Court of Appeal considers the meaning of ‘processing’ under the Data Protection Act – Johnson v. Medical Defence Union (No 2) [2007] EWCA Civ 262

On 28 March 2007, in the case of David Paul Johnson v. Medical Defence Union, the Court of Appeal dismissed Mr Johnson's appeal against the Medical Defence Union (the “MDU”) which claimed that the MDU had unfairly processed his personal data. The claim centred on the MDU's risk management policy, which involved a risk manager manually selecting information from files relating to complaints made about Mr Johnson (who was a surgeon) and putting the selected information on to a computer. Mr Johnson argued that the manual selection of information from his files was unfair, because the MDU's risk policy did not allow his views on the complaints to be taken into account by the MDU's risk assessment group. The case is of interest because the Court considers in some detail what constitutes ‘processing’ for the purposes of the Data Protection Act (the “Act”). The majority of the Court of Appeal (one Judge dissented) concluded that the risk manager's manual selection of information from Mr Johnson's files did not amount to processing for the purposes of the Act. The Court also held that even if processing had occurred, Mr Johnson's claim would still have failed because the data had not been processed unfairly and he did not suffer any damage.