The high profile multi-million pound claims brought by Mark Holyoake against property moguls Nick and Chris Candy (and connected companies) have attracted a lot of media attention. The dispute between the parties related to a loan advanced by CPC Group Limited, a company connected to Nick Candy, to Mr Holyoake to fund the purchase of a mansion house. Behind the headline grabbing claims of misrepresentation, undue influence, intimidation and extortion, the Candy brothers cases also included claims for breaches of data protection legislation.

Warby J's decision in January 2017 in respect of Mr Holyoake's application for an order for compliance with a subject access request under the Data Protection Act 1998 ("DPA") was welcomed by data controllers, due to the High Court reaffirming that a data controller's implied obligation is limited to undertaking a search that is "reasonable and proportionate". In addition, Warby J upheld Mr Candy's application of the legal professional privilege exemption to certain documents that had been requested by Mr Holyoake.

Please click here in order to see a full copy of the High Court's judgment in this case.

The High Court's most recent decision in the Candy brothers litigation was handed down on 21 December 2017 in the case of Holyoake & Hotblack v Candy & Candy & others [2017] EWHC 3397 (Ch). Amongst the various claims considered in his 193 page judgment, Mr Justice Nugee also addressed two alleged breaches of the DPA.

The first breach considered was closely connected to the DPA proceedings detailed above.

CPC had hired a private investigator to establish whether Mr Holyoake had any criminal convictions. In the earlier proceedings, Warby J had concluded that the information (the fact that Mr Holyoake did not have any previous criminal convictions) had been properly obtained from a publicly available source and not from unlawful access to the Police National Computer as had been alleged. Nugee J refused to reconsider this point and accordingly, could not see "anything unfair or unlawful in CPC discovering that Mr Holyoake had no unspent convictions".

The second alleged breach considered by Nugee J is more significant. Mr Holyoake had secured a senior loan from Investec to partially finance the purchase of a mansion house. When CPC subsequently advanced a loan to Mr Holyoake to fund the same purchase, Mr Holyoake was adamant that this should not be disclosed to Investec. Mr Candy put pressure on Mr Holyoake to disclose the existence of the CPC loan to Investec by what Nugee J described as a "series of lies" about a potential transaction with Investec. Whilst there was a lack of evidence as to whether Mr Candy did disclose the fact that CPC had advanced a loan to Mr Holyoake to Investec, the lawyer for the Candy brothers accepted that he did. Accordingly, Nugee J was obliged to rule on the data protection point.

Mr Holyoake claimed that this disclosure amounted to unlawful data processing and, specifically, a breach of the duty in s 4(4) of the DPA on a data controller to comply with the data protection principles. Whilst the High Court accepted that there will have been data (i.e. an electronic record) held by CPC relating to the loan which amounted to "personal data", Nugee J grappled with the question as to whether Mr Candy's disclosure of the existence of the loan (which was "information in his own head" and "not derived from the records") amounted to CPC processing this information. Nugee J concluded that it did not on the basis that "the purpose of the Act is to regulate what a data controller does with information stored in a relevant record", rather than information in a person's own head.

In an obiter comment Nugee J further stated that, if he is wrong on this point, Mr Candy's disclosure would have fallen within para 6(1) of sch 2 as being necessary for the purposes of legitimate interests pursed by the data controller. However, it would appear that Nugee J has misunderstood the application of para 6(1) as it does not provide an exemption for processing data but is instead one of several legitimate reasons for processing personal data, which must be accompanied by a second requirement; the data controller should also provide specific information to the data subject, usually in the form of a privacy policy, detailing the processing to be undertaken. Only if both of these are present has the processing been conducted fairly for the purposes of the first data protection principle.

Nugee J expressed a clear lack of confidence in deciding this issue and the case certainly raises questions as to the extent to which personal data that data controllers can remember (independently of any existing records storing that information) is protected by data protection legislation. It therefore seems likely that this issue will be reviewed in future litigation.