Blog

IN THE SUPREME COURT OF JUDICATURE
COURT OF APPEAL (CIVIL DIVISION)
ON APPEAL FROM MR JUSTICE LATHAM

Tuesday, 21 December 1999

JUDGMENT

Lord Justice Simon Brown:

1. 1. What duty of confidence is owed by pharmacists to patients to whom they dispense prescribed drugs?In particular, provided always that the patient’s anonymity is fully protected, does their duty of confidence to patients prevent pharmacists from using the material contained in the GP’s prescription forms for whatever purposes they wish?That is the central issue raised on this appeal. The circumstances in which it arises are as follows.
   2. The appellants (Source) are a UK Subsidiary of an American company concerned for commercial reasons to obtain information as to doctors’ prescribing habits. Source then sell this information on to pharmaceutical companies so that they may more effectively market their products.
   3. The information contained on the prescription form consists (in no particular order) of the doctor’s name, the patient’s name, the date of prescription, the product prescribed and the quantity prescribed. Pharmacists, for their own purposes, enter this information onto their computer database together with details of the product dispensed (described specifically), and the date of dispensing.
   4. Source have no interest in the patients’ names or identities but every interest in the rest of the information, in particular the GP’s names and the products they prescribe. To obtain this they need in practice the cooperation of both the prescribing doctors and the dispensing pharmacists, and this they used to secure (and hope again to secure) by modest payments: in the case of GPs, ?15 to a charity of the doctor’s choice; in the case of pharmacists, ?150 per annum. For their part, the pharmacists download (normally weekly) the anonymised information (i.e. all the information save that which would identify the patient) by means of specially designed computer software and then pass it to Source for aggregation. Source thus create a database comprising information as to products prescribed by individual doctors in the UK. As Source’s evidence asserts:”The main aim of the database is to obtain knowledge of doctors’ prescribing habits and it will primarily be used by pharmaceutical companies to allow them to target more precisely promotions and communications regarding their products”.

Is there anything unlawful about such a process? In particular, does it involve a breach of the patient’s confidence?The Department of Health’s view, expressed in a policy document dated 24 July 1997, is that it does. These proceedings challenge that view and seek declarations, first that it is erroneous in law, and second:”… that disclosure by doctors or pharmacists to a third party of anonymous information, that is information from which the identity of patients may not be determined, does not constitute a breach of confidentiality.”

1. 1. That application was dismissed by Latham J on 28 May 1999 when, in a very full judgment (now reported at [1999] 4 AllER 185), he concluded that “what is proposed will result in a clear breach of confidence unless the patient gives consent, which is not part of the proposal at present” (page 192 j), and that “the breach of confidence by the pharmacist is capable of providing the basis for a successful action” (page 197 g). Source now appeal with the leave of the judge below.
   2. The whole of the policy document is set out in the judgment at first instance. I propose to quote only the most material parts:

“Anonymisation (with or without aggregation) does not, in our view, remove the duty of confidence towards the patients who are the subject of the data. Apart from the risk of identification of a patient despite anonymisation, the patient would not have entrusted the information to the GP or pharmacist for it to be provided to the data company. The patient would not be aware of or have consented to the information being given to the data company, but would have given it to be used in connection with his care and treatment and wider NHS purposes. Anonymisation of the data (with or without aggregation) would not obviate a breach of confidence.

The duty of confidence may in some circumstances be outweighed by the public interest in disclosure. However, we have severe reservations that disclosure by GPs or NHS pharmacists of dispensing information to … data companies could be argued to be in the public interest. Indeed, it might well be directly contrary to the public interest if the data company is further selling on the information on doctors’ prescribing habits to the pharmaceutical industry.”

1. 1. Before coming to the central issue, let me deal briefly with three particular matters touched on in those quoted passages. First, “the risk of identification of a patient despite anonymisation”. The judge below noted Source’s recognition of “a remote risk that certain information of a rare kind might conceivably enable a patient to be identified”. Having accepted, however, that there was “no evidence before me which sets out any rational basis for such concerns”, he decided the case on the footing that patients’ anonymity could be guaranteed. We too are asked to make that assumption and I would merely note that it will be for Source to satisfy all interested parties that there will be no risk of identification in practice. Source are confident of achieving this and have recently proposed certain refinements to their system to screen out any conceivably identifying information.
   2. Second, “the patient would not … have consented to the information being given to the data company”. Although Source do not formally accept this contention, it is no part of their case that the patient’s consent to this proposal can be implied. Rather their case is that no such consent is required and, indeed, that the patient could advance no legal objection to the use proposed. Source similarly contend that they need no public interest to justify “disclosure by … pharmacists” of (ex hypothesi anonymous) dispensing information to data companies.
   3. Third, the contention that the business of data companies like Source “might well be directly contrary to the public interest”. The Department have been entirely candid about their motives in publishing this guidance. To quote from Mr Sales’ main skeleton argument:

“The interest of the Department (apart from an interest to ensure that NHS GPs and pharmacists are given a fair warning of legal risks which they might be running in participating in such a scheme) is to prevent the sort of targeted marketing which Source and its customers wish to employ, as the Department’s assessment is that such marketing would affect prescribing habits of GPs so as to add hugely (and unnecessarily) to the NHS drugs bill.”

1. 1. The Association of the British Pharmaceutical Industry (ABPI), I should note, one of four parties who have been permitted to intervene in this appeal on stringent terms as to the length of oral argument and costs, take express exception to the Department’s public interest objection. They point out that “targeted marketing” is only marketing which, because of its focus, involves less waste than otherwise. If it increases the NHS drugs bill, that can only be because it acquaints prescribers with medicines which it is appropriate for them to prescribe for their patients, and of which they would otherwise be ill-informed. It is not, they contend, in the public interest that the prescribing of appropriate medicine should be arbitrarily limited by restricting the availability of accurate information to prescribers or by making manufacturers resort to less efficient methods of providing that information.
   2. This is not an issue which to my mind it is either possible or necessary for us to resolve. Whether or not such use of anonymised statistical data can be shown to be contrary to the public interest cannot decide whether or not it involves a breach of confidentiality. Indeed, I do not understand Mr Sales to contend otherwise.
   3. I come then to the central issue: does a pharmacist breach his undoubted duty of confidentiality to a patient if, having duly dispensed the medicine prescribed, he then uses the prescription form as the means of selling anonymised information to Source?
   4. The conventional starting point for considering the nature and scope of the duty of confidentiality is Megarry J’s judgment in Coco v A.N. Clarke (Engineers) Ltd (1969) 86 RPC 41 at 47:

“In my judgment, three elements are normally required if, apart from contract, a case of breach of confidence is to succeed. First the information itself, in the words of Lord Greene, MR in the Saltman case [Saltman Engineering Co Ltd v Campbell Engineering Co Ltd. (1948) 65 R.P.C. 203] on page 215, must ‘have the necessary quality of confidence about it.’Secondly, that information must have been imparted in circumstances importing an obligation of confidence. Thirdly, there must be an unauthorised use of that information to the detriment of the party communicating it.”(On the next page of his judgment, however, Megarry J expressly kept open the possiblity that “detriment” was not, after all, required.)

1. 1. Put at their shortest, the points taken by Source on the appeal are, first that the information is confidential to the patient only if it can be identified with him: thus the information downloaded for Source is by definition not confidential; second, that even if (contrary to submission 1) the downloading to Source constitutes anonymisation of confidential information, that itself involves no misuse of the information: it is, indeed, the very antithesis to a breach of confidence. Third, in any event, detriment is required and, as the judge below accepted, here the patient suffers none. Latham J (at page 195 j) recognised that, “if anonymity is guaranteed, their [the patients’] privacy would not be invaded, and … the commercial value of their prescriptions would individually be infinitesimal” (the latter conclusion being repeated at page 196 f). Having been referred, however, to X v Y and Others [1988] 2 AllER 648 (a case to which I shall return), he accepted (at page 197 F) “that the breach of confidence in itself might carry with it sufficient detriment to justify the grant of a remedy.”
   2. Mr Sales’ response, again put at its shortest, is that Source’s first argument is artificial. It is the information as a composite whole which is confidential because it identifies the patient as someone requiring treatment for his condition and that, as no one doubts, the pharmacist could not properly reveal: the patient is entitled to keep his ailments to himself. Source’s second argument – that to anonymise confidential information is not to misuse it – Mr Sales confronts head on. He submits that the confidential information is given to the pharmacist by the patient for the sole purpose of obtaining the prescribed drugs; any other use of it (or any part of it) for any other purpose, he argues, is unauthorised and, absent an express or implied consent or a justifying public interest, involves a breach of confidence. As for detriment, Mr Sales submits, first, that on true analysis of the law this is never a specific requirement; alternatively, second, that it is only sometimes so and certainly not in a case like this involving intimate information; alternatively, third, that patients in fact do suffer detriment: the confider’s feelings are hurt when his confidence is breached. The patient’s autonomy, he submits, must be respected.
   3. Before I turn to what may be regarded as the mainstream principles governing the law of confidence, I would note first the striking paucity of authority on the central question at issue here, the anonymisation of confidential information and its subsequent use in anonymised form. Is this not perhaps, as Mr Beloff QC suggests, for the very good reason that objection could not sensibly be taken to such conduct? Two cases only are in point and, of these, the first is relevant only to the extent of a persuasive obiter dictum. The issue raised in W. v Egdell [1990] Chancery 359 was identified by Bingham LJ at page 417 thus:

“What is the scope of the duty of confidence owed to a restricted mental patient by a psychiatrist engaged by the patient to report on his mental health for purposes of his forthcoming application to a mental health tribunal?”

1. 1. The report being adverse, the patient refused the psychiatrist permission to disclose it to the hospital. The psychiatrist was nonetheless so concerned at the danger the patient represented that he took it upon himself to disclose the report. The court held that the public interest in the circumstances outweighed the doctor’s duty of confidence to the plaintiff. Importantly for present purposes, Bingham LJ at page 419 said this:

“It has never been doubted that the circumstances here were such as to impose on Dr Egdell a duty of confidence owed to W. He could not lawfully sell the contents of his report to a newspaper, as the judge held … Nor could he, without a breach of the law as well as professional etiquette, discuss the case in a learned article or in his memoirs or in gossiping with friends, unless he took appropriate steps to conceal the identity of W. It is not in issue here that a duty of confidence existed.”

1. 1. It is, submit Source, clearly implicit in that dictum that, provided only a confidant does take appropriate steps to conceal the confider’s identity, he may use the information entirely as he pleases. They might have added that a dictum from that source is worth many a ratio decidendi from another.
   2. The other case directly concerning the use of anonymised information is X v Y and Others [1988] 2 AllER 648, a decision of Rose J following a six day witness action. The proceedings (and procedural history) were complicated but for present purposes the facts may be summarised as follows. The plaintiffs were a health authority, the second defendants the owners and publishers of a national newspaper, one of whose reporters was the first defendant. In clear breach of confidence, an employee of the plaintiffs supplied the first defendant with information obtained from hospital records which identified two doctors who were carrying on general practice despite having contracted AIDS. One of many issues arising before Rose J was whether the second defendants should be entitled to publish an article based on that information provided that the individual doctors were not identified. Rose J at page 657 said this:

“Counsel for the second defendants next submitted that, if the identities are not revealed, an injunction should not be granted even though the information has the necessary quality of confidentiality. There must (as is common ground) be a substantial, not trivial, violation of the plaintiffs’ rights to justify equitable relief. … he submitted that there was no discernible detriment to the plaintiffs and detriment is essential … In my judgment detriment in the use of the information is not a necessary precondition to injunctive relief. … In the present case, detriment occurred to the plaintiffs because patients’ records were leaked to the press in breach of contract and breach of confidence, with [certain adverse] consequences, even without publication, to the plaintiffs and the patients … If use were made of that information in such a way as to demonstrate to the public (by identifying the hospital) the source of the leak, the plaintiffs would suffer further detriment. But use of the information (as the defendants now seek) in a way which identifies neither the hospital nor the patients does not mean that the plaintiffs have suffered no detriment. Significant damage, about which the plaintiffs are entitled to complain, has already been done. This is also the answer to the additional submission of counsel for the first defendant that, though there was a breach of confidence in obtaining the information, there is, on the evidence, none in publishing it, if the doctors are not identified. In my judgment it is, in the present case, the initial disclosure and its immediate consequences, not subsequent publication, which found the plaintiffs’ claim in breach of contract and breach of confidence.”

1. 1. Rose J then turned to the issue of public interest in the freedom of the press, and at page 661 said this:

“Paraphrasing Templeman LJ in the Schering case [Schering Chemicals Ltd v Falkman Ltd [1982] QB 1], the facts, in the most limited version now sought to be published, have already been made available and may again be made available if they are known otherwise than through the medium of the informer. The risk of identification is only one factor in assessing whether to permit the use of confidential information. In my judgment to allow publication in the recently suggested restricted form, would be to enable both defendants to procure breaches of confidence and then to make their own selection for publication. This would make a mockery of the law’s protection of confidentiality when no justifying public interest has been shown. These are the considerations which guide me, whether my task is properly described as a balancing exercise, or an exercise in judicial judgment, or both.”

1. 1. He refused permission for future publication of the information in any form.
   2. On the present appeal, both sides seek to rely on that decision. To my mind, however, it ultimately assists neither of them. True, as Mr Sales points out, it defeats any contention that the publication of anonymised information will of itself necessarily in all circumstances preclude a claim for breach of confidence. But I am quite unable to accept his submission that the pharmacist’s position here is akin to that of the defendants there, both being under a duty of confidence to the patients in question. That is to overlook entirely the fact that in X v Y the information came to the defendants in flagrant breach of confidence. Hardly surprising, submits Mr Beloff, that the judge was concerned to prohibit any further use of it as the fruit of the poisoned tree. In my judgment X v Y begs rather than answers the question raised on the present appeal. The position might perhaps be otherwise were it Source, not the pharmacists, who propose to anonymise the information. That, certainly, would make for a closer analogy with X v Y. Even then, however, I can envisage various arguments by which Source might seek to distinguish the two cases on their facts.
   3. Both W v Egdell and X v Y, it will be noted, concerned (as does the present appeal) the duty of confidence owed in respect of personal information confided in the context of a professional relationship of trust. As Dr Francis Gurry points out in his monograph on Breach of Confidence [1984], this is the second of four main classes of information which traditionally have been protected, or whose use has been restricted, by the enforcement of confidences: trade secrets, personal confidences, Government information, and artistic and literary confidences. As Dr Gurry explains, the notion of privacy lies close to the heart of the courts’ interest in securing personal confidences. I mention that at this stage because most of the authorities in this field appear to have been decided in respect of other classes of information and, as I shall suggest, that may have some significance.
   4. I have already cited one passage from Megarry J’s judgment in Coco. In turning to the other main authorities I propose to be highly selective in citation. I start with the Federal Court of Australia in Smith Kline & French Laboratories (Australia) Limited v Department of Community Services and Health (1991) 99 ALR 679 at 691:

“Megarry J has suggested a broad test to determine whether an obligation of confidence exists. In Coco v A.N. Clarke (Engineers) Limited [1969] RPC 41, Megarry J said (at 48):

‘It seems to me that if the circumstances are such that any reasonable man standing in the shoes of the recipient of the information would have realised that upon reasonable grounds the information was being given to him in confidence, then this should suffice to impose upon him the equitable obligation of confidence.’

However, this test does not give guidance as to the scope of an obligation of confidentiality, where one exists. Sometimes the obligation imposes no restriction on use of the use [sic] of the information, as long as the confidee does not reveal it to third parties. In other circumstances, the confidee may not be entitled to use it except for some limited purpose. In considering these problems, and indeed the whole question, it is necessary not to lose sight of the basis of the obligation to respect confidences: ‘it lies in the notion of an obligation of conscience arising from the circumstances in or through which the information was communicated or obtained.’ This is quoted from Moorgate Tobacco Co Ltd v Philip Morris Ltd (No 2) (1984) 156 CLR 414 at 438; 56 ALR 193 at 203 per Deane J, with whom the other members of the court agreed. A similar broad view has been taken in the United States: E.I. Dupont de Nemours Powder Co v Masland (1917) 244 US 102 …

Similar expressions recur in other cases: Seager v Copydex Ltd [1967] RPC 349 at 368:’The law on this subject … depends on the broad principle of equity that he who has received information in confidence shall not take unfair advantage of it.’

To avoid taking unfair advantage of information does not necessarily mean that the confidee must not use it except for the confider’s limited purpose. Whether one adopts the ‘reasonable man’ test suggested by Megarry J or some other, there can be no breach of the equitable obligation unless the court concludes that a confidence reposed has been abused, that unconscientious use has been made of the information.

…

We would add that in our opinion courts exercising equitable jurisdiction should not be too ready to import an equitable obligation of confidence in a marginal case. There is the distinction between use of confidential information in a way of which many people might disapprove, on the one hand, and illegal use on the other. Not only the administration of business and government, but ordinary communication between people, might be unduly obstructed by use of too narrow a test, such as that which the appellants put forward here.”

1. 1. Many of those same citations had found their way into Bingham LJ’s judgment in the Court of Appeal in the Spycatcher case – Attorney General v Guardian Newspapers (No. 2) [1990] 1 AC 109 – in a passage setting out the relevant principles of law, later approved by the House of Lords. As to the duty of confidence generally, Bingham LJ at page 216 said this:

“The cases show that the duty of confidence does not depend on any contract, express or implied, between the parties. If it did, it would follow on ordinary principles that strangers to the contract would not be bound. But the duty ‘depends on the broad principle of equity that he who has received information in confidence shall not take unfair advantage of it:’ Seager v Copydex Ltd. [1967] 1 WLR 923, 931, per Lord Denning MR. ‘The jurisdiction is based not so much on property or on contract as on the duty to be of good faith’: Fraser v Evans [1969] 1 QB 349, 361, per Lord Denning MR. It accordingly ‘affects the conscience of the person who receives the information with knowledge that it has orginally been communicated in confidence’: per Sir Nicolas Browne-Wilkinson V-C at the interlocutory stage of this case [1987] 1 WLR 1248, 1265. So it is appropriate that the enforceability of rights of confidence against third parties should be analysed in the traditional terms of equitable rights over property, as Sir Nicolas Browne-Wilkinson V-C did [1987] 1 WLR 1248,1264D, and Nourse LJ did at an even earlier stage of this case Attorney-General v Observer Ltd., The Times, 26 July 1986; Court of Appeal (Civil Division) Transcript No. 696 of 1986.

The English law on this subject could not, I think, be more clearly or accurately stated than it was by the High Court of Australia in Moorgate Tobacco Co Ltd v Philip Morris Ltd (No. 2) (1984) 156 CLR 414, 437-438:

“It is unnecessary for the purposes of the present appeal, to attempt to define the precise scope of the equitable jurisdiction to grant relief against an actual or threatened abuse of confidential information not involving any tort or any breach of some express or implied contractual provision, some wider fiduciary duty or some copyright or trade mark right. A general equitable jurisdiction to grant such relief has long been asserted and should, in my view, now be accepted:see Commonwealth of Australia v John Fairfax & Sons Ltd (1980) 147 CLR 39, 50-52. Like most heads of exclusive equitable jurisdiction, its rational basis does not lie in proprietary right. It lies in the notion of an obligation of conscience arising from the circumstances in or through which the information was communicated or obtained.'”

1. 1. Of the speeches in the House of Lords I cite only the briefest passages. At page 255 Lord Keith of Kinkel said this:

“Most of the cases have arisen in circumstances where there has been a threatened or actual breach of confidence by an employee or ex-employee of the plaintiff, or where information about the plaintiff’s business affairs has been given in confidence to someone who has proceeded to exploit it for his own benefit; an example of the latter type of case is Seager v Copydex Ltd. [1967] 1 WLR 923. In such cases the detriment to the confider is clear. In other cases there may be no financial detriment to the confider, since the breach of confidence involves no more than an invasion of personal privacy. Thus in Duchess of Argyll v Duke of Argyll [1967] Ch.302 an injunction was granted against the revelation of marital confidences. The right to personal privacy is clearly one which the law should in this field seek to protect.”

1. 1. At page 281 Lord Goff of Chieveley stated the broad general principle (non-definitively) as follows:

“That a duty of confidence arises when confidential information comes to the knowledge of a person (the confidant) in circumstances where he has notice, or is held to have agreed, that the information is confidential, with the effect that it would be just in all the circumstances that he should be precluded from disclosing the information to others.”

1. 1. Then, at page 282, he referred to three limiting principles to which that broad general principle is subject, of which for present purposes only the first is relevant:

“The first limiting principle (which is rather an expression of the scope of the duty) is highly relevant to this appeal. It is that the principle of confidentiality only applies to information to the extent that it is confidential. In particular, once it has entered what is usually called the public domain (which means no more than that the information in question is so generally accessible that, in all the circumstances, it cannot be regarded as confidential) then, as a general rule, the principle of confidentiality can have no application to it.”

1. 1. Let me give two final quotations before finally coming to address the novel question raised on this appeal. First, a passage from Dr Gurry’s book at page 258 relied on by Mr Sales:

“The underlying notion of a confidence existing between the confider and the confidant has figured prominently in determining whether there has been a breach of an obligation. The courts have been less concerned with formal requirements, than with the practical effects of a confidant’s misconduct, and, where these are such as to represent a lack of good faith on the part of the confidant, he will be liable for breach of his duty of confidence. This general attitude of the courts is reflected in a number of ways which differentiate the nature of the protection provided for information by the breach of confidence action from that afforded by other types of protection for intellectual property.

First, it seems that a confidant will be liable for breach of his duty if he misuses only part of the confidential information which has been disclosed to him, provided that the misuse relates to a material part of the information. In Amber Size and Chemical Co. Ltd. v Menzel [1913] 2Ch.239 the defendant, while in the employ of the plaintiffs, acquired a knowledge of ‘very material portions’ of the plaintiffs’ secret process for the manufacture of size. After leaving the plaintiffs’ service, the defendant was employed by a competitor of the plaintiffs as size-maker. In this capacity, he attempted to reproduce the plaintiffs’ process, but was unsuccessful owing to the lack of one small detail. Even though unable to reproduce the process in toto, the defendant was held liable for breach of duty, and an injunction was granted to restrain him from using ‘the whole or any material part‘ of the process.”

1. 1. This approach, I should note, is wholly consistent with a further principle of the law of confidence, the spring-board principle as it has been called. As Megarry J put it in Coco at page 47:

“… where confidential information is communicated in circumstances of confidence the obligation thus created endures, perhaps in a modified form, even after all the information has been published or is ascertainable by the public; for the recipient must not use the communication as a spring-board [reference being made to Seager v Copydex Ltd].”

1. 1. To my mind the one clear and consistent theme emerging from all these authorities is this:the confidant is placed under a duty of good faith to the confider and the touchstone by which to judge the scope of his duty and whether or not it has been fulfilled or breached is his own conscience, no more and no less. One asks, therefore, on the facts of this case: would a reasonable pharmacist’s conscience be troubled by the proposed use to be made of patients’ prescriptions?Would he think that by entering Source’s scheme he was breaking his customers’ confidence, making unconscientious use of the information they provide?
   2. In contending for the answer ‘Yes’, Mr Sales urges in particular these considerations. The patient’s sole purpose in handing over the prescription is so that the pharmacist may dispense the drugs prescribed. That, therefore, is the only use of it that is authorised. By anonymising the information the pharmacist does not cease to be under a duty of confidence with regard to it. Indeed the very act of anonymisation involves “manipulation” of the information and is itself objectionable. The only reason the pharmacist has something to sell is because the patient has handed over his prescription. Even when it is anonymised, it is still not in the public domain. To sell any part of it is to misuse it.
   3. For my part I find these arguments not merely unconvincing but wholly unreal. True it is that even when stripped of anything capable of identifying the patient, the information which the pharmacist proposes to sell to Source is still not in “the public domain”. But whether or not that matters must surely depend upon the interest at stake. I referred earlier to the different classes of information identified by Dr Gurry as traditionally having attracted the law’s protection. If, of course, Government information is involved, then whether or not the information has entered the public domain may well prove decisive – as in Spycatcher itself. If trade secrets (which clearly include intellectual property rights) are involved, then the position may be different – consider the final passage quoted above from Dr Gurry and the spring-board principle. What then of a case like the present which involves personal confidences?What interest, one must ask, is the law here concerned to protect?
   4. In my judgment the answer is plain. The concern of the law here is to protect the confider’s personal privacy. That and that alone is the right at issue in this case. The patient has no proprietorial claim to the prescription form or to the information it contains. Of course he can bestow or withhold his custom as he pleases – the pharmacist, note, has no such right: he is by law bound to dispense to whoever presents a prescription. But that gives the patient no property in the information and no right to control its use provided only and always that his privacy is not put at risk. I referred earlier to Mr Sales’ plea for respect for “the patient’s autonomy”. At first blush the submission is a beguiling one. My difficulty with it, however, is in understanding how the patient’s autonomy is compromised by Source’s scheme. If, as I conclude, his only legitimate interest is in the protection of his privacy and if that is safeguarded, I fail to see how his will could be thought thwarted or his personal integrity undermined. By the same token that, in a case concerning Government information, “the principle of confidentiality can have no application to it … once it has entered … the public domain” (per Lord Goff), so too in a case involving personal confidences I would hold by analogy that the confidence is not breached where the confider’s identity is protected.
   5. This appeal concerns, as all agree, the application of a broad principle of equity. I propose its resolution on a similarly broad basis. I would not distinguish between Source’s first and second arguments and nor would I regard the case as turning on the question of detriment. Rather I would stand back from the many detailed arguments addressed to us and hold simply that pharmacists’ consciences ought not reasonably to be troubled by cooperation with Source’s proposed scheme. The patient’s privacy will have been safeguarded, not invaded. The pharmacist’s duty of confidence will not have been breached.
   6. I turn to deal altogether more briefly with the remaining issues debated before us. First, there is the Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which fell to be implemented by 24 October 1998 and which the United Kingdom will finally implement on 1 March 2000 when the relevant provisions of the Data Protection Act 1998 come into force. Although all this post-dates the Department’s policy guidance and, indeed, attracted no consideration in the court below, we cannot, I fear, entirely ignore it. The Directive was first raised in these proceedings by Lord Lester QC on behalf of the General Medical Council (GMC), another intervening party. His argument (much over-simplified) is that, even if Source’s proposal would involve a breach of confidence under domestic law, it does not offend the Directive and so should be held compatible also with domestic law, the latter being read down if necessary for the purpose. By a linked submission, he further argues that the policy guidance (and/or any ruling by the court in support of it) would violate Article 10 of ECHR, there being on the facts no countervailing interest in privacy to protect under Article 8, and that domestic common law and, indeed, the scope of the Directive itself (see the reference to ECHR in recital 1) should accordingly be determined as he contends so as to avoid such violation.
   7. These arguments encouraged Mr Sales to advance mirror submissions on behalf of the Department, namely that even if Source’s proposal would not offend the common law (as I would hold) it should nevertheless be recognised to fall foul of the Directive (and eventually the 1998 Act) so that domestic law ought accordingly to be read up for the purpose.
   8. Let me put aside further complications such as whether or not Source are entitled to invoke the transitional provisions in Article 32(2) of the Directive, and whether or not the Directive is directly effective pending its implementation, and turn to those of its Articles upon which Mr Sales principally relies.
   9. Article 2 (the definition Article) by paragraph (a) defines “personal data” as meaning “any information relating to an identified or identifiable natural person (‘data subject’) … and by paragraph (b) defines ‘processing of personal data’ (‘processing’) as meaning:

“any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.”

1. 1. Article 8.1, requires that:

“Member states shall prohibit … the processing of data concerning health … .”

1. 1. Article 8.2(a) disapplies Article 8.1 where:

“the data subject has given his explicit consent to the processing of those data …” (a provision to which I shall briefly return later in this judgment)

1. 1. Article 8.3, disapplies Article 8.1:

“where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provison of care or treatment or the management of health-care services, and where those data are processed by a health professional [which includes, all parties agree, a pharmacist] …”

1. 1. Mr Sales’ argument put at its simplest is that the proposed anonymisation of the information contained in a prescription form will – under the very wide definition of “processing” set out in Article 2(b) – constitute the processing of data concerning the patient’s health, and that this is impermissible under Article 8.1, such processing not being required for any of the stipulated purposes allowed for by Article 8.3.
   2. Lord Lester’s best answer to this submission (and he is joined in it by Source) is that the Directive can have no more application to the operation of anonymising data than to the use or disclosure of anonymous data (which, of course, by definition is not “personal data” and to which, therefore, it is conceded that the Directive has no application). He points to the several recitals emphasising the right to privacy as the principal concern underlying this Directive, and he places great reliance on recital 26:

“Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; whereas the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable; whereas codes of conduct within the meaning of Article 27 may be a useful instrument for providing guidance as to the ways in which data may be rendered anonymous and retained in a form in which identification of the data subject is no longer possible.”

1. 1. Although this is clearly not the appropriate occasion to attempt a definitive ruling on the scope of the Directive – and still less of the impending legislation – I have to say that commonsense and justice alike would appear to favour the GMC’s contention. By the same token that the anonymisation of data is in my judgment unobjectionable here under domestic law, so too, I confidently suppose, would it be regarded by other Member States. Of course the processing of health data requires special protection and no doubt the “erasure or destruction” of such data is included in the definition of processing for good reason: on occasion it could impair the patient’s own health requirements. It by no means follows, however, that the process envisaged here should be held to fall within the definition: on the contrary, recital 26 strongly suggests that it does not.
   2. I pass to a very different area of the debate before us, the loosely linked issues of implied patient consent and the public interest.
   3. Let me at this stage briefly explain the presence of the four intervening parties. Two of them – ABPI (who represent the interests of manufacturers of prescription-only medicines) and the National Pharmaceutical Association Limited (NPA) (who represent most of Britain’s community phamacists) – applied to intervene at an oral hearing in September. Both suggested that the judgment below had given rise to general confusion and uncertainty and expressed their differing concerns as to its impact upon a whole range of activities. ABPI suggested that:

“… the collection and use of much if not all of this anonymised data will be prohibited or severely inhibited due to great uncertainty as to its legality. The decision has generated enormous uncertainty in relation to the collection of prescription and related medical data, and has resulted in the suspension of a number of long-standing databases (some in use for over thirty years) used by the members of the ABPI.”

1. 1. They further referred to the:

” … profound implications of the decision for the whole of the pharmaceutical industry (branded and generic) in terms of not only marketing, but also medical research, fulfilment of regulatory obligations, collection of Government statistics, coping with fluctuations in supply and demand, and dealing with adverse event monitoring and product withdrawals.”

1. NPA too contended that various uses of data were affected by the judgment, including the use by pharmacists of computerised patient records for patients’ safety purposes, for creating drug product usage information, for stock management purposes, and to assist in the development of information technology systems.
2. Subsequently both the GMC and the Medical Research Council (MRC) joined in the appeal without objection from any other party to voice their own particular concerns. The GMC, of course, has a statutory role in setting and enforcing ethical standards for the medical profession. The MRC is the UK’s main funder of basic and applied bio-medical research and training, a vital part of whose work involves the use of anonymous patient information.
3. In the event, taking the favourable view we do of Source’s central argument, it has not proved necessary to explore the inteveners’ separate interests in any depth. I should, however, make just three points.
4. First, Lord Lester’s arguments on implied consent, opposed though they were not merely by the Department but also by the NPA and the MRC, to my mind appeared compelling. So far from patients being taken to have impliedly consented to such uses of the information they provide as are commonly accepted to be in the public interest, this is, submits Lord Lester, to conflate the issue of effective consent (which modifies the duty of confidence) with that of the public interest (which overrides the duty). The reference (noted above) in Article 8.2(a) of the Directive to the “data subject [giving] his explicit consent” strongly supports this thesis. In addition, Lord Lester’s approach overcomes such problems as the well recognised reluctance of certain people to accept the views of those in authority as to just what is or is not good for them, and, let us postulate, the occasional patient who expressly purports to refuse permission for his prescription form to be used for any purpose save only the dispensing of the prescribed drug. Given, however, the Department’s submission that in any event, whenever patient consent could arguably be implied, so too could the public interest be invoked to the same end, it seemed pointless to carry the debate very far.
5. Second, the Department submits that various of the uses to which patient information is put are not in fact capable of being justified by reference either to implied consent or to the public interest. To illustrate this by a single example, the Department suggests that stock-management could be undertaken using conventional stock-control means (i.e. monitoring quantities ordered and comparing this with the quantities remaining in the dispensary at any given time) rather than by using patient information. Given the conclusion already reached on the central point, this argument, of course, fails in limine: no breach of confidence is involved in pharmacists using the information contained in prescription forms for their own stock-keeping purposes; the patient’s privacy is thereby neither invaded nor imperilled. Nevertheless, recognising, as one must, the importance of confining any public interest defence in this area of the law within strict limits – lest, as Gummow J put it at first instance in Smith Kline and French Laboratories (Australia) Limited v Department of Community Services and Health [1990] FSR 617, 663; it becomes “not so much a rule of law as an invitation to judicial idiosyncracy by deciding each case on an ad hoc basis as to whether, on the facts overall, it is better to respect or to override the obligation of confidence” – the Department’s stance on a use so innocuous as stock-keeping strongly reinforces the view that the equitable obligation of confidence ought not to be drawn too widely in the first place – see the final paragraph cited above from the judgment in Smith Kline and French on appeal.
6. Third, it is clear on the information before us that for certain limited purposes patient information is used in identifiable rather than anonymised form. As the Department states, “thorough research and management depend in part upon the possibility of others checking that anonymised and aggregated information does correspond to the real world, by audit procedures which must inevitably involve checking identifiable cases.”For present purposes, I say no more than that, provided, as I understand to be the case, the use of such identifiable data is very strictly controlled, there appears no reason to doubt that this is acceptable – whether because it falls within the public interest defence or as is perhaps the preferable view, because the scope of the duty of confidentiality is circumscribed to accommodate it, it is not necessary to decide on this appeal.
7. Long though this judgment is, I am conscious of the many subtle arguments from one quarter or another of which it takes no express notice whatever. That perhaps is inevitable in a case which has expanded as widely as this one was permitted to do. At the end of it all, however, the conclusion I reach can be succinctly stated. Participation in Source’s scheme by doctors and pharmacists would not in my judgment expose them to any serious risk of successful breach of confidence proceedings by a patient (any more than were a prescribing doctor, asked by a manufacturer’s representative what medicine he ordinarily prescribes for a given condition, to answer candidly on the basis of his current practice). If the Department continue to view such schemes as operating against the public interest, then they must take further powers in this already heavily regulated area to control or limit their effect. The law of confidence cannot be distorted for the purpose.
8. I would accordingly allow this appeal and let our judgments stand as the court’s declaration in the matter.
9. Lord Justice Aldous:
10. I agree.
11. Lord Justice Schiemann:
12. I also agree with the judgment delivered by Simon Brown LJ. 

    Source: www.bailii.org