Yesim Kul & Ors v DWF Law LLP

This decision determines claims under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 arising from the compilation and use by the defendant of a spreadsheet (JS1) analysing data from multiple personal injury claims. The court held that the defendant, acting on instructions from insurer clients and in the public interest of the administration of justice, had a lawful basis to process the claimants' personal data under article 6 (including 6(1)(c), 6(1)(e) and 6(1)(f)) and that special category health data fell within the article 9(2)(f) exception for establishment, exercise or defence of legal claims. The processing was assessed as "necessary" and proportionate for the purposes relied upon, and the defendant's limited disclosure of JS1 was not unfair or non-transparent in breach of article 5; the defendant also took steps to pseudonymise the dataset once practicable. The claimants' wider complaints under articles 14, 17 and article 25 did not succeed because the processing was necessary for legal claims and subject to the Schedule 2 DPA 2018 exemptions.

This is a first instance High Court claim by three individuals (from an original group of 137) who challenged the defendant law firm's compilation and use of a spreadsheet (JS1) analysing data from some 372 claims handled by their solicitors, Ersan & Co. The spreadsheet included names and medical information and was prepared by the defendant's organised-fraud team for insurer clients who suspected patterns of fraudulent or exaggerated psychiatric injury claims.

Nature of the claim: declaratory relief and compliance orders under the UK GDPR and Data Protection Act 2018 alleging breaches of article 5 (lawfulness, fairness, transparency, purpose limitation, data minimisation, storage limitation, integrity and confidentiality), article 6, article 9 (processing of special category data), article 14 (information), article 17 (erasure) and article 25 (data protection by design).

Key procedural posture: the spreadsheet JS1 had been used and relied on in multiple County Court personal injury proceedings where insurers pleaded fundamental dishonesty; applications to debar reliance on JS1 failed in the County Court and on appeal (Freedman J). The claimant firm gave an undertaking in the County Court context and the defendant later pseudonymised JS1 by replacing names with solicitors' reference numbers. The present claims were brought in the High Court challenging the earlier non-pseudonymised processing.

Issues framed:

• Whether the defendant's processing of personal and special category data in JS1 was lawful under article 6 and, for health data, under article 9;
• whether the processing was "necessary" and proportionate (data minimisation, pseudonymisation, storage limitation, integrity and confidentiality);
• whether processing complied with purpose limitation and transparency obligations (articles 5 and 14);
• whether article 17 (erasure) applied; and
• whether the High Court litigation was abusive.

Court's reasoning (concise): the court accepted the defendant was a controller and that the spreadsheet included personal and special category data processed without consent. The processing, however, was undertaken on instructions from insurer clients and for the legitimate public interest of administering justice and defending legal claims. The court applied the established "more than desirable but less than indispensable" test of necessity and a proportionality balancing for legitimate interests (including consideration of the reasonable expectations of data subjects). It accepted the defendant's explanations for using names when compiling JS1 (identification, case management system limitations, and to enable validation by claimants' solicitors) and found that the use of names at the initial stage was necessary and proportionate. The court further found article 9(2)(f) applied because the processing was necessary for the defence and establishment of legal claims and that the Schedule 2 DPA 2018 exemption applied to articles 14 and 17 in this context. The defendant's disclosure of JS1 was limited (to courts and to Ersan) and was later pseudonymised once an alternative was agreed; the claimants had not shown an unjustified detriment or unfairness requiring intervention.

Result: the claimants' claims were dismissed and the court gave directions for consequential procedural steps and any applications about costs or remedies to be addressed on the papers.

The claim is dismissed. The court held that the defendant lawfully processed the claimants' personal and special category data in JS1 on a lawful basis under article 6 (including 6(1)(c), 6(1)(e) and 6(1)(f)) and that article 9(2)(f) applied to permit processing of health data necessary for the establishment, exercise or defence of legal claims. The use of names in JS1 prior to subsequent pseudonymisation was judged to be "necessary" and proportionate given the purpose, context and the limited disclosure made; the Schedule 2 exemption in the Data Protection Act 2018 meant articles 14 and 17 did not require a different outcome. Accordingly there was no breach requiring declaratory relief or compliance orders.