YSL v Surrey and Borders Partnership NHS Foundation Trust

The claim concerned alleged unlawful processing, disclosure, retention and inaccuracy of the claimant's patient records under the Data Protection Act 1998, the Data Protection Act 2018, the EU/UK GDPR and Article 8 ECHR. The court found that a 2016 settlement (a Form of Receipt and Discharge) barred the parts of the present claim complaining of disclosure by Child and Adolescent Mental Health Services staff and struck those complaints out as an abuse of process under the rule in Henderson v Henderson and Johnson v Gore Wood & Co. The remaining allegations were considered on their merits and dismissed.

On the merits the judge held that the Trust had lawful bases for processing the claimant's health data (Article 6(1)(e) UK GDPR and the Article 9(2)(h)/(i) conditions, and the DPA 2018 statutory framework), that risk assessments received from Surrey Police via MASH were lawfully retained for assessment, that the right to erasure was displaced by the exceptions in Article 17(3) (notably public‑health/healthcare and defence of legal claims), and that complaints about accuracy primarily complained of clinical opinion which cannot be remedied under the accuracy principle. The claim as a whole failed and judgment was entered for the defendant.

Background and parties

• The claimant (referred to as YSL under an anonymity order) was a former CAMHS patient who complained about records and information held and processed by the defendant Trust arising from contacts beginning in about 2011 and continuing thereafter. He brought causes of action under data protection legislation, misuse of private information/confidentiality and Article 8 ECHR seeking damages, erasure and injunctive relief.
• Procedurally the claim was issued in March 2022. The defendant applied to strike out parts of the claim shortly before trial on grounds including that a 2016 compromise had settled relevant matters and that later litigation was an abuse of process. A trial of the strike-out/summary judgment application and the substantive case took place in June 2023.

Relief sought

• The claimant sought damages (including aggravated damages), erasure of his records, correction/rectification, and an injunction to restrain further processing.

Issues framed by the court

• Whether the November 2016 compromise prevented the claimant from bringing (and whether particular pleaded allegations constituted) an abuse of process.
• Whether, on the merits, the Trust had lawful bases for processing and retaining the claimant's health and other personal data under the DPA 1998, DPA 2018 and the EU/UK GDPR (notably Articles 5, 6, 9, 17 and 21) and related domestic provisions.
• Whether Surrey Police risk assessments received via the MASH were lawfully processed by the Trust.
• Whether the 20‑year retention period in the NHSX Records Management Code was disproportionate in breach of Article 8 and unlawful, and whether the claimant was entitled to erasure.
• Whether pleaded inaccuracies (notably assertions of autistic traits) were capable of remedy under the accuracy principle.

Court’s reasoning and disposition

• The court construed the 23 November 2016 settlement as compromising all claims that the claimant might have had arising out of disclosure of his personal information by CAMHS staff. Those parts of the claim referring to such disclosures were struck out as an abuse of process because they were matters the claimant had compromised. The court explained the contractual interpretation approach and relied on the rule in Henderson v Henderson / Johnson v Gore Wood on repetition and harassment by successive litigation.
• As to the remainder, the judge held that the Trust had lawful bases for processing health‑related special category data: processing was necessary for performance of public tasks/exercise of official authority (Article 6(1)(e)), and the Article 9(2)(h)/(i) conditions applied for medical and public‑health purposes together with Article 9(3) safeguards (professional confidentiality) and the statutory conditions in the DPA 2018 (including s10 and Schedule 1 conditions for health/social care purposes). The risk assessments from Surrey Police were received by the Trust via MASH and uploaded for clinical assessment; that receipt and retention was lawful for health/social care purposes and did not amount to an actionable disclosure by the Trust.
• Requests for erasure were rejected. Article 17(3) exceptions applied: processing was necessary for public‑health/healthcare purposes (Article 17(3)(c)) and for establishment/defence of legal claims (Article 17(3)(e)), the latter being material given the claimant’s longstanding complaints and threatened litigation, and the retention period in the NHSX Code was not disproportionate. The court applied the proportionality test and afforded due weight to NHSX’s institutional competence in setting retention periods.
• Claims of inaccuracy were unsustainable because they predominantly challenged clinical opinion or were insufficiently particularised; the accuracy principle concerns incorrect or misleading matters of fact, not professional evaluation.

Conclusion

The court struck out and dismissed the disclosure complaints covered by the 2016 compromise and dismissed the remainder of the claim on the merits. Judgment was entered for the defendant.

The claim is dismissed and judgment is entered for the Defendant. The court struck out those parts of the claim that alleged unlawful disclosure by CAMHS staff as an abuse of process because they were compromised by the claimant’s 23 November 2016 settlement; the remaining allegations were considered on their merits and dismissed because the Trust had lawful bases for processing and retaining the claimant’s health and other data under the DPA 1998/DPA 2018 and the UK GDPR (notably Article 6(1)(e) and Article 9(2)(h)/(i)), the retention and processing of police risk assessments via MASH were lawful, Article 17 exceptions (public health/healthcare and defence of legal claims) disapplied any right to erasure, the NHSX 20‑year retention period was proportionate, and accuracy complaints primarily challenged clinical opinion and had no real prospect of success.