JS1 having been drawn up by reference to documents previously disclosed by the claimants); it was, however, noted, that:

This pseudonymisation of the names referenced in JS1 was recorded in HHJ Backhouse’s order from the 20-21 March 2023 hearing and a further version of JS1 was served on 31 March 2023, with the name of each individual replaced by Ersan’s reference number.

Addressing the practical question of how the evidence contained in JS1 would be adduced, HHJ Backhouse observed:

The assurance thus given to HHJ Backhouse was duly included as a recital to the order, in the following terms (“the Ersan undertaking”):

As for where matters now stand in relation to the Ersan claims before the County Court, I am told that the particular claims that were the subject of the appeal to the High Court have since been discontinued, although contentions as to fundamental dishonesty remain to be determined. More generally, Ersan claims have now been reserved to HHJ Saunders, who, by order of 26 October 2023, directed that they are to progress via a lead claimant, with the other claims being stayed; the plea of fundamental dishonesty advanced by the insurers will thus be tried as part of that lead claim. JS1 and JS2 will be relied upon, albeit that names have been replaced by Ersan reference numbers in the dataset exhibited to JS1. Mr Stevens will attend trial for questioning and submissions as to the cogency of JS1 and its implications for the RTA claims can thus be tested as part of the lead claim.

On 29 July 2024, an application was, however, made for the lead claim to be stayed pending determination of the claimants’ claims before the High Court (the claims before me). That application was refused pursuant to an order of HHJ Bloom dated 17 October 2024. An appeal was lodged on the basis (relevantly) that HHJ Bloom had erred in law in finding the lead claimant was in any way bound or affected by the undertaking recorded in the order from the hearing on 20-21 March 2023. In refusing the application for permission to appeal, by order of 17 March 2025, Constable J reasoned as follows:

For completeness, I also note that an application was made in the County Court proceedings for HHJ Saunders to recuse himself from hearing the Ersan claims. That application was refused on 6 June 2024, and permission to appeal was refused on 16 August 2024 by Farby J, who certified the application as being totally without merit.

In or around mid-September 2023, Ersan sent letters before action to the defendant on behalf some 372 potential claimants (including the current claimants), which complained of JS1 as a serious data breach. This again included an objection that the named claimants had not been pseudonymised. The current proceedings were issued on 23 October 2023 (initially under CPR Part 8, but transferred to Part 7 by order of Nicklin J on 16 November 2023). On 21 December 2023, the claims of all but C1, C2 and C3 were discontinued. The particulars of claim were amended on 24 October 2024, and an amended defence (the original being dated 29 January 2024) was served on 4 December 2024.

At a hearing on 11 March 2025, I determined various applications relating to disclosure and to the statement of Mr Gadd (witness for the claimants); I also allowed an application to re-amend the defence. My order and judgment of 1 April 2025 set out my decisions in these respects.

At the trial of the claims, I was presented with documentary evidence in an agreed bundle of some 2,310 pages, together with two supplemental bundles (one from the claimants of 96 pages; one from the defendant of 67 pages). I was also provided with an agreed authorities bundle, which comprised two lever arch files. In support of the claims, each of the claimants gave evidence, as did Mr Christopher Gadd, a consultant solicitor. For its part, the defendant called Mr Michael Henman, a solicitor and a partner at the defendant firm.

Each of the claimants testified that, when the data set attached to JS1 had been drawn to their attention (I understand that this would have been by Ersan), they had been very concerned about what they saw as a serious data breach, which they did not see as mitigated by the fact that they were each just one of some 372 named individuals on the spreadsheet. Acknowledging that they had themselves brought (or threatened) personal injury claims (albeit C2 was a child and so acted through his father, C3), and had chosen to pursue the current proceedings, the claimants considered their personal data should only have been used for the purpose of their own claim/s (or, in C2’s case, potential claim); if they had known that the insurers would seek to rely on JS1, they would have tried to stop that. Each claimant was asked whether Ersan was supporting these claims financially; none admitted this was the case, but equally none was prepared to explain how the case was being funded or who had paid the earlier costs orders, with reference being made only to there being “ an arrangement ” with Ersan, which none of the claimants was willing to detail.

C1 and C3 gave evidence through a Turkish interpreter. It was put to C1 that, in thus using an interpreter (and otherwise speaking in Turkish), she was giving an inaccurate impression to the court as her LinkedIn profile showed that she was a certified translator and qualified teacher in English as a second language (“ESL”), with a BA(Hons) degree from Anglia Ruskin University. C1 disputed that she was seeking to mislead the court, explaining that she did some voluntary ESL work at a basic level for refugees, and she had not wanted to be misunderstood in court. C1 accepted that she had an on-going personal injury case in which the defendant had alleged fundamental dishonesty; she did not feel, however, that this justified the use of her data in other cases. C1 explained that Ersan had told her that her data had been used but that she had herself determined to pursue this litigation. As for C3, he could not recall whether he had seen the spreadsheet in Turkish but said it had been read to him in Turkish, although he could not remember when that was; in any event, he said he was particularly distressed because his son’s (C2’s) data was included. C2 gave evidence in English, explaining he had been acting in his own name (making his own decisions in the litigation) since he turned 18, in May 2024.

In his statement, Mr Gadd was described as a consultant solicitor at Ersan; asked (by Mr Hopkins) why this was not recorded by the Law Society, Mr Gadd said he had consultancies at a number of firms and may have failed to keep the Law Society record up to date. He further explained that his consultancy at Ersan had started in November/December 2024, and was for a discrete purpose, namely to provide a witness statement in these proceedings. As he had no prior involvement in the matters to which these claims related, Mr Gadd acknowledged that he was giving evidence about something of which he had no knowledge other than that he had been told or shown by others. Asked why he was giving evidence at all, Mr Gadd responded: “ I don’t know, I was asked to do so; I was paid to do so ”.

For the defendant, Mr Henman had provided a statement to address a small number of discrete points: (1) his check of the defendant’s records had shown that insurer consent had been obtained for the processing of data for the purposes of JS1; (2) the personal data contained within JS1 had only been disclosed by the defendant to Ersan and to the courts dealing with the relevant claims; (3) in February 2022, the General Medical Council (“GMC”) had initially made a request to the defendant for certain data relating to JS1 but this was not pursued and the defendant did not disclose the data in question; (4) in April 2021, the defendant had provided certain data relating to the Ersan claimants to the Insurance Fraud Bureau (“IFB”), at the IFB’s request, but that had not included the personal data of C1, C2 or C3. The defendant also adduced in evidence a print-out of the privacy notice that was on its website at the time JS1 was composed. This provides detailed information as to the personal data collected and received by the defendant, and how that is obtained, stored and used. For those who are “ an opposing party ”, it is explained that the defendant may “ use your personal information in order to perform services for our clients ” and that elements of that information “ may be shared with or disclosed to third parties as part of our work in relation to that matter ”.

In these proceedings, the claimants’ claims are limited to declaratory relief and compliance orders; no compensation is sought. As pleaded, the claimants’ positive case identified the following breaches of the UK GDPR: (1) under article 5: none of the processing involved in JS1 was lawful, fair or transparent (article 5(1)(a)), it constituted further processing in a manner incompatible with the specified, explicit and legitimate purpose relied on (defending the claimants’ claims) (article 5(1)(b), it violated the data minimisation principle (article 5(1)(c)), and, in relation to the claims of C2 and C3 (those claims having been concluded “ years before ” JS1), the defendant had no legitimate purpose in processing their personal data (article 5(1)(e)); under article 6: the defendant had not sought the consent of any of the claimants for the data processing involved in JS1; under article 9(1): the defendant had processed the claimants’ “ sensitive personal data ” (that is, data concerning the claimants’ health); under article 14: no personal data having been obtained directly from any of the claimants, the defendant had failed to provide the claimants with information as required under that provision; under article 17: the defendant had unlawfully retained and used the claimants’ personal data beyond the purpose for which it was collected (that is, the claimants’ own claims).

At the hearing, Mr Hanstock (who had not settled the pleadings), put the claimants’ case as centred on three propositions: (1) lack of necessity, specifically in the use of the claimants’ personal, and special category, data in County Court proceedings without pseudonymisation; (2) the limited value of the data in purported pursuit of the identified objective; and, on the basis of (1) and (2), (3) the unfairness of, and lack of transparency in, the processing. The claimants’ case related to the entirety of the processing involved in JS1 (as explained in JS2), and engaged article 5(1)(a)(c) and (e), article 6 (relevant to lawfulness), article 9 (offending the prohibition on the processing of special category data), and articles 14, 17, and 25. In submissions, Mr Hanstock’s focus was on the defendant’s failure to pseudonymise the claimants in JS1, stating that the objection in this regard was to the provision of JS1 to Ersan, to the court and to the other claimants in the County Court proceedings. The claimants thus sought a declaration of unlawfulness/breach of the UK GDPR in relation to the use of their names in JS1, and a compliance order such that JS1 could only be used with their names redacted.

Addressing the question of necessity, even if desirable to use the claimants’ names, that was not enough: the test was objective, requiring a proportionality assessment, having regard to the parties’ resources, the availability of less intrusive alternatives (here, pseudonymisation, as had subsequently occurred), and remoteness. It was the claimants’ case that JS1 was of so little probative value (see Freedman J’s observations in Kerseviciene ) that the processing was not in fact necessary.

These were, moreover, points that also went to the question of fairness: even if reasonably necessary, the use of the claimants’ names (at least by the time JS1 was disseminated to Ersan, the County Court, and the other claimants) was unfair. The data involved in JS1 was important to the claimants, and included special category data, including that of a child (C2). The defendant’s object was to use the data to pursue allegations of fraud; as such, it was obviously reputationally damaging. Moreover, the claimants had raised their objections, in their letters of 2021 and in the letters before action in 2023, expressly identifying pseudonymisation as a less intrusive means of processing the data. Those letters amounted to requests for erasure of personal data (including by means of pseudonymisation) for the purposes of article 17.

Allied to this point, although similarly requiring separate consideration, was the question of transparency. This was also expressly (and separately) engaged by article 14, and the obligations to which that gave rise (given no personal data had been obtained directly from the claimants). In this regard, it was no answer for the defendant to rely on the privacy notice on its website: (i) the evidence did not establish that the notice was in place prior to 2020; (ii) the claimants could not reasonably have been expected to have known to look at the defendant’s website (in particular given that C2 was then a child and his case had been settled directly with the insurer); (iii) even if the claimants’ involvement in (proposed) County Court proceedings ought to have put them on notice as to some processing of their personal data, the extent of JS1 went beyond what might reasonably have been expected.

On the question of abuse (raised by the defendant), this was not a case that properly fell within Henderson v Henderson ( Henderson v Henderson (1843) 3 Hare 100): (i) none of the prior claims in which UK GDPR rights were raised as a bar to the admissibility of JS1 concerned C1, C2 or C3; (ii) the Ersan undertaking arose in proceedings that did not involve C1, C2 or C3, and did not apply to them; (iii) neither the earlier determination (on admissibility) nor the Ersan undertaking took effect in rem ; (iv) the earlier determination did not render the GDPR issues in this claim res judicata . Abuse of process was not properly before the court at this stage (at most, it could only have relevance to costs). In any event, claimants had given evidence as to why they were pursuing these claims, rejecting the suggestion this was at the bidding of Ersan; Ersan’s motive thus had no relevance to these claims.

The defendant did not dispute that, for relevant purposes, it was a data controller, liable for the acts and omissions of Mr Stevens, and, in processing personal data, was subject to the duties provided by the UK GDPR. It further accepted that, in the compilation of JS1, it had processed the claimants’ personal data – including special category data (relating to the claimants’ health) - and had not sought their consent. The defendant disputed, however, that it thereby acted in breach of the UK GDPR. Specifically, it contended: (i) pursuant to article 6(1)(c) (by virtue of the defendant’s duties to the court) and (e) (furthering of the administration of justice in the public interest), the processing was reasonably necessary for the performance of a task carried out in the public interest, namely the administration of justice; further/alternatively (ii) pursuant to article 6(1)(f), the processing of the claimants’ personal data as part of JS1 was reasonably necessary for the purposes of the legitimate interests of the insurers and of the defendant (acting for the insurers) in defending the Ersan claims, which were not outweighed by any interests, rights or freedoms of the claimants, not least because (a) by bringing/threatening their claims, they should reasonably have expected that their personal data would be used by the defendant and put before the courts in open proceedings, and (b) they did not allege that they suffered any compensable damage or distress as a result of the processing of which they complained.

As for the current iteration of the claimants’ case, this had shifted ground: the focus was now on the question of the necessity of using the claimants’ names without pseudonymisation (not expressly pleaded or requested as part of the claim for declaratory relief). To the extent it was open to the claimants to now advance this case, it went nowhere: (i) the probative value of JS1 was to be tested in the County Court proceedings (the County Court and (on appeal) the High Court having accepted it was sufficiently reliable to be admissible); (ii) there was a clear evidential justification for each element of the data that went into JS1 (see JS2), which explained why it had been reasonably necessary to include the claimants’ names when creating JS1 and when providing this to Ersan and the court (further disclosure to individual claimants was by Ersan); (iii) the article 9(1) prohibition against special category data processing did not apply given JS1 was necessary for the establishment, exercise or defence of legal claims (see article 9(2)(f)); (iv) more generally, reasonable necessity did not mean “strictly” necessary, but allowed for a range of reasonable responses, and the data processing in JS1 met the proportionality test; (v) it could not be said that, in bringing legal claims against insurers, the claimants should not reasonably have expected the data they disclosed would not be probed and analysed in this way; (vi) there could be no objection to the data in JS1 being disclosed to the County Court and Ersan; (vii) had pseudonymisation been the claimants’ real objective, this could have been achieved without litigation - the defendant had agreed to this when the County Court proceedings resumed in March 2023, sending the pseudonymised spreadsheet to Ersan on 31 March 2023, before these proceedings commenced; (viii) more generally, given they were willing to put their personal data (including special category data) into open court in their (proposed) County Court claims and/or in the present proceedings, the claimants’ evidence as to their upset was properly to be described as confected.

The complaints regarding fairness and transparency added nothing: (i) the defendant was entitled to rely on the privacy notice on its website (no complaint was made in respect as to the content of that notice), but, in any event, the investigation of data provided in legal proceedings was to be expected; (ii) it would not have been proportionate for the defendant to contact each (potential) Ersan claimant with its privacy notice; (iii) there had been no valid request under article 17, which, in any event, did not apply to processing necessary for the establishment, exercise or defence of legal claims (article 17(3)(e)); (iv) more generally, articles 14 and 17, and corresponding provisions within article 5, were subject to the like exemption at paragraph 5(1)(c) of Schedule 2 to the Data Protection Act 2018; (v) there was generally no unfairness in putting arguments on a client’s instructions (see the unreported judgment of the Deputy Master in claim KB-2023-001056 Dowding v Laddie (23 October 2023)).

Otherwise, while accepting that the claimants’ claims strictly fell outside the rule in Henderson v Henderson , the defendant contended that these proceedings were an abuse, amounting to an attempt by Ersan to use the claimants’ UK GDPR rights: (i) to relitigate issues raised but not pursued in other proceedings; and/or (ii) to collaterally circumvent the outcome of those other proceedings, and/or (iii) to circumvent the Ersan undertaking. Had the three claimants been party to the proceedings before HHJ Backhouse, these claims would undoubtedly fall to be struck out on a Henderson v Henderson basis. This litigation was an attempt by Ersan to achieve the same end (the undermining of the defendant’s, and its insurer clients’, ability to rely on JS1) via a different claim between different parties. Even if not an immediate answer to the claims, this would be relevant to any remedy and/or costs.

The UK GDPR, as supplemented by Part 2 of the Data Protection Act 2018 (“DPA 2018”):

See article 1 UK GDPR.

Having regard to the recitals to the UK GDPR (albeit taking into account the guidance provided in R(M) v Chief Constable of Sussex Police [2021] EWCA Civ 42 at [87]), I note the balance that is to be struck between the protection of data rights and other fundamental rights, as provided by recital (4):

“ Personal data ” is that which is referable to an identified or identifiable natural person (“data subject”): article 4(1) UK GDPR. A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data is a “ controller ” for the purposes of the UK GDPR: article 4(7).

Those who process or control the processing of personal data must do so compatibly with the rules laid down by the UK GDPR, which set the standard for processing by reference to six principles as set out at article 5 of the UK GDPR, relevantly as follows:

As for what “ processing ” is “ lawful ”, that is made clear by article 6, which provides (again, so far as relevant for present purposes):

The lawfulness of processing is also addressed by at section 2 DPA 2018, where, in relation to article 6(1)(e), it is explained that this will include processing of public data that is necessary for (relevantly): “(a) the administration of justice ”.

Article 9 of the UK GDPR identifies “ special categories ” of personal data as necessitating heightened protection; this includes “ data concerning health ” (article 9(1)), which is defined as meaning “ data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status ” (article 4(15)). As acknowledged by recital (51) to the UK GDPR:

The heightened protection afforded to special category personal data takes effect by a prohibition on the processing of such data (article 9(1)) except where, and to the extent that, a lawful processing condition under article 9(2) applies. Relevantly, such conditions include:

Under Chapter III UK GDPR, specific provision is made for particular “ rights of the data subject ”. The claimants in the present proceedings place reliance on articles 14 (right to information) and 17 (right to erasure).

Article 14 applies where (as here) personal data has been obtained other than from the data subject themselves. The right to be informed includes being told of the purpose of any intended processing, the legal basis for that processing, and any legitimate interest relied on; it also provides for an obligation to inform the data subject of their right to object to the processing (and article 21 provides for an express right to object). The rights provided by article 14(1)-(4) will not apply, however, where the obligation to information about intended data processing would be likely to render impossible, or seriously impair the achievement of the objectives of that processing; in such cases, the controller is required to take “ appropriate measures to protect the data subject’s rights and freedoms and legitimate interests ” (article 14(5)(b)). Article 14 is also to be read subject to the exemptions provided under schedule 2 DPA 2018 (see further below).

Article 17 provides a right to erasure, sometimes referred to as a “ right to be forgotten ”. The right is to request erasure of personal data where (relevantly):

By article 17(3), however, it is made clear that this right:

More generally, paragraph (5) of schedule 2 to the DPA 2018, provides that the “ listed GDPR provisions ” will not apply to personal data where disclosure of the data:

The “ listed GDPR provisions ” are those set out in paragraph 1 of the schedule, and include (relevantly) articles 14 and 17, and article 5, so far as it provisions corresponds to rights and obligations provided in articles 13-21, and to the article 5(1)(a) requirement of lawful, fair and transparent processing (other than the lawfulness requirements provided by article 6) and to the purpose limitation thereunder.

Under Chapter IV, the UK GDPR sets out obligations on data controllers and processors. In the current proceedings, the claimants place reliance on article 25, which provides (more relevantly):

The reference to “ pseudonymisation ” has a specific legislative definition under the UK GDPR, as provided by article 4(5), as follows:

Unlike anonymised data, pseudonymised data thus remains personal data (the data subject will be indirectly identifiable), but pseudonymisation can reduce the risks to the data subjects concerned (see recital (28) UK GDPR) and should be done “ as soon as possible ” (recital (78). Practical guidance in relation to the pseudonymisation of personal data is provided by the ICO.

The first processing principle, as provided by article 5(1) UK GDPR, is that personal data shall be processed “ lawfully, fairly and in a transparent manner ” (article 5(1)(a)).

Data will be processed “ lawfully ” if, and to the extent that, at least one of the six bases provided by article 6 applies. This is not a case where it is suggested that the claimants gave their consent to the processing in question; reliance is, however, placed on sub-paragraphs (c), (e), and/or (f).

In understanding what is required to establish a legal obligation for the purpose of article 6(1)(c), or a task carried out in the public interest or the exercise of official authority under article 6(1)(e), recital (45) provides assistance: the processing should have a basis in domestic law, although it need not be pursuant to a specific legislative provision. The legal obligation to comply with the duty of candour has been recognised as falling within this provision ( Dixon v North Bristol NHS [2022] EWHC 3127 at [104]); similarly, I would accept (and it has not seriously been disputed) that these are provisions that would also apply to a solicitor’s overriding obligation to act on their client’s instructions and to protect their best interests (Solicitors Regulation Authority Code of Conduct for Solicitors etc (“SRA Code”) at [3.1]), and, as an officer of the court, to draw the court’s attention to procedural irregularities which are likely to have a material effect on the outcome of proceedings (and, thus, the administration of justice) (SRA Code at [2.7]).

As for what might constitute a “ legitimate interest ” for the purpose of article 6(1)(f), the UK GDPR does not seek to limit what might properly to be considered under this provision and a wide range of interests is, in principle, capable of being regarded as legitimate (see UF v Land Hessen (Joined Cases C-26/22 and C-64/22 [2024] 3 CMLR 4 at [76]; Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Personnsgegevens (Case C-621/22) [2025] 4 WLR 7 at [38]). That said, the establishment of a legitimate interest is only the first step; the question will then arise as to whether the processing was necessary for the purpose of pursuing that interest, and, if so, whether it was proportionate – a condition arising from the condition of necessity and the express requirement to evaluate whether the interests relied on are not overridden by the interests or fundamental rights and freedoms of the data subject (see further below).

Turning to the requirements of fairness and transparency, these are distinct, albeit overlapping, considerations. By recital (39) UK GDPR, it is emphasised that:

Whilst not a statutory code (and thus having no special status), the ICO’s Guide to the UK GDPR identifies potentially relevant factors going to the question of fairness, as follows: (i) how the data was obtained (whether anyone was deceived or misled); (ii) how the processing of the data concerned affects the interests of the data subjects, either as a group or individually; (iii) whether the processing has given rise to an unjustified detriment; (iv) how the data subjects concerned have been treated when seeking to exercise their data protection rights.

What is required for personal data to be processed “ in a transparent manner ” for article 5(1) purposes is not expressly specified, although reference can be made to the provisions at article 12-14, which specifically address the question of transparency. Again, recital (39) assists, providing that:

It is, however, apparent that information relating to the processing of personal data can be provided by way of a general communication, including a privacy notice on a website (see recital (58) and, by way of example, Information Commissioner v Experian Ltd [2024] UKUT 105 (AAC) at [137] and [164]).

The second processing principle under article 5(1) UK GDPR requires that personal data shall be “ collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes ” (article 5(1)(b)). As part of the transparency obligation under article 14(1)(c) a controller must inform a data subject of the purposes of the intended processing.

In assessing whether a subsequent purpose is “ incompatible ” with the original purposes, assistance is provided by recital (50), which identifies the following factors as potentially relevant: (i) the links between the purposes; (ii) the context in which the data was collected; (iii) the reasonable expectations of the data subjects about the use of their data; (iv) the nature of the data; and (v) the consequences of the intended further processing and the existence of safeguards for the data subjects.

As already observed, however, by virtue of paragraph (5) of Schedule 2 to the DPA 2018, the purpose limitation will not apply to personal data where disclosure of the data “ is otherwise necessary for the purposes of establishing, exercising or defending legal rights ” and the application of the limitation would prevent the controller making the disclosure.

The third, fifth and sixth processing principles under article 5(1) give rise to requirements of “ data minimisation ” (article 5(1)(c)), “ storage limitation ” (article 5(1)(e)) and “ integrity and confidentiality ” (article 5(1)(f)). These can be seen (both individually and collectively) as giving expression to the requirement of proportionality: the processing of personal data should be limited to that which is “ necessary ” in relation to the purpose of that processing, kept in a form which permits identification of that data subject/s for no longer than is “ necessary ”, and processed in a manner that ensures appropriate security. I address the question of necessity below, but there is a potential relevance to these principles of concepts of anonymisation and pseudonymisation. The former will mean that the data subject is no longer identifiable and, as such, the data is no longer “ personal data ” ( per article 4(1)), which would thus limit the processing. Where that is not possible, pseudonymisation might provide appropriate security of the personal data (the reduction of risks referenced by recital (28)).

As will be apparent from the recitation of the various provisions of the UK GDPR and DPA 2018 above, the necessity of the particular processing will often be key to determining whether there has been a relevant breach of personal data protections. Thus, in the present case, questions arise as to whether the processing involved in JS1 was limited to what was “ necessary ” for the purpose of the data minimisation requirements or storage limitation requirements of article 5(1); whether it was “ necessary ” for the obligation, task or purpose relied on under article 6(1)(c), (e) (as further clarified by section 2 DPA 2018) or (f); whether, in respect of information relating to the claimants’ health, that processing was “ necessary ” to the establishment, exercise or defence of legal claims, as provided by article 9(2)(f); and, similarly, whether it was “ necessary ” for the purposes identified under article 17(3) and/or paragraph 5 of Schedule 2 to the DPA 2018.

As is common ground between the parties, what is “ necessary ” in each of these respects is to be understood as meaning “ more than desirable but less than indispensable or absolutely necessary ”: Cooper v National Crime Agency [2019] EWCA Civ 16 at [89]-[90]. This imports a proportionality approach, which is familiar in the balancing of potentially conflicting rights and expressly acknowledged in recital (4) of the UK GDPR (and see the observations of Baroness Hale in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 at [25]-[27]).

More specifically, where a controller contends that processing was necessary for the purpose of a legitimate interest, pursuant to article 6(1)(f) UK GDPR, a three-fold test arises: the court will need to be satisfied not only (i) that the controller was indeed pursuing a legitimate interest, and (ii) that the personal data was processed for that purpose, but also (iii) that the interests or fundamental freedoms of the data subject did not take precedence over that legitimate interest, something that will require consideration of the reasonable expectations of the data subject as well as the scale of the processing and its impact on that person (see the observations of the Court of Justice in Meta Platforms Inc (Case C-252/21) [2023] 5 CMLR 22 at [106]-[110] and Koninklijke Nederlandse at [37]-[45] and [54]).

In any data protection claim, paragraph 9 of Practice Direction 53B (Media and Communications Claims) requires that the claimant must specify in the particulars of claim: (1) the legislation and the provision the claimant alleges the defendant has breached; (2) any specific data or acts of processing to which the claim relates; (3) the specific acts or omissions said to amount to such a breach, and the claimant’s grounds for that allegation; and (4) the remedies which the claimant seeks.

The claimants’ case as pleaded was wide-ranging, albeit with a focus on the purpose for which the processing had been undertaken. By the time of the hearing, the claimants’ arguments had crystallised down, essentially focusing on the absence of pseudonymisation in JS1. Responding to the objection that this had not been pleaded, Mr Hanstock contended that it was encompassed within the complaints formulated under articles 5, 9, 14 and 17, arguing that this was relevant to arguments on necessity and proportionality, fairness and transparency, to whether the processing complied with the purpose limitation principle, and in assessing compliance with the principles of data minimisation, storage limitation, and integrity and confidentiality.

Accepting that the issue of pseudonymisation may well be relevant to an assessment of compliance with the data processing principles identified at article 5(1), and to questions of compliance with other provisions of the UK GDPR, I cannot see that the case now put on behalf of the claimants was clearly foreshadowed in the pleadings. Contrary to the requirements of Practice Direction 53B, the failure to pseudonymise was not specifically identified as an omission that had given rise to the UK GDPR breaches of which the claimants complained. While it is understandable that pseudonymisation was not sought as a remedy (by the time these proceedings commenced that had already occurred), if this was to be relied on as a basis for the claims, that ought properly to have been pleaded.

Although objecting to the way in which the claimants’ case has thus developed, the defendant did not seek to suggest that it was prejudiced in now dealing with the issues identified. I have therefore proceeded to consider the claims on the basis on which these have been presented to me at trial.

Before going on to consider the legal questions that arise, it is helpful to first be clear as to the factual basis for these claims.

There is no dispute that, by means of JS1, the defendant processed the personal data of the claimants, including special category data, without first obtaining their consent. Equally, however, it is apparent that the defendant undertook that processing on the instructions of its clients, which were insurer defendants to claims, or threatened claims, made by a number of claimants, including C1, C2 and C3. Those instructions arose from concerns as to the way in which a large number of claims, represented by the same firm of solicitors (Ersan) and generally using the same medical experts, were being pursued; specifically, there were a very high number of claims of lengthy psychological injury, which raised suspicions of exaggeration and possibly fraud. Although the claims of C2 and C3 had been compromised prior to JS1, and the formal proceedings in C1’s case were only issued subsequently, the claim notification forms received from Ersan had made clear that they were seeking to pursue personal injury proceedings relating to road traffic accidents falling within the period under review (22 February 2016 to 1 March 2021), and the information in the claimants’ claim notification forms was thus included in the JS1 dataset (whether or not individual claims raised the particular issues that had given rise to the defendant insurers’ concerns, it was obviously necessary to include all claims/potential claims falling within the relevant time period; indeed, not to do so would (rightly) have been open to the criticism that the defendant had been improperly selective in creating the data pool).

The purpose of the JS1 data processing has thus been clear throughout: given the concerns that had arisen in relation to the Ersan claims, this evidence, taken from some 372 claims or threatened claims, was to be used in support of applications by insurer defendants in the County Court proceedings for the dismissal of claims on grounds of fundamental dishonesty pursuant to section 57 Criminal Justice and Courts Act 2015. There is no dispute that this can be an entirely proper application to make in personal injury proceedings (indeed, the importance to the administration of justice of combatting exaggerated and/or fraudulent claims has been recognised in numerous cases; see the observations made in Liverpool Victoria Insurance Co Ltd v Zafar [2019] EWCA Civ 392 at [47]-[50]) and it would clearly be open to a defendant to rely on similar fact evidence – information drawn from a much larger body of evidence to demonstrate a particular pattern of conduct - in seeking to establish what is said to be an exaggeration or fraud in an individual claim (see O’Brien v Chief Constable of South Wales Police [2005] UKHL 26 at [4]-[5], and (relating to the current proceedings) Kerseviciene v Quadri [2022] EWHC 2952 (KB) at [35]). As for the individual claimants: fundamental dishonesty is expressly pleaded in the defence to C1’s claim; the information provided in respect of the claims/proposed claims of C2 and C3 is simply part of the overall dataset comprising the evidential base for JS1.

Thus identifying why the defendant undertook this data processing, I am satisfied that this was for a specified, explicit and legitimate purpose, carried out in performance of the defendant’s professional (and regulatory) obligations to its clients, for the public interest task of ensuring the proper administration of justice, and for the purpose of the legitimate interests of the defendant’s clients.

It is also helpful at this preliminary stage to be clear as to the extent of the processing involved in JS1, which is explained in some detail in JS2. There is no issue with the initial sharing of data between the defendant and individual insurers as defendants/potential defendants to the notified claims (that would be an inevitable part of the giving/taking of instructions in litigation involving insurer clients); the dispute relates to the use of data drawn from a large number of claims in the creation of JS1. Although the claimants initially had concerns that this data set had been shared with the different insurers and with other third parties, such as the IFB and the GMC, I accept the evidence of Mr Henman that this was not the case: other than the limited number of individuals within the defendant who were involved in the data processing or who otherwise had a reason for seeing/overseeing JS1, the only disclosure of that data by the defendant was to Ersan and to the relevant courts. I return below to the specific complaints made in respect of the processing in this case, but it is relevant to note that, on the evidence, the further disclosure of this data to other individual claimants or potential claimants (that is, to all those listed in the spreadsheet which formed part of JS1) was by Ersan, not the defendant.

As for the claimants’ particular objections, I am prepared to accept that each of the claimants is genuinely aggrieved that their personal data – in particular their names and details of medical referrals – has appeared on a spreadsheet which is intended to be used in court proceedings other than their own. There is, however, a question as to the extent of that grievance and as to whether it can be said to be justified or reasonable. Again, these are points to which I return below. At this stage, however, it is necessary to address some of the particular issues arising from the evidence given by, and on behalf of, the claimants.

Although I am prepared to accept that C1 may have used a translator when giving evidence because she lacked confidence using English (not her mother tongue) in court proceedings, given that she chose to communicate with the court solely in Turkish, had the defendant not investigated the position, I would have been unaware that she had a degree from an English university, was ESL qualified, and held herself out as an ESL teacher. These are matters that could have been volunteered by C1, explaining why she nevertheless preferred to give her evidence through an interpreter; the fact that she did not do so gives the impression that C1 was not necessarily fully open in her testimony. As for the substance of C1’s evidence, given that the question of fundamental dishonesty has been expressly raised as an issue in her on-going personal injury claim, I am unable to see any reasonable basis for her objection to the disclosure of her personal data, in the form of JS1, to either Ersan (C1’s own solicitors, and the original source of the data from the defendant’s point of view) or the court. To some extent, C1 acknowledged this in her evidence, focusing on the fact that “ other people ” – referring to others in the Turkish/Kurdish community in this country who were also listed on the JS1 spreadsheet – would have been able to see her sensitive data, albeit apparently not understanding that it would not have been the defendant that disclosed JS1 to those “ other people ”.

C2 and C3’s evidence focused on the fact that they had believed their claims had been resolved and they did not see why their personal data, in particular given that it related to C2 when he was a child and (in both cases) included otherwise private medical information, should be used in cases involving other claimants. All three claimants were clear that they were not simply bringing these proceedings to assist Ersan, but equally all three were reluctant to explain how the claims were being funded, suggesting only that there was an arrangement in place with Ersan in this regard. Accepting, as I do, that the three claimants each have some sense of grievance about the processing of their data in JS1, I am nevertheless left with a question as to whether that grievance has been encouraged in some way.

Turning then to the evidence of Mr Gadd, it is hard to do other than accept the defendant’s description of his evidence (in closing submissions) as extraordinary. Mr Gadd was unable to explain why he was giving evidence in these proceedings other than the fact that he was being paid to do so. That was a remarkable admission, in particular given the earlier dispute relating to his statement and the questions that had been raised regarding his status as a witness (issues addressed in my judgment of 1 April 2025). Moreover, given that the defendant has at all times made clear its view that these claims are an abuse, motivated by Ersan’s wish to undermine reliance on JS1 in the remaining claims before the County Court, the only sensible inference would seem to be that Mr Gadd was advanced as a witness to avoid having to call someone from Ersan with direct involvement in the conduct of these proceedings.

As I have already indicated, identifying why the defendant undertook the data processing involved in JS1 establishes a prima facie lawful basis for that processing. Accepting that the claimants had not given their consent to the processing in question (although they had disclosed their personal data when intimating their intention to pursue a personal injury claim, there is no suggestion that they had done anything more than agree to the processing of that data in relation to their own claims), I am satisfied that the defendant has established that it was acting in compliance with its obligation to act on its clients’ instructions and in its clients’ best interests (article 6(1)(c)), that it was thereby acting in the public interest in ensuring the proper administration of justice (article 6(1)(e)), and that the processing was for the purposes of the legitimate interests of the defendant’s clients (article 6(1)(f)).

To a large extent, having regard to how the claimants’ case has developed, there is no real dispute in relation to these points. The more significant question, as identified by the claimants, is whether the processing was limited to that which was necessary. At the heart of the claimants’ complaint at trial is their contention that, absent pseudonymisation, the processing could not be said to be “ necessary ” for any of the purposes identified, and that, in particular given the weak evidential value of JS1, it was not proportionate given their interests and fundamental rights and freedoms.

Turning then to the way the case is put on necessity and proportionality, accepting that it was necessary to carry out the data analysis involved in JS1 for the purposes identified (a legal obligation; the public interest in the administration of justice; the legitimate interests of the defendant’s clients), the claimants contend that there was, however, no necessity in the use of their names: the information (which included information of a personal and sensitive nature) could have been presented in pseudonymised form, which could have been used in the County Court proceedings – thus meeting the objectives identified by the defendant – without breaching their right to privacy (a fundamental right under article 8 of the European Convention of Human Rights (“ECHR”)) and, more generally, their interest in not adding to the numbers of those aware of information disclosed in their claim notification forms. The claimants further say that intimating an intention to bring a County Court claim, and even commencing proceedings, does not give rise to a reasonable expectation that the personal data thereby disclosed will be used in other claims (to which the claimants are not themselves parties) and for a different purpose. To the extent the defendant’s privacy notice warned of such a possibility, each of the claimants says they were unaware of this: they had not thought to look at the defendant’s website and C2’s claim had been settled sufficiently early that dealings had still been with the insurer.

In order to determine whether the processing in this case – specifically, the use of the claimants’ names – was “ necessary ”, the first question must be why was this done? The answer to that is provided in JS2 at [52], where Mr Stevens explained how he was unable to simply use the defendant’s case management system, which references accidents not individuals (as many accidents will give rise to multiple claims from those present, this would impact on the clarity and reliability of the data), nor could he use initials or even just surnames (inevitably those involved in a road traffic accident may well be members of the same family, who had been travelling together, and who will often share names). Moreover, having reflected on Ersan’s reaction to an earlier, smaller, similar fact exercise (see JS2 at [58]), Mr Stevens considered that requests would inevitably be made for further clarification and for copies of all source material if he attempted to summarise the information. Given that he would be providing the data to solicitors who had been instructed to act for all those named within the spreadsheet attached to JS1, and who had thus already had the information in question (Ersan’s own claim notification forms having been the defendant’s source for JS1), Mr Stevens took the view that this was a necessary and proportionate means of processing the data. Accepting that another way of processing the information – pseudonymising names by using Ersan’s client reference numbers – was subsequently deployed, I do not consider that means that the original presentation of data was not “ necessary ” ( per Cooper v NCA ). Even if it could not be described as “ absolutely necessary ”, using individual names was not “ merely desirable ” but was required at that stage to meet the problems that Mr Stevens had identified (a point made good by the detailed criticisms then made by Ersan as to the reliability of JS1). After the information had been filed with the court and served on Ersan, it was possible to agree an alternative way of presenting the data; before that initial step, however, I am satisfied that the processing undertaken in JS1 was “ necessary ” for UK GDPR purposes.

Moreover, understanding “ necessary ” to require an assessment of proportionality, for the reasons explained in the paragraphs that follow, I am satisfied that the processing in issue was both necessary for the pursuit of the defendant’s legitimate objectives and that those objectives were not outweighed by the interests or fundamental freedoms of the claimants (questions that are expressly raised when considering whether the processing was necessary for the purposes of a legitimate interest, pursuant to article 6(1)(f)).

In thus assessing the question of proportionality, it is relevant that the processing in issue related to data that had been provided by the claimants with a view to commencing personal injury claims before the court. Given the primacy afforded to open justice in court proceedings, it would have been a reasonable expectation that the information in question – including special category data for article 9 purposes - would thus be disclosed in open court (certainly, there was no suggestion that anonymity orders were to be sought). Even if (as in C2’s case) the proposed claim was compromised before issue, each of the claimants would reasonably have expected the information they were seeking to rely on (including medical information relevant to the claims) to be disclosed to the lawyers acting for the insurers, and for that information to then be investigated and analysed, with a view to any potential defence. Had the claimants looked at the defendant’s website, this point would have been made express through its privacy notice; allowing, however, that not all individuals who bring claims against the defendant’s clients could reasonably be expected to take such a step, I still have to consider the question of proportionality in light of the fact that the data in question was disclosed by the claimants with a view to embarking on litigation in open court, with all that that implies.

It is also relevant for me to have regard to the scale of the processing in issue, and its impact on the claimants. Although the analysis that led to JS1 plainly involved a large number of individuals, all were claimants, or potential claimants, in (proposed) County Court proceedings, and they would have been aware that their data was to be disclosed to the defendant and (if proceedings were commenced) to the court. As for the defendant’s disclosure, that was very limited: JS1 was filed with the court and sent to Ersan. Although Ersan could reasonably be expected to then take instructions on JS1 and/or to inform its clients about it, that could have been done without the provision of all the names in the spreadsheet: Ersan could have redacted all information but for that relating to the particular client to whom it was being sent; I cannot see that the defendant can be held responsible for Ersan’s failure to take that obvious step.

For the claimants it is further contended that, to the extent the defendant’s processing of data was in pursuit of a lawful purpose falling within article 6, the unreliability of JS1 was such that the balancing exercise at the heart of the proportionality assessment (whether undertaken for article 6(1)(f) purposes or, more generally, through the prism of assessing necessity in this case) must weigh against the defendant. The difficulty with that submission is, however, that all attempts to debar reliance on JS1 on reliability grounds have failed, and Ersan have undertaken not to pursue further applications; whatever observations have been made as to the potential evidential difficulties relating to JS1, the defendant is entitled to rely on it in the County Court proceedings and it forms an important part of the plea of fundamental dishonesty that has been made in a number of those claims.

In these circumstances, given what the claimants might reasonably have expected to be the consequence of commencing (or threatening to commence) their personal injury claims, and balanced against the limited scope of the processing (disclosed by the defendant only to the court and to Ersan, and subsequently subject to pseudonymisation), I do not consider that the interests or fundamental freedoms of the claimants took precedence over the legitimate interest of the defendant’s insurer clients in putting the data contained within JS1 before the court to support pleas of fundamental dishonesty in the County Court proceedings.

In reaching this conclusion, I have taken into account that JS1 involved data relating to a child, C2, which is expressly identified as a relevant consideration for the purposes of article 6(1)(f), and that it further included data relating to the health of each of the claimants, thus engaging article 9 UK GDPR. Taking the latter point first, although article 9(1) prohibits the processing of such special category data, that prohibition is lifted where, and to the extent that, a lawful processing condition under article 9(2) applies; in the present case, given that the processing was necessary for the establishment of the plea of fundamental dishonesty, and thus for the defendant’s clients’ defence of legal claims, JS1 fell within the exception allowed by article 9(2)(f). As for C2’s position as a child, he was protected at the relevant time by the involvement of his father, C3, as his litigation friend, who had (on C2’s behalf) agreed to the notification of a proposed personal injury claim. In the circumstances, having regard to the matters I have already identified, I am both satisfied that JS1 was necessary for a lawful processing condition, as identified by article 9(2)(f), and that C2’s status as a child does not alter the balancing exercise under article 6(1)(f) in this case.

Having addressed the conditions relevant to the question of lawfulness under the first processing principle identified by article 5(1) UK GDPR, I turn to the questions of fairness and transparency. As Mr Hanstock observed in oral argument, while there is a considerable overlap between these factors and, indeed, those relevant to the question of lawfulness, these are distinct matters that must be the subject of separate, cumulative assessment.

As for whether the processing in this case was fair, I have kept in mind that this related to C2 as a child and, for each claimant, included special category personal data; I have proceeded on the basis that the data in question engaged the claimants’ article 8 ECHR rights, and have taken into account the likely disparity in resources between the claimants and the insurer clients of the defendants. Moreover, although not a statutory code, when assessing the issue of fairness, I have found it helpful to consider the questions identified in the ICO’s Guide to the UK GDPR.

Asking first how the data involved in JS1 was obtained, I do not consider this is a case where it can be said the claimants were deceived or misled by the defendant. Had they looked at the defendant’s website, they would have been advised of the potential use of their personal information in order to perform services for its clients, and that elements of that information might be disclosed to third parties. Even allowing that the claimants might reasonably not have taken that step, I am satisfied they would have been aware (albeit C2 would then have been acting through his father as his litigation friend) that information disclosed in (proposed) litigation would be the subject of scrutiny and investigation by the lawyers acting for the insurer defendants, and would be utilised in open court proceedings.

As for how the defendant’s processing of the data in question affected the claimants’ interests (either as a group or individually), given that the defendant only disclosed that data to the relevant courts and to the claimants’ own solicitors (or former solicitors), I cannot see that the impact on the interests of the claimants was more than minimal. Although the claimants have attested to having serious concerns about the inclusion of their data in JS1: (i) such concerns have to be seen in the context of the original disclosure of this data with a view to embarking upon person injury litigation in open court proceedings; (ii) in C1’s case, the data will be the subject of scrutiny in her on-going personal injury claim, in particular in the determination of the question of fundamental dishonesty in those proceedings; (iii) the objections expressed were largely focused on the disclosure of the data to the other claimants in the Ersan claims, which was not part of the processing undertaken by the defendant; and (iv) given the unsatisfactory responses as to how these proceedings were being funded, questions remain as to whether those concerns have been encouraged by Ersan.

I am, moreover, unable to see that the processing in issue has given rise to an unjustified detriment: the processing involved in JS1 was undertaken for lawful purposes and was necessary and proportionate for those purposes (see my reasoning, above). I am also unable to see that there can be any substantive complaint as to how the claimants have been treated when seeking to exercise their data protection rights. In this regard, I do not consider that the claimants are assisted by the right to erasure of data provided by article 17: even if a question arose as to the retention of data relating to C2 and C3 (as C1’s personal injury claim is still on-going, the same point cannot be made in her case), a right of erasure under article 17 does not apply where the processing is necessary for the “ establishment, exercise or defence of legal claims ” (article 17(3)); that, I am satisfied, is the position here. More generally, once the issue of admissibility had been resolved, and the Ersan claims returned to the County Court, the defendant offered to pseudonymise the data contained within JS1 for all future purposes (something that was done before the present proceedings commenced). Taking into account the obligations imposed by article 25, and the need to reduce the risks of wider disclosure of the claimants’ personal data as soon as possible (article 28; recital 78), I am satisfied that no unfairness arose from the processing involved in the creation of JS1 and its very limited disclosure by the defendant.

Separately considering the question of transparency, this is not a case where article 14 UK GDPR provides additional rights; even if the provision of information to the claimants would not have rendered impossible, or seriously impaired, the objectives of the processing involved in JS1, so as to engage article 14(5)(b), such rights are again exempted where, as here, the disclosure of the data in issue was necessary for the purposes of “ establishing, exercising or defending legal rights ” (paragraph (5)(c) Schedule 2 DPA 2018).

More generally, the claimants contend that the processing involved in JS1 was not transparent because it was not inherently foreseeable: acknowledging that those who pursue, or threaten, personal injury claims might reasonably expect a detailed investigation of their personal data, the claimants argue that the processing undertaken in this case went much further. Even if the premise of that objection is accepted (although, to the extent that questionable patterns are seen to emerge in a number of personal injury claims, where the claimants share some common denominator, I am not sure why an analysis of data across the different proceedings would not be an entirely reasonable expectation), this would still have to be assessed in light of the scope of the particular processing in issue. In this case, the disclosure undertaken by the defendant was limited to the claimants’ own solicitors and to the court. I cannot see that the defendant thereby acted in a way contrary to what might reasonably be expected in drawing Ersan’s attention to the evidential basis for its concerns, and in putting this before the court in support of its clients’ pleas of fundamental dishonesty in the County Court proceedings.

Having thus looked at the questions of lawfulness, fairness and transparency individually, I have then stepped back to consider, on a more holistic basis, whether the defendant can be said to have complied with the first data processing principle. In carrying out this assessment, it is important to consider the processing in issue in accordance with the proportionality principle; that, it seems to me, is a principle that runs like a thread through the protections provided by the UK GDPR (see recital (4)). Having identified the lawful purposes for which the defendant undertook the processing involved in JS1, I am satisfied, that, having regard to the requirements of fairness and transparency, this was limited to that which was necessary and proportionate to those purposes, and was not outweighed by the fundamental rights and interests of the claimants.

By their pleaded case, the claimants had focused on the question of purpose, contending that the use of their personal data beyond their own claims breached the purpose limitation under article 5(1) UK GDPR. Although not expressly conceding the issue, this was not an argument Mr Hanstock sought to develop at trial. It is, in any event, a bad point. The purpose limitation under article 5(1) is to be read subject to paragraph (5)(c) schedule 2 DPA 2018, which provides that the limitation will not apply to the disclosure of data necessary for the purposes of establishing, exercising or defending legal rights to the extent it would otherwise prevent that disclosure. Understanding that the original collection of the claimants’ data occurred as part of their own proposed claims for damages for personal injury, there was no continuing purpose limitation on the defendant’s disclosure of that data in the form of JS1 given that was (as I have already found) both necessary and proportionate for its furtherance of the plea of fundamental dishonesty that formed part of its clients’ defence in the County Court claims. Similarly, as I have previously observed (under “ transparency ”), the same point can also be made in respect of the claimants’ reliance in this regard on the transparency obligation under article 14(1)(c) (whereby a controller must inform a data subject of the purposes of the intended processing): that too is subject to the same, “ legal rights ” exemption.

Finally, I turn to the third, fifth and sixth processing principles under article 5(1), and the requirements of data and storage minimisation (5(1)(c) and (e)), and of integrity and confidentiality (5(1)(f)). As I have previously noted, at trial, the claimants’ case under these headings crystallised down to the objection that the data involved in JS1 ought to have been the subject of pseudonymisation; it is the claimants’ case that the use of names was unnecessary and failed to ensure security.

Given that the processing of personal data should be limited that which is necessary in relation to the purpose of that processing, kept in a form which permits identification of the data subject for no longer than is necessary, and processed in a manner that ensures appropriate security, I accept that pseudonymisation would be a potentially relevant means of complying with these obligations, not least as it could provide appropriate security of the personal data and the reduction of risk (see recital (28)). Having regard to the detailed explanation provided (see JS2), I am, however, satisfied that no breach of these requirements arises in the present case. No issue has been identified regarding the defendant’s processing or storage of the claimants’ personal data prior to the disclosure of JS1. Allowing that the defendant was entitled to rely on the analysis within JS1 to pursue its clients’ case as to fundamental dishonesty, the claimants’ objection is to its failure to pseudonymise their data when seeking to do so.

For the reasons I have already identified, however, it is apparent that the use of names was necessary at the point JS1 was disclosed to Ersan and the court (see the explanations at JS2 [52] and [58]). Although I cannot see that it was necessary for the non-pseudonymised data to then be disclosed to the claimants listed in the spreadsheet that formed part of JS1, that was done by Ersan not the defendant. Moreover, on the evidence before me, I am satisfied that, at the point that an alternative means was identified such that the data subjects referenced in JS1 could be identified by alternative means (Ersan’s own client reference numbers), the defendant duly pseudonymised the information.

Although the defendant has made clear its view as to the existence of an ulterior, and abusive, motive for these claims, it has not applied for the proceedings to be struck out, and has acknowledged that it cannot be said that the claims brought by C1, C2 or C3 are properly to be treated as res judicata . In putting the defendant’s case in this regard, Mr Hopkins submitted that the point might nevertheless be relevant to any question of remedy or costs.

Given my findings on the claims, no question of remedy arises. As for whether this is an issue that has any bearing on any application for costs, that would seem to me to be something that would need to be separately addressed, having regard to the findings that I have made. I have given directions for how any consequential matters are to be addressed below; in the first instance, any submissions in this regard will be considered on the papers.

For all the reasons provided, the claimants’ claims are dismissed.

A draft of this judgment having been circulated to the parties’ legal representatives prior to hand down, it is further directed that: (1) at least two working days before the date fixed for the handing down of judgment, the parties are to send to the court an draft minute of order; (2) to the extent that there are any points of dispute in respect of the order, those should be made clear on the face of the draft, and the parties’ respective positions (and arguments) set out in written submissions; (3) to the extent that the parties seek to pursue any applications arising in consequence of the decision reached on these claims, these should also be set out in writing, with concise written submissions in support; (4) any written submissions provided in accordance with sub-paragraphs (2) and (3) shall be limited to a total of four sides of A4; (5) any further applications/submissions in this matter, made pursuant to the directions provided above, shall be considered on the papers, with a view to determination without need for a further hearing.