On the 28 March 2007, in the case of David Paul Johnson v Medical Defence Union
, the Court of Appeal dismissed Mr Johnson’s appeal against the Medical Defence Union (the “MDU”) which claimed that the MDU had unfairly processed his personal data. The claim centred on the MDU’s risk management policy, which involved a MDU risk manager manually selecting information from files relating to complaints made about Mr Johnson (who was a surgeon) and putting the selected information on to a computer. Mr Johnson argued that the manual selection of information from his files was unfair, because the MDU’s risk policy did not allow his views on the complaints to be taken into account by the MDU’s risk assessment group.
The case is interesting because the Court considers in some detail what constitutes ‘processing’ for the purposes of the Data Protection Act (the “Act”). The majority of the Court of Appeal (1 Judge dissented) concluded that the risk manager’s manual selection of information from Mr Johnson’s files did not amount to processing for the purposes of the Act. The Court also held that even if processing had occurred, Mr Johnson’s claim would still have failed because the data had not been processed unfairly and he did not suffer any damage.This article first appeared in the May 2007 edition of Data Protection Law & Policy, published by Cecile Park Publishing Ltd. To view the full article please click here.