424 Rv Dept of Health, Ex p Source Informatics Ltd (CA) (2001) QB Court of Appeal Regina v Department of Health Ex parte Source Informatics Ltd 1999 Nov 29, 303 Simon Brown, Aldous and Schiemann LJ} Dec 2, 3321 Confidential Information — Breach of confidence — Public interest — Applicants collecting information on prescribing habits from general practitioners and pharmacists — No disclosure to applicants of patients’ identities — Applicants selling information to pharmaceutical companies for marketing purposes — Whether disclosure of information breach of duty of confidence owed to patients The applicants operated a scheme whereby information was obtained from general practitioners and pharmacists about drugs prescribed for patients. The information came from prescription forms each of which contained the doctor's name, the patient’s name, the date of prescription, the product prescribed and the quantity prescribed. Pharmacists, for their own purposes, entered all that information onto their computer database together with specific details of the drug dispensed and the date of dispensing. For modest payments to general practitioners and pharmacists who participated in the scheme, all the information on the prescription forms, except for the patient's identity, was passed on to the applicants by means of specially designed computer software. The anonymised information was sold by the applicants to pharmaceutical companies who used it for marketing purposes. The Department of Health issued a policy document advising that the anonymisation of such information would not remove the duty of confidence owed to patients and that general practitioners and pharmacists would incur legal risks if they participated in the scheme. The applicants brought judicial review proceedings against the Department of Health seeking a declaration that the policy guidance was wrong and that a disclosure of such information would not be a breach of confidence. The judge dismissed the application, holding that, in the absence of consent from patients, the disclosure of information abstracted from prescription forms would be an unauthorised use of confidential information, even ifanonymity could be guaranteed. On the applicants’ appeal— Held, allowing the appeal, that a patient had no proprietorial claim to the prescription form or to the information it contained and had no right to control the way the information was used provided only that his privacy was not put at risk; that where a patient's identity was protected, it would not be a breach of confidence for general practitioners and pharmacists to disclose to a third party, without the patient’s consent, the information contained in the patient's prescription form; and that, accordingly, the applicants were entitled to the declaration sought (post, PP 440B-G, 444D-G). Coco v AN Clark (Engineers) Ltd [1969] RPC 41 and Attorney General v Guardian Newspapers Ltd (No 2) [1990| 1 AC 109, HL(E) considered. Decision of Latham J [1999] 4 All ER 185 reversed. The following cases are referred to in the judgment of Simon Brown LJ: Attorney General v Guardian Newspapers Ltd (No 2) [1990] 1 AC 109; [1988] 2 WLR 805; [1988] 3 All ER 545, Scott J and CA; [r990] 1 AC ro9; [1988] 3 WLR 776; [1988] 3 AIl ER 545, HL(E) Coco v AN Clark (Engineers) Ltd {1969] RPC 4 Smith Kline & French Laboratories (Australia) Ltd v Secretary to the Department of Community Services and Health [1990] FSR 617; (1991) 99 ALR 679 Wv Egdel! [1990] Ch 3593 [1990] 2 WLR 471; [1990] x All ER 835, CA Xv ¥ [1988] 2 AILER 648425 [2001] QB Rv Dept of Health, Ex p Source Informatics Ltd (CA) The following additional cases were cited in argument: Albert (Prince) v Strange (1849) 2 De G & Sm 652 Ashmore v Douglas-Home [1987] FSR 553 Bowater v Rowley Regis Corpn [194.4] KB 476; [1944] 1 AIl ER 465, CA British Steel Corpn v Granada Television Ltd [1981] AC 1096; [1980] 3 WLR 774; [1981] x AILER 417, HL(E) Burnett v British Waterways Board [1973] 1 WLR 700; [1973] 2 AIIER 631, CA Derbyshire County Council v Times Newspapers Ltd 1993] AC 5343 [1993] 2 WLR 449; [1993] 1 All ER ror, HL(E) Dudgeon v United Kingdom (1981) 4 EHRR 149 Duncan v Medical Practitioners Disciplinary Committee [1986] 1 NZLR 513 Gartside v Outram (1856) 26 LJCh 113 Gaskin v United Kingdom (1989) 12 EHRR 36 Goodwin v United Kingdom (1996) 22 EHRR 123 Guerra v Italy (1998) 26 EHRR 357 Haarhaus & Co GmbH v Law Debenture Trust Corpn plc [t988] BCLC 640 Hellewell v Chief Constable of Derbyshire [1995] t WLR 8045 [1995] 4 AIlER 473 Jacubowski v Germany (1994) 19 EHRR 64 Kirkham v Chief Constable of the Greater Manchester Police [1990] 2 QB 283; [1990] 2 WLR 987; [1990] 3 All ER 246, CA Lamb v Evans [1893] Ch 218, CA Leander v Sweden (1987) 9 EHRR 433 Lingens v Austria (1986) 8 EHRR 407 Melnerney v MacDonald (1992) 93 DLR (4th) 415 Markt Intern and Beerman v Germany (1989) 12 EHRR 161 Marshall v Southampton and South West Hampshire Area Health Authority (Teaching) (Case 152/84) [1986] QB 4or; [1986] 2 WLR 780; [1986] 2 All ER 584, EC] Matadeen v Pointu [1999] 1 AC 98; [1998] 3 WLR 18, PC Morley v United Friendly Insurance plc [1993] 1 WLR 996; [1993] 3 AIIER 47, CA Norwich Pharmacal Co v Customs and Excise Comrs [1974] AC 1333 [1973] 3 WLR 1643 [1973] 2 AI ER 943, HL(E) O'Brien v Cunard SS Co (1891) 28 NE 266 Pollard v Photographic Co (1888) 40 Ch D 345 R v Brown (Gregory) [1996] AC 543; [1996] 2 WLR 203; [1996] 1 All ER 545, HL(E) R v Director of Public Prosecutions, Ex p Kebilene [2000] 2 AC 326; [1999] 3, WLR 972; [1999] 4 All ER 801, HL(E) Reynolds v Times Newspapers Ltd [1999] 3 WLR 1010; [1999] 4 All ER 609, HL(E) Robb v Green [1895] 2 QB 1; [1895] 2 QB 315,CA Saltman Engineering Co Ltd v Campbell Engineering Co Lid (1948) 65 RPC 203, CA Sarch v Blackburn (1830) 4 C & P 297 Seager v Copydex Ltd [1967] WLR 923; [1967] 2 AILER 415,CA Sidaway v Board of Governors of the Bethlem Royal Hospital and the Maudsley Hospital [1985] AC 871; [1985] 2 WLR 480; [1985] 1 All ER 643, HL(E) Sunday Times v United Kingdom (1979) 2 EHRR 245 Tournier v National Provincial and Union Bank of England [1924] 1 KB 461, CA Woolgar v Chief Constable of Sussex Police [2000] 1 WLR 25; [1999] 3 All ER 604, CA Zv Finland (1997) 25 EHRR 371 APPEAL from Latham J By notice of motion dated 7 April 1998 the applicants, Source Informatics Ltd, sought judicial review of the guidance contained in a policy document promulgated by the Department of Health on or about 24 July 1997 to426 Rv Dept of Health, Ex p Source Informatics Ltd (CA) [2001] QB health authorities in which the Department of Health advised that disclosure by doctors to the applicants of details of products which they prescribe constituted a breach of confidentiality. The applicants sought (1) a declaration that the guidance was erroneous in law and (2) a declaration that disclosure by doctors and pharmacists to a third party of anonymous information, ie information from which the identity of patients might not be determined, did not constitute a breach of confidentiality. On 28 May 1999 the judge dismissed the application. By notice of appeal dated 24 June 1999 the applicants appealed on the grounds, inter alia, that (1) the judge erred in law in holding that the disclosure by pharmacists to the applicants of details of products prescribed by doctors involved the unauthorised use by the pharmacists of confidential information about patients; (2) further and in the alternative, (i) the judge having correctly held that (a) there must be a detrimental effect on the confider from which the court considered that he was entitled to protection before the court would provide a remedy, (b) the anonymous information disclosed by each pharmacist to the applicants provided nothing which could link it to any individual’s identity, and (c) the value to the patient of the confidential information provided to the pharmacist was infinitesimal, the judge erred in law in holding that the breach of confidence by the pharmacist was capable of providing the basis for a successful action; (ii) the judge erred in law in holding that it was not acceptable for pharmacists to breach their patients’ confidence for personal gain unless the breach of confidence was in itself in the public interest; (3) further and in the alternative, the judge erred in law in holding that the rights of patients were capable of justifying interference with the rights of doctors, pharmacists and the applicants to impart and receive information under article 10 of the Convention for the Protection of Human Rights and Fundamental Freedoms (1953)(Cmd 8969) or the equivalent common law rights. The Association of the British Pharmaceutical Industry, the National Pharmaceutical Association Ltd, the General Medical Council and the Medical Research Council were all given leave by the Court of Appeal to intervene in the appeal. The facts are stated in the judgment of Simon Brown LJ. Michael Beloff QC, Charles Flint QC and Sarah Moore for the applicants, The case concerns the lawfulness or otherwise of the imparting by pharmacists of anonymised prescription information to the applicants, who require it for the business purpose of ensuring that doctors receive information about drugs which might be useful for the particular practice. An equitable duty of confidence arises when confidential information comes to the knowledge of a person in circumstances where he has notice, or is held to have agreed, that the information is confidential and it would be just that he should be precluded from disclosing the information to others: see Attorney General v Guardian Newspapers Lid (No 2) [1990] 1 AC 109. For a case of breach of confidence to succeed (1) the information must have the necessary quality of confidence about it; (2) the information must have been imparted in circumstances importing an obligation of confidence; and (3) there must be unauthorised use of that information to the detriment of the party communicating it: see Coco v AN Clarke (Engineers) Lid [1969]427 [2001] QB Rv Dept of Health, Ex p Source Informatics Ltd (CA) RPC 41, 47. Here, the second test is satisfied (see W v Egdell [1990] Ch 359), but not the first or third. The protection of the law extends to personal information of limited or no commercial value where there is no contract between confidant and confider but the information has been imparted in circumstances of confidence: see Saltman Engineering Co Ltd v Campbell Engineering Co Ltd (1948) 65 RPC 203. In the context of patient/doctor relationship the law of confidentiality will protect at the suit of the patient only that which is personal and private to the patient, and at the suit of the doctor only that which is personal and private to the doctor. The disclosure by the pharmacist to the applicants information about a doctor or pharmacy would only take place with the doctor’s or pharmacist’s consent respectively. The information disclosed would not have the quality of confidentiality or privacy in relation to other patients. Thus, the first test in Coco v AN Clarke (Engineers) Ltd [1969] RPC 41 was not satisfied. The anonymisation of prescription information does not constitute misuse of confidential information and the subsequent disclosure of anonymous prescription information is not disclosure of confidential information: see Robb v Green [1895] 2 QB 1; [1895] 2 QB 315; Seager v Copydex Ltd [1967] 1 WLR 923; R v Brown (Gregory) [1996] AC 5433 Duncan v Medical Practitioner's Disciplinary Committee [1986] x NZLR 513 and X v Y [1988] 2 All ER 648. Detriment is necessary to ground a cause of action for breach of confidence. [Reference was made to Ashmore v Douglas-Home [1987] FSR 553 and Haarhaus & Co GmbH v Law Debenture Trust Corpn ple [1988] BCLC 640.]. Since the information disclosed to the applicants was anonymous doctor and pharmacy information, the disclosure could not possibly act to the patient’s detriment. The promulgation of the policy guidance by the Department of Health interfered with the applicants’ right to receive and impart information and was contrary to article 10 of the Convention for the Protection of Human Rights and Fundamental Freedoms (1953) (Cmd 8969) and/or the equivalent common law rights: see Sunday Times v United Kingdom (1979) 2 EHRR 245; Lingens v Austria (t986) 8 EHRR 407; Goodwin v United Kingdom (1996) 22 EHRR 123 and Derbyshire County Council v Times Newspapers Ltd [1993] AC 534- Mark Howard QC and Jemima Stratford for the Association of the British Pharmaceutical Industry. The judge and the Department of Health appear to have proceeded from the premise that once one identifies a relationship as giving rise to a duty of confidentiality, it must follow that the nature and scope of that duty is one not in any way to use or disclose the confidential information other than for specifically authorised purposes. Itis said that the process of anonymisation itself amounts to a misuse of confidential information because the patient has not authorised such use. That approach is fundamentally flawed. Identifying a relationship of confidentiality is only the first stage in the inquiry. The next stage is to identify the nature and scope of the duty owed in the circumstances, ie, to identify the interest of the confider that the law and public interest are seeking to protect: see Coco v AN Clarke (Engineers) Ltd [1969] RPC 41; W v Egdell [1990] Ch 359 and Smith Kline & French428 Rv Dept of Health, Ex p Source Informatics Ltd (CA) [2001] QB Laboratories (Australia) Ltd v Secretary to the Department of Community Services and Health [1990] FSR 617; (1991) 99 ALR 679. The interest of the patient which the law of confidence protects is limited: his interest is in the doctor and the pharmacist not disclosing his identity to third parties in relation to his treatment, since it is this disclosure which may inhibit him from seeking medical advice in the future. There was no breach if the information disclosed by the pharmacist to the applicants was incapable of identifying the patient or otherwise causing him harm. Nigel Pleming QC for the National Pharmaceutical Association Ltd. A person cannot be in breach of a duty of confidence owed to another by disclosure of information to which that other expressly or impliedly consents. The test of the consent is objective. There is no distinction between the duty of confidence placed on an agent by implied contract and that imposed on him by equity: see Lamb v Evans [1893] 1 Ch 218. The implied consent defence has been applied where the use of the information has benefited groups of patients: see Duncan v Medical Practitioner's Disciplinary Committee [r986] 1 NZLR 513; and X v Y [1988] 2 AIL ER 648. The public interest in the effectiveness of a system that supports and provides for all patients outweighs the public interest in the maintenance of confidentiality: see Gartside v Outram (1856) 26 LJCh 113; W v Egdell [1990] Ch 359 and Attorney General v Guardian Newspapers Ltd (No 2) [1990] 1 AC 109. [Reference was also made to Tournier v National Provincial and Union Bank of England [1924] 1 KB 461.] Lord Lester of Herne Hill QC and Helen Mountfield for the General Medical Council. Although the Data Protection Act 1998 and the Human Rights Act 1998 are not yet in force the court should have regard to the principles enshrined in them when declaring the common law because of the analogical force of the legislation: see R v Director of Public Prosecutions, Ex p Kebilene [2000] 2 AC 326. Domestic law must provide appropriate safeguards to prevent the disclosure of personal medical data which may be inconsistent with article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms (1953) (Cmd 8969) and may deter patients from disclosing personal information necessary for their treatment: see Z v Finland (1997) 25 EHRR 371. The Convention requires a fair balance to be struck between conflicting rights, so that any restriction must satisfy the requirement of legal certainty and be proportionate to the end desired: see Reynolds v Times Newspapers Ltd [t999] 3 WLR oro and Woolgar v Chief Constable of Sussex Police [1999] 3 All ER 604. The burden of proof rests on the claimant: see Matadeen v Pointu [1999] TAC 98. Council Directive 95/46/EC prescribes the minimum standards of protection for the individual’s right to personal privacy with respect to the processing of personal data. The provisions of the Directive may be relied on, even before the Data Protection Act 1998 comes into force, provided the conditions for direct effect established in Marshall v Southampton and South West Hampshire Area Health Authority (Teaching) (Case 152/84) [1986] QB 4or are satisfied. ‘The Directive applies to any information concerning an identifiable person but not to data rendered anonymous so that its subject. is no longer identifiable. If the information disclosed to a third party by the429 [2001] QB Rv Dept of Health, Ex p Source Informatics Ltd (CA) doctor or pharmacist is anonymous, there is no breach of the duty of confidence: McInery v MacDonald (1992) 93 DLR (4th) 415. For there to be effective consent sufficient information must have been given to the patient about the purpose and extent of the disclosure of confidential personal information: see Sidaway v Board of Governors of the Bethlehem Royal Hospital and the Maudsley Hospital [r985| AC 871. Consent may be signified by conduct: see O’Brien v Cunard SS Co (1891) 28 NE 266. The right to protection of doctor/patient confidences cannot be abridged or eroded by a public authority without good reason: see Dudgeon v United Kingdom (1981) 4 EHRR 149. Only informed and explicit patient consent will suffice for the disclosure of personal medical patient data: see Bowater v Rowley Regis Corpn [1944] KB 476; Burnett v British Waterways Board [1973] 1 WLR 700; Kirkham v Chief Constable of the Greater Manchester Police [1990] 2 QB 283; Morley v United Friendly Insurance ple [1993] WLR 996 and Sarch v Blackburn (1830) 4 C & P 297. Even if the applicants’ scheme would involve a breach of confidence under domestic law, it does not offend Council Directive 95/46/EC and so should be held compatible with domestic law. The policy guidance and/or any ruling by the court in support of it would violate article x0 of the Convention, there being no countervailing interest in privacy to protect under article 8. Domestic common law and the scope of Council Directive 95/46/EC itself should be determined so as to avoid such violation. Philip Havers QC for the Medical Research Council. Information about a patient is only confidential if the patient can be identified. No duty of confidence is owed in respect of information supplied in a form which is not capable of identifying the patient or any other person to whom the duty might be owed: see W v Egdell [1990] Ch 3593 Attorney General v Guardian Newspapers Ltd (No 2) [1990] 1 AC 109 and section 1(1) of the Data Protection Act 1998. Patients impliedly consent to the use of information provided by them for medical research in an anonymised form since without such information medical research would be gravely handicapped to the detriment of all patients. There is a strong public interest in the work carried out by the Medical Research Council which outweighs the public interest in the preservation and protection of confidences. Philip Sales and Jason Coppel for the Department of Health. Where information of a personal kind has been imparted in confidence the law will protect the confidence even where there is no contract between the confider and the confidant: sce Prince Albert v Strange (1849) 2 De G & Sm 652 and British Steel Corpn v Granada Television Ltd [1981] AC 1096. It is not a requirement for establishing breach of confidence that the immediate confidant or another person receiving the information actually disclosed the information to a third party. There would be an unauthorised use of the confidential information by a pharmacist if he manipulated it to anonymise it and supplied it to the applicants for financial gain. Unlawful misuse of confidential information was established, either because the reduced information which was by the pharmacist to Source remained to be treated as part of the confidential information supplied by patients, or because the very act of anonymisation of data by pharmacists constituted an unauthorised use of that data: see Coco v AN Clarke (Engineers) Ltd [1969] RPC 41.430 Rv Dept of Health, Ex p Source Informatics Ltd (CA) [2001] 98 Simon Brown LJ Where what is in issue is peculiarly private and personal information about the medical condition of a patient, it is not necessary for the patient to establish any specific harm or detriment arising out of the misuse of the information: see Atiorney General v Guardian Newspapers Ltd (No 2) [1990] 1 AC 109 and Hellewell v Chief Constable of Derbyshire [1995] t WLR 804. In any event, detriment may arise from misuse of the confidential information. A plaintiff may suffer no economic detriment but only hurt feelings and yet be entitled to relief: Pollard v Photographic Co (1888) 40 ChD 345. Itis the failure to treat confidences as sacrosanct which forms the basis of breach of confidence and not any detriment flowing from that failure: Norwich Pharmacal Co v Customs and Excise Comtrs [1974] AC 133. The common law ought in any event to be read consistently with Council Directive 95/46/EC, which, properly analysed, prohibited the anonymisation and transmission of patient information by pharmacists. Patient information constituted a special category of personal data within article 8 of the Directive, and manipulation of that data by pharmacists, and its onward sale to the applicants constituted processing within article 2(b). The processing, which was carried out without the consent of patients, was prima facie unlawful and did fall within any exception prescribed by the Directive. In particular, it was not necessary for medical purposes within article 8 or justified by the legitimate interests of the pharmacists or the applicants within article 7. The right to receive information in article 10 of the Human Rights Convention does not import a general right to have access to information which is not otherwise available: see Leander v Sweden (1987) 9 EHRR 433; Gaskin v United Kingdom (1989) 12 EHRR 36 and Guerra v Italy (1998) 26 EHRR 357. If there is an interference with the right to receive information it is justified as being for the protection of others: sce Jacubowski v Germany (1994) 19 EHRR 64 and Markt Intern and Beerman v Germany (1989) 12 EHRR 161. [Reference was also made to MS v Sweden (1997) 28 EHRR 313.] Cur adv vult 21 December. The following judgments were handed down. SIMON BROWN LJ 1 What duty of confidence is owed by pharmacists to patients to whom they dispense prescribed drugs? In particular, provided always that the patient’s anonymity is fully protected, does their duty of confidence to patients prevent pharmacists from using the material contained in the general practitioner’s prescription forms for whatever purposes they wish? That is the central issue raised on this appeal. The circumstances in which it arises are as follows. 2 The applicants (Source) are a United Kingdom subsidiary of an American company concerned for commercial reasons to obtain information as to doctors’ prescribing habits. Source then sell this information on to pharmaceutical companies so that they may more effectively market their products. 3. The information contained on the prescription form consists (in no particular order) of the doctor’s name, the patient’s name, the date of431 [2001] QB Rv Dept of Health, Ex p Source Informatics Ltd (CA) Simon Brown lJ prescription, the product prescribed and the quantity prescribed. Pharmacists, for their own purposes, enter this information onto their computer database together with details of the product dispensed (described specifically), and the date of dispensing. 4 Source have no interest in the patients’ names or identities but every interest in the rest of the information, in particular the general practitioner's names and the products they prescribe. To obtain this they need in practice the cooperation of both the prescribing doctors and the dispensing pharmacists, and this they used to secure (and hope again to secure) by modest payments: in the case of general practitioners, £15 toa charity of the doctor's choice; in the case of pharmacists, £150 per annum. For their part, the pharmacists download (normally weekly) the anonymised information (ie all the information save that which would identify the patient) by means of specially designed computer software and then pass it to Source for aggregation. Source thus create a database comprising information as to products prescribed by individual doctors in the United Kingdom. As Source’s evidence asserts: “The main aim of the database is to obtain knowledge of doctors’ prescribing habits and it will primarily be used by pharmaceutical companies to allow them to target more precisely promotions and communications regarding their products.” 5 _Isthere anything unlawful about such a process? In particular, does it involve a breach of the patient’s confidence? The Department of Health’s view, expressed in a policy document dated 24 July 1997, is that it does. ‘These proceedings challenge that view and seek declarations, first that it is erroneous in law, and second: “that disclosure by doctors or pharmacists to a third party of anonymous information, that is information from which the identity of patients may not be determined, does not constitute a breach of confidentiality.” 6 That application was dismissed by Latham J [1999] 4 All ER 185 on 28 May 1999 when, in a very full judgment he concluded, at p 192, that “what is proposed will result in a clear breach of confidence unless the patient gives consent, which is not part of the proposal at present” and, at p 197, that “the breach of confidence by the pharmacist is capable of providing the basis for a successful action”. Source now appeal with the leave of the judge below. 7 The whole of the policy document is set out in the judgment at first instance, I propose to quote only the most material parts, at p 187: “Anonymisation (with or without aggregation) does not, in our view, remove the duty of confidence towards the patients who are the subject of the data. Apart from the risk of identification of a patient despite anonymisation, the patient would not have entrusted the information to the general practitioner or pharmacist for it to be provided to the data company. The patient would not be aware of or have consented to the information being given to the data company, but would have given it to be used in connection with his care and treatment and wider NHS purposes. Anonymisation of the data (with or without aggregation) would not obviate a breach of confidence . . . The duty of confidence may in some circumstances be outweighed by the public interest in disclosure.432 Rv Dept of Health, Ex p Source Informatics Ltd (CA) [2001] QB Simon Brown lt) However, we have severe reservations that disclosure by general practitioners or NHS pharmacists of dispensing information to data companies would be argued to be in the public interest. Indeed, it might well be contrary to the public interest if the data company is further selling on the information on doctors’ prescribing habits to the pharmaceutical industry.” 8 Before coming to the central issue, let me deal briefly with three particular matters touched on in those quoted passages. First, “the risk of identification of a patient despite anonymisation”. The judge below, at P 196, noted Source’s recognition of “a remote risk that certain information of a rare kind might conceivably enable a patient to be identified”. Having accepted, however, that there was “no evidence before me, which sets out any rational basis for such concerns”, he decided the case on the footing that patients’ anonymity could be guaranteed. We too are asked to make that assumption and I would merely note that it will be for Source to satisfy all interested parties that there will be no risk of identification in practice. Source are confident of achieving this and have recently proposed certain refinements to their system to screen out any conceivably identifying information. 9 Second, “the patient would not. . . have consented to the information being given to the data company”. Although Source do not formally accept this contention, it is no part of their case that the patient’s consent to this proposal can be implied. Rather their case is that no such consent is required and, indeed, that the patient could advance no legal objection to the use proposed. Source similarly contend that they need no public interest to justify “disclosure by ... pharmacists” of (ex hypothesi anonymous) dispensing information to data companies. to Third, the contention that the business of data companies like Source might well be directly contrary to the public interest. The Department of Health have been entirely candid about their motives in publishing this guidance. To quote from Mr Sales’s main skeleton argument: “The interest of the Department (apart from an interest to ensure that NHS general practitioners and pharmacists are given a fair warning of legal risks which they might be running in participating in such a scheme) is to prevent the sort of targeted marketing which Source and its customers wish to employ, as the Department’s assessment is that such marketing would affect prescribing habits of general practitioners so as to add hugely (and unnecessarily) to the NHS drugs bill.” 11 The Association of the British Pharmaceutical Industry (“ABPI”), I should note, one of four parties who have been permitted to intervene in this appeal on stringent terms as to the length of oral argument and costs, take express exception to the Department’s public interest objection. They point out that “targeted marketing” is only marketing which, because of its focus, involves less waste than otherwise. If it increases the NHS drugs bill, that can only be because it acquaints prescribers with medicines which it is appropriate for them to prescribe for their patients, and of which they would otherwise be ill-informed. It is not, they contend, in the public interest that the prescribing of appropriate medicine should be arbitrarily limited by restricting the availability of accurate information to prescribers ot by433 [2001] QB Rv Dept of Health, Ex p Source Informatics Ltd (CA) Simon Brown making manufacturers resort to less efficient methods of providing that information. 12 This is not an issue which to my mind it is either possible or necessary for us to resolve. Whether or not such use of anonymised statistical data can be shown to be contrary to the public interest cannot decide whether or not it involves a breach of confidentiality. Indeed, I do not understand Mr Sales to contend otherwise. 13 I come then to the central issue: does a pharmacist breach his undoubted duty of confidentiality to a patient if, having duly dispensed the medicine prescribed, he then uses the prescription form as the means of selling anonymised information to Source? 14. The conventional starting point for considering the nature and scope of the duty of confidentiality is Megarry J's judgment in Coco v A N Clark (Engineers) Ltd [969] RPC 41, 47: “In my judgment, three elements are normally required if, apart from contract, a case of breach of confidence is to succeed. First, the information itself, in the words of Lord Greene MR in Saltman Engineering Co Ltd v Campbell Engineering Co Ltd (1948) 65 RPC 203, ars, must ‘have the necessary quality of confidence about it’. Secondly, that information must have been imparted in circumstances importing an obligation of confidence. Thirdly, there must be an unauthorised use of that information to the detriment of the party communicating it.” (On the next page of his judgment, however, Megarry J expressly kept open the possibility that “detriment” was not, after all, required.) 15 Put at their shortest, the points taken by Source on the appeal are, first that the information is confidential to the patient only if it can be identified with him: thus the information downloaded for Source is by definition not confidential; second, that even if (contrary to submission 1) the downloading to Source constitutes anonymisation of confidential information, that itself involves no misuse of the information: it is, indeed, the very antithesis to a breach of confidence. Third, in any event, detriment is required and, as the judge below accepted, here the patient suffers none. Latham J [1999] 4 All ER 185, 195 recognised that, “if anonymity is guaranteed, their [the patients’] privacy would not be invaded, and . . . the commercial value of their prescriptions would individually be infinitesimal” (the latter conclusion being repeated, at p 196). Having been referred, however, to X v Y [1988] 2 All ER 648 (a case to which I shall return), he accepted, at p 197, “that the breach of confidence in itself might carry with it sufficient detriment to justify the grant of a remedy”. 16 Mr Sales’s response, again put at its shortest, is that Source’s first argument is artificial. It is the information as a composite whole which is confidential because it identifies the patient as someone requiring treatment for his condition and that, as no one doubts, the pharmacist could not properly reveal: the patient is entitled to keep his ailments to himself. Soutce’s second argument—that to anonymise confidential information is not to misuse it—Mr Sales confronts head on. He submits that the confidential information is given to the pharmacist by the patient for the sole purpose of obtaining the prescribed drugs; any other use of it (or any part of it) for any other purpose, he argues, is unauthorised and, absent an express or implied consent or a justifying public interest, involves a breach of434 Rv Dept of Health, Ex p Source Informatics Ltd (CA) [2001] QB Simon Brown L} confidence. As for detriment, Mr Sales submits, first, that on true analysis of the law this is never a specific requirement; alternatively, second, that it is only sometimes so and certainly not in a case like this involving intimate information; alternatively, third, that patients in fact do suffer detriment: the confider’s feelings are hurt when his confidence is breached. The patient’s autonomy, he submits, must be respected. 17 Before I turn to what may be regarded as the mainstream principles governing the law of confidence, I would note first the striking paucity of authority on the central question at issue here, the anonymisation of confidential information and its subsequent use in anonymised form. Is this not perhaps, as Mr Beloff suggests, for the very good reason that objection could not sensibly be taken to such conduct? Two cases only are in point and, of these, the first is relevant only to the extent of a persuasive obiter dictum. The issue raised in W v Egdell [1990] Ch 359, 417 was identified by Bingham L]: “what is the scope of the duty of confidence owed toa restricted mental patient by a psychiatrist engaged by the patient to report on his mental health for purposes of his forthcoming application to a mental health review tribunal?” 18 The report being adverse, the patient refused the psychiatrist permission to disclose it ro the hospital. The psychiatrist was none the less so concerned at the danger the patient represented that he took it upon himself to disclose the report. The court held that the public interest in the circumstances outweighed the doctor’s duty of confidence to the plaintiff. Importantly for present purposes, Bingham L] said, at p 419: “Tt has never been doubted that the circumstances here were such as to impose on Dr Egdell a duty of confidence owed to W. He could not lawfully sell the contents of his report to a newspaper, as the judge held. . . Nor could he, without a breach of the law as well as professional etiquette, discuss the case in a learned article or in his memoirs or in gossiping with friends, unless he took appropriate steps to conceal the identity of W. It is not in issue here that a duty of confidence existed.” 19 Iris, submit Source, clearly implicit in that dictum that, provided only a confidant does take appropriate steps to conceal the confider’s identity, he may use the information entirely as he pleases. They might have added that a dictum from that source is worth many a ratio decidendi from another. 20 The other case directly concerning the use of anonymised information is X v Y {r988] 2 All ER 648, a decision of Rose J following a six-day witness action. The proceedings (and procedural history) were complicated but for present purposes the facts may be summarised as follows. The plaintiffs were a health authority, the second defendants the owners and publishers of a national newspaper, one of whose reporters was the first defendant. In clear breach of confidence, an employee of the plaintiffs supplied the first defendant with information obtained from hospital records which identified two doctors who were carrying on general practice despite having contracted AIDS. One of many issues arising before Rose J was whether the second defendants should be entitled to publish anA 435 (2001) QB Rv Dept of Health, Ex p Source Informatics Ltd (CA) Simon Brown LJ article based on that information provided that the individual doctors were not identified. Rose J said, at pp 657-658: “Counsel for the second defendants next submitted that, if the identities are not revealed, an injunction should not be granted even though the information has the necessary quality of confidentiality. There must (as is common ground) be a substantial, not trivial, violation of the plaintiffs’ rights to justify equitable relief . . . he submitted that there was no discernible detriment to the plaintiffs and detriment is essential . . . In my judgment detriment in the use of the information is not a necessary precondition to injunctive relief... In the present case, detriment occurred to the plaintiffs because patients’ records were leaked to the press in breach of contract and breach of confidence, with [certain adverse] consequences, even without publication, to the plaintiffs and the patients... If use were made of that information in such a way as to demonstrate to the public (by identifying the hospital) the source of the leak, the plaintiffs would suffer further detriment. But use of the information (as the defendants now seek) in a way which identifies neither the hospital nor the patients does not mean that the plaintiffs have suffered no detriment. Significant damage, about which the plaintiffs are entitled to complain, has already been done. This is also the answer to the additional submission of counsel for the first defendant that, though there was a breach of confidence in obtaining the information there is, on the evidence, none in publishing it, if the doctors are not identified. In my judgment it is, in the present case, the initial disclosure and its immediate consequences, not subsequent publication, which found the plaintiffs’ claim in breach of contract and breach of confidence.” 21 Rose J then turned to the issue of public interest in the freedom of the press, and said, at p 661: “Paraphrasing Templeman LJ in Schering Chemicals Ltd v Falkman Lid [1982] QB 1, the facts, in the most limited version now sought to be published, have already been made available and may again be made available if they are known otherwise than through the medium of the informer. The risk of identification is only one factor in assessing whether to permit the use of confidential information. In my judgment to allow publication in the recently suggested restricted form, would be to enable both defendants to procure breaches of confidence and then to make their own selection for publication. This would make a mockery of the law's protection of confidentiality when no justifying public interest has been shown. These are the considerations which guide me, whether my task is, properly described as a balancing exercise, or an exercise in judicial judgment, or both.” He refused permission for future publication of the information in any form. 22 On the present appeal, both sides seek to rely on that decision. To my mind, however, it ultimately assists neither of them. True, as Mr Sales points out, it defeats any contention that the publication of anonymised information will of itself necessarily in all circumstances preclude a claim for breach of confidence. But | am quite unable to accept his submission that the pharmacist’s position here is akin to that of the defendants there, both being under a duty of confidence to the patients in question. That is to overlook436 Rv Dept of Health, Ex p Source Informatics Ltd (CA) [2001] 98 Simon Brown LJ entirely the fact that in X v Y [1988] 2 All ER 648 the information came to the defendants in flagrant breach of confidence. Hardly surprising, submits Mr Beloff, that the judge was concerned to prohibit any further use of it as the fruit of the poisoned tree. In my judgment X v Y begs rather than answers the question raised on the present appeal. The position might perhaps be otherwise were it Source, not the pharmacists, who propose to anonymise the information. That, certainly, would make for a closer analogy with X v Y. Even then, however, I can envisage various arguments by which Source might seek to distinguish the two cases on their facts. 23 Both W v Egdell [1990] Ch 359 and X v Y [1988] 2 All ER 648, it will be noted, concerned (as does the present appeal) the duty of confidence owed in respect of personal information confided in the context of a professional relationship of trust. As Dr Francis Gurry points out in his monograph on Breach of Confidence (1984), this is the second of four main classes of information which traditionally have been protected, or whose use has been restricted, by the enforcement of confidences: trade secrets, personal confidences, government information, and artistic and literary confidences. As Dr Gurry explains, the notion of privacy lies close to the heart of the courts’ interest in securing personal confidences. I mention that at this stage because most of the authorities in this field appear to have been decided in respect of other classes of information and, as I shall suggest, that may have some significance. 24 [have already cited one passage from Megarry J’s judgment in the Coco case [1969] RPC 41. In turning to the other main authorities I propose to be highly selective in citation. I start with the Federal Court of Australia in Smith Kline & French Laboratories (Australia) Ltd v Secretary to the Department of Community Services and Health (1991) 99 ALR 679, 691- 692: “Megarry J has suggested a broad test to determine whether an obligation of confidence exists. In Coco v A N Clark (Engineers) Lid [1969] RPC 41, Megarry J said, at p 48: ‘It seems to me that if the circumstances are such that any reasonable man standing in the shoes of the recipient of the information would have realised that upon reasonable grounds the information was being given to him in confidence, then this should suffice to impose upon him the equitable obligation of confidence.’ “However, this test does not give guidance as to the scope of an obligation of confidentiality, where one exists, Sometimes the obligation imposes no restriction on use of the use [sic] of the information, as long as the confide does not reveal it to third parties. In other circumstances, the confide may not be entitled to use it except for some limited purpose. In considering these problems, and indeed the whole question, it is necessary not to lose sight of the basis of the obligation to respect confidences: ‘It lies in the notion of an obligation of conscience arising from the circumstances in or through which the information was communicated or obtained.’ This is quoted from Moorgate Tobacco Co Ltd v Philip Morris Lid (No 2) (1984) 156 CLR 414, 438, per Deane J, with whom the other members of the court agreed. A similar broad view has been taken in the United States: EI Dupont de Nemours Powder Co v Masland (1917) 244 US 102...437 [2001] QB Rv Dept of Health, Ex p Source Informatics Ltd (CA) Simon Brown LJ “Similar expressions recur in other cases: Seager v Copydex Lid [1967] RPC 349, 368: ‘The law on this subject... depends on the broad principle of equity that he who has received information in confidence shall not take unfair advantage of it.” “To avoid taking unfair advantage of information does not necessarily mean that the confidee must not use it except for the confider’s limited purpose, Whether one adopts the ‘reasonable man’ test suggested by Megarry J or some other, there can be no breach of the equitable obligation unless the court concludes that a confidence reposed has been abused, that unconscientious use has been made of the information . . . “We would add that, in our opinion, courts exercising equitable jurisdiction should not be too ready to import an equitable obligation of confidence in a marginal case. There is the distinction between use of confidential information in a way of which many people might disapprove, on the one hand, and illegal use on the other. Not only the administration of business and government, but ordinary communication between people, might be unduly obstructed by use of too narrow a test, such as that which the appellants put forward here.” 25 Many of those same citations had found their way into Bingham LJ’s judgment in the Court of Appeal in the Spycatcher case—Attorney General v Guardian Newspapers Ltd (No 2) [1990] 1 AC 109—in a passage setting out the relevant principles of law, later approved by the House of Lords. As to the duty of confidence generally, Bingham LJ said, at pp 215-216 : “The cases show that the duty of confidence does not depend on any contract, express or implied, between the parties. If it did, it would follow on ordinary principles that strangers to the contract would not be bound. But the duty ‘depends on the broad principle of equity that he who has received information in confidence shall not take unfair advantage of it’: Seager v Copydex Ltd [1967] t WLR 923, 931, per Lord Denning MR. ‘The jurisdiction is based not so much on property or on contract as on the duty to be of good faith’: Fraser v Evans [1969] 1 QB 349, 361, per Lord Denning MR. It accordingly ‘affects the conscience of the person who receives the information with knowledge that it has originally been communicated in confidence’: per Sir Nicolas Browne-Wilkinson V-C at the interlocutory stage of this case [1987] 1 WLR 1248, 1265. So it is appropriate that the enforceability of rights of confidence against third parties should be analysed in the traditional terms of equitable rights over property, as Sir Nicolas Browne- Wilkinson V-C did [1987] 1 WLR 1248, 1264D, and Nourse LJ did at an even earlier stage of this case Attorney General v Observer Ltd The Times, 26 July 1986; Court of Appeal (Civil Division) Transcript No 696 of 1986. The English law on this subject could not, I think, be more clearly or accurately stated than it was by the High Court of Australia in Moorgate Tobacco Co Ltd v Philip Morris Lid (No 2) (1984) 156 CLR 414, 437-438: ‘It is unnecessary, for the purposes of the present appeal, to attempt to define the precise scope of the equitable jurisdiction to grant relief against an actual or threatened abuse of confidential information not involving any tort or any breach of some express or implied contractual provision, some wider fiduciary duty or some copyright or trade mark right. A general equitable jurisdiction to grant438 Rv Dept of Health, Ex p Source Informatics Ltd (CA) [2001) QB Simon Brown LJ such relief has long been asserted and should, in my view, now be accepted: see Commonwealth of Australia v John Fairfax & Sons Ltd (1980) 147 CLR 39, 50-52. Like most heads of exclusive equitable jurisdiction, its rational basis does not lie in proprietary right. It lies in the notion of an obligation of conscience arising from the circumstances in or through which the information was communicated or obtained.’ ” 26 Of the speeches in the House of Lords I cite only the briefest passages, Lord Keith of Kinkel said, at p 255: “Most of the cases have arisen in circumstances where there has been a threatened or actual breach of confidence by an employee or ex-employee of the plaintiff, ot where information about the plaintiff’s business affairs has been given in confidence to someone who has proceeded to exploit it for his own benefit: an example of the latter type of case is Seager v Copydex Ltd [1967] 1 WLR 923. In such cases the detriment to the confider is clear. In other cases there may be no financial detriment to the confider, since the breach of confidence involves no more than an invasion of personal privacy. Thus in Duchess of Argyll v Duke of Argyll [967] Ch 302 an injunction was granted against the revelation of marital confidences. The right to personal privacy is clearly one which the law should in this field seek to protect.” 27 Lord Goff of Chieveley stated the broad general principle (non- definitively), at p 282: “that a duty of confidence arises when confidential information comes to the knowledge of a person (the confidant) in circumstances where he has notice, or is held to have agreed, that the information is confidential, with the effect that it would be just in all the circumstances that he should be precluded from disclosing the information to others.” 28 Then he referred to three limiting principles to which that broad general principle is subject, of which for present purposes only the first is relevant, at p 282: “The first limiting principle (which is rather an expression of the scope of the duty) is highly relevant to this appeal. It is that the principle of confidentiality only applies to information to the extent that it is confidential. In particular, once it has entered what is usually called the public domain (which means no more than that the information in question is so generally accessible thar, in all the circumstances, it cannot be regarded as confidential) then, as a general rule, the principle of confidentiality can have no application to it.” 29 Let me give two final quotations before finally coming to address the novel question raised on this appeal. First, a passage from Dr Gurry’s book Breach of Confidence, at p 258, relied on by Mr Sales: “The underlying notion of a confidence existing between the confider and the confidant has figured prominently in determining whether there has been a breach of an obligation. The courts have been less concerned with formal requirements, than with the practical effects of a confidant’s misconduct, and, where these are such as to represent a lack of good faith on the part of the confidant, he will be liable for breach of his duty439 {2001] QB Rv Dept of Health, Ex p Source Informatics Ltd (CA) Simon Brown L} of confidence. This general attitude of the courts is reflected in a number of ways which differentiate the nature of the protection provided for information by the breach of confidence action from that afforded by other types of protection for intellectual property. First, it seems that a confidant will be liable for breach of his duty if he misuses only part of the confidential information which has been disclosed to him, provided that the misuse relates to a material part of the information. In Amber Size and Chemical Co Ltd v Menzel [1913] 2 Ch 239 the defendant, while in the employ of the plaintiffs, acquired a knowledge of ‘very material portions’ of the plaintiffs’ secret process for the manufacture of size. After leaving the plaintiffs’ service, the defendant was employed by a competitor of the plaintiffs as size-maker. In this capacity, he attempted to reproduce the plaintiffs’ process, but was unsuccessful ‘owing to the lack of one small detail. Even though unable to reproduce the process in toto, the defendant was held liable for breach of duty, and an injunction was granted to restrain him from using ‘the whole or any material part’ of the process.” 30 This approach, I should note, is wholly consistent with a further principle of the law of confidence, the springboard principle as it has been called. As Megarry J put it in the Coco case [1969] RPC 41, 47: “where confidential information is communicated in circumstances of confidence the obligation thus created endures, perhaps in a modified form, even after all the information has been published or is ascertainable by the public; for the recipient must not use the communication as a spring-board”—reference being made to Seager v Copydex Ltd [1967] 1 WLR 923. 31 To my mind the one clear and consistent theme emerging from all these authorities is this: the confidant is placed under a duty of good faith to the confider and the touchstone by which to judge the scope of his duty and whether or not it has been fulfilled or breached is his own conscience, no more and no less. One asks, therefore, on the facts of this case: would a reasonable pharmacist’s conscience be troubled by the proposed use to be made of patients? prescriptions? Would he think that by entering Source’s scheme he was breaking his customers’ confidence, making unconscientious use of the information they provide? 32 In contending for the answer “Yes”, Mr Sales urges in particular these considerations. ‘The patient’s sole purpose in handing over the prescription is so that the pharmacist may dispense the drugs prescribed. That, therefore, is the only usc of it that is authorised. By anonymising the information the pharmacist does not cease to be under a duty of confidence with regard to it. Indeed the very act of anonymisation involves “manipulation” of the information and is itself objectionable. The only reason the pharmacist has something to sell is because the patient has handed over his prescription. Even when it is anonymised, it is still not in the public domain. To sell any part of it is to misuse it. 33. For my part I find these arguments not merely unconvincing but wholly unreal. True it is that even when stripped of anything capable of identifying the patient, the information which the pharmacist proposes to sell to Source is still not in “the public domain”. But whether or not that440 Rv Dept of Health, Ex p Source Informatics Ltd (CA) [2001] 98 Simon Brown LJ matters must surely depend upon the interest at stake. I referred earlier to the different classes of information identified by Dr Gurry as traditionally having attracted the law's protection. If, of course, government information is involved, then whether or not the information has entered the public domain may well prove decisive—as in the Spycatcher case [1990] 1 AC rog itself. If trade secrets (which clearly include intellectual property rights) are involved, then the position may be different—consider the final passage quoted above from Dr Gurry and the springboard principle. What then of a case like the present which involves personal confidences? What interest, one must ask, is the law here concerned to protect? 34 In my judgment the answer is plain. The concern of the law here is to protect the confider’s personal privacy. That and that alone is the right at issue in this case. The patient has no proprictorial claim to the prescription form or to the information it contains. Of course he can bestow or withhold his custom as he pleases—the pharmacist, note, has no such right: he is by law bound to dispense to whoever presents a prescription. But that gives the patient no property in the information and no right to control its use provided only and always that his privacy is not put at risk. I referred earlier to Mr Sales’s plea for respect for “the patient’s autonomy”. At first blush the submission is a beguiling one. My difficulty with it, however, is in understanding how the patient's autonomy is compromised by Source’s scheme. If, as I conclude, his only legitimate interest is in the protection of his privacy and, if that is safeguarded, | fail to see how his will could be thought thwarted or his personal integrity undermined. By the same token that, in a case concerning government information, “once it has entered . . . the public domain . . . the principle of confidentiality can have no application to it” (per Lord Goff in the Spycatcher case [1990] 1 AC 109, 282), so too in a case involving personal confidences I would hold by analogy that the confidence is not breached where the confider’s identity is protected. 35 This appeal concerns, as all agree, the application of a broad principle of equity. I propose its resolution on a similarly broad basis. I would not distinguish between Source’s first and second arguments and nor would I regard the case as turning on the question of detriment. Rather I would stand back from the many detailed arguments addressed to us and hold simply that pharmacists’ consciences ought not reasonably to be troubled by co-operation with Source’s proposed scheme. The patient's privacy will have been safeguarded, not invaded. The pharmacist’s duty of confidence will not have been breached. 36 I turn to deal altogether more briefly with the remaining issues debated before us. First, there is Council Directive (95/46/EC) on the protection of individuals with regard to the processing of personal data and ‘on the free movement of such data, which fell ro be implemented by 24 October 1998 and which the United Kingdom will finally implement on 1 March 2000 when the relevant provisions of the Data Protection Act 1998 come into force. Although all this postdates the Department of Health’s policy guidance and, indeed, attracted no consideration in the court below, we cannot, I fear, entirely ignore it. Council Directive (95/46/ EC) was first raised in these proceedings by Lord Lester on behalf of the General Medical Council (“GMC”), another intervening party. His441 [2001] 98 Rv Dept of Health, Ex p Source Informatics Ltd (CA) Simon Brown LJ argument (much over-simplified) is that, even if Source’s proposal would involve a breach of confidence under domestic law, it does not offend Council Directive (95/46/EC) and so should be held compatible also with domestic law, the latter being read down if necessary for the purpose. By a linked submission, he further argues that the policy guidance (and/or any ruling by the court in support of it) would violate article to of the Convention for the Protection of Human Rights and Fundamental Freedoms (1953)(Cmd 8969), there being on the facts no countervailing interest in privacy to protect under article 8, and that domestic common law and, indeed, the scope of the Council Directive (95/46/EC) itself (see the reference to the Human Rights Convention in recital 1) should accordingly be determined as he contends so as to avoid such violation. 37 These arguments encouraged Mr Sales to advance mirror submissions on behalf of the Department of Health, namely that even if Source’s proposal would not offend the common law (as 1 would hold) it should nevertheless be recognised to fall foul of Council Directive (9 5/46/ EC) (and eventually the 1998 Act ) so that domestic law ought accordingly to be read up for the purpose. 38 Let me put aside further complications such as whether or not Source are entitled to invoke the transitional provisions in article 32(2) of Council Directive (95/46/EC), and whether or not the Directive is directly effective pending its implementation, and turn to those of its articles upon which Mr Sales principally relies. 39 Article 2 (the definitions article) by paragraph (a) defines “personal data” as meaning “any information relating to an identified or identifiable natural person (‘data subject’)” and by paragraph (b) defines “processing of personal data (‘processing’)” as meaning: “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. . .” 4o Article 8.1 requires that: “Member states shall prohibit... the processing of data concerning health . . .” 41 Article 8.2(a) disapplies article 8.1 where: “the data subject has given his explicit consent to the processing of those data . . .” (a provision to which I shall briefly return later in this judgment). 42 Atticle 8.3, disapplies article 8.1: “where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional [which includes, all parties agree, a pharmacist] . 43 Mr Sales’s argument put at its simplest is that the proposed anonymisation of the information contained in a prescription form will— under the very wide definition of “processing” set out in article 2(b)— constitute the processing of data concerning the patient’s health, and that442 Rv Dept of Health, Ex p Source Informatics Ltd (CA) [2001198 Simon Brown LJ this is impermissible under article 8.1, such processing not being required for any of the stipulated purposes allowed for by article 8.3. 44 Lord Lester’s best answer to this submission (and he is joined in it by Source) is that Council Directive (95/46/EC) can have no more application to the operation of anonymising data than to the use or disclosure of anonymous data (which, of course, by definition is not “personal data” and to which, therefore, it is conceded that the Directive has no application). He points to the several recitals emphasising the right to privacy as the principal concern underlying this Directive, and he places great reliance on recital (26): “Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; whereas the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable; whereas codes of conduct within the meaning of article 27 may be a useful instrument for providing guidance as to the ways in which data may be rendered anonymous and retained in a form in which identification of the data subject is no longer possible . . .” 45 Although this is clearly not the appropriate occasion to attempt a definitive ruling on the scope of Council Directive (9 5/46/EC)—and still less of the impending legislation—I have to say that commonsense and justice alike would appear to favour the GMC’s contention. By the same token that the anonymisation of data is, in my judgment, unobjectionable here under domestic law, so too, I confidently suppose, would it be regarded by other member states. Of course the processing of health data requires special protection and no doubr the “erasure or destruction” of such data is included in the definition of processing for good reason: on occasion it could impair the patient’s own health requirements. It by no means follows, however, that the process envisaged here should be held to fall within the definition: on the contrary, recital (26) strongly suggests that it does not. 46 I pass to a very different area of the debate before us, the loosely linked issues of implied patient consent and the public interest. 47 Let me at this stage briefly explain the presence of the four intervening parties. Two of them—ABPI (who represent the interests of manufacturers of prescription-only medicines) and the National Pharmaceutical Association Ltd (“NPA”) (who represent most of Britain’s community pharmacists)—applied to intervene at an oral hearing in September. Both suggested that the judgment below had given rise to general confusion and uncertainty and expressed their differing concerns as to its impact upon a whole range of activities. ABPI suggested that: “the collection and use of much if not all of this anonymised data will be prohibited or severely inhibited due to great uncertainty as to its legality The decision has generated enormous uncertainty in relation to the collection of prescription and related medical data, and has resulted in the suspension of a number of long-standing databases (some in use for over thirty years) used by the members of the ABPI.” They further referred to the443 [2001] Q8 Rv Dept of Health, Ex p Source Informatics Ltd (CA) Simon Brown LJ “profound implications of the decision for the whole of the pharmaceutical industry (branded and generic) in terms of not only marketing, but also medical research, fulfilment of regulatory obligations, collection of government statistics, coping with fluctuations in supply and demand, and dealing with adverse event monitoring and product withdrawals.” 48 NPA too contended that various uses of data were affected by the judgment, including the use by pharmacists of computerised patient records for patients’ safety purposes, for creating drug product usage information, for stock management purposes, and to assist in the development of information technology systems. 49 Subsequently both the GMC and the Medical Research Council (“MRC”) joined in the appeal without objection from any other party to voice their own particular concerns. The GMC, of course, has a statutory role in setting and enforcing ethical standards for the medical profession. The MRC is the UK’s main funder of basic and applied bio-medical research and training, a vital part of whose work involves the use of anonymous patient information. 50. In the event, taking the favourable view we do of Source’s central argument, it has not proved necessary to explore the inteveners’ separate interests in any depth. I should, however, make just three points. 1 First, Lord Lester's arguments on implied consent, opposed though they were not merely by the Department of Health but also by the NPA and the MRC, to my mind appeared compelling. So far from patients being taken to have impliedly consented to such uses of the information they provide as are commonly accepted to be in the public interest, this is, submits Lord Lester, to conflate the issue of effective consent (which modifies the duty of confidence) with that of the public interest (which overrides the duty). The reference (noted above) in article 8.2(a) of Council Directive (95/46/EC) to the “data subject [giving] his explicit consent” strongly supports this thesis. In addition, Lord Lester’s approach overcomes such problems as the well recognised reluctance of certain people to accept the views of those in authority as to just what is or is not good for them, and, let us postulate, the occasional patient who expressly purports to refuse permission for his prescription form to be used for any purpose save only the dispensing of the prescribed drug. Given, however, the Department of Health’s submission that in any event, whenever patient consent could arguably be implied, so too could the public interest be invoked to the same end, it seemed pointless to carry the debate very far. 52 Second, the Department of Health submits that various of the uses to which patient information is put are not in fact capable of being justified by reference either to implied consent or to the public interest. To illustrate this by a single example, the Department of Health suggests that stock- management could be undertaken using conventional stock-control means (ie monitoring quantities ordered and comparing this with the quantities remaining in the dispensary at any given time) rather than by using patient information. Given the conclusion already reached on the central point, this argument, of course, fails in limine: no breach of confidence is involved in pharmacists using the information contained in prescription forms for their own stock-keeping purposes; the patient’s privacy is thereby neither invaded444 Rv Dept of Health, Ex p Source Informatics Ltd (CA) [2001] QB Simon Brown LJ nor imperilled. Nevertheless, recognising, as one must, the importance of confining any public interest defence in this area of the law within strict limits—lest, as Gummow J put it at first instance in Smith Kline and French Laboratories (Australia) Ltd v Department of Community Services and Health [1990] FSR 67, 663; it becomes “not so much a rule of law as an invitation to judicial idiosyncracy by deciding each case on an ad hoc basis as to whether, on the facts overall, it is better to respect or to override the obligation of confidence’—the Department of Health’s stance on a use so innocuous as stock-keeping strongly reinforces the view that the equitable obligation of confidence ought not to be drawn too widely in the first place— see the final paragraph cited above from the judgment in the Smith Kline case, 99 ALR 679 on appeal. 53 Third, itis clear on the information before us that for certain limited purposes patient information is used in identifiable rather than anonymised form. As the Department of Health states, “thorough research and management depend in part upon the possibility of others checking that anonymised and aggregated information does correspond to the real world, by audit procedures which must inevitably involve checking identifiable cases."For present purposes, I say no more than that, provided, as I understand to be the case, the use of such identifiable data is very strictly controlled, there appears no reason to doubt that this is acceptable— whether because it falls within the public interest defence or as is perhaps the preferable view, because the scope of the duty of confidentiality is circumscribed to accommodate it, it is not necessary to decide on this appeal. 54 Long though this judgment is, I am conscious of the many subtle arguments from one quarter or another of which it takes no express notice whatever. That perhaps is inevitable in a case which has expanded as widely as this one was permitted to do. At the end of it all, however, the conclusion Treach can be succinctly stated. Participation in Source’s scheme by doctors and pharmacists would not, in my judgment, expose them to any serious risk of successful breach of confidence proceedings by a patient (any more than were a prescribing doctor, asked by a manufacturer’s representative what medicine he ordinarily prescribes for a given condition, to answer candidly on the basis of his current practice). If the Department of Health continue to view such schemes as operating against the public interest, then they must take further powers in this already heavily regulated area to control or limit their effect. The law of confidence cannot be distorted for the purpose. 55 I would accordingly allow this appeal and let our judgments stand as the court’s declaration in the matter. ALDOUSLJ agree. SCHIEMANN LJ I also agree with the judgment delivered by Simon Brown LJ. Appeal allowed with costs in Court of Appeal and below. Leave to appeal refused. Solicitors: Clifford Chance; Cameron McKenna; Freshfields; Field Fisher Waterhouse; Treasury Solicitor; Solicitor to the Department of Health. MF