High Court rules on data protection and privacy rights in YSL v Surrey NHS Trust case

Citation: [2024] EWHC 391 (KB)
Judgment on


In the case of YSL v Surrey and Borders Partnership NHS Foundation Trust, the High Court of Justice focused on matters concerning data protection, the Human Rights Act 1998, the right to privacy under Article 8 of the European Convention on Human Rights (ECHR), and the principles governing the retention and processing of personal data. Mr Justice Julian Knowles methodically addressed each element of the claimant’s case against the defendant NHS trust and applied well-established legal principles to reach a verdict.

Key Facts

The claimant, YSL, brought an action alleging unlawful processing, retention, and inaccuracy of his patient records by the defendant NHS trust. YSL contended that his medical records, including sensitive information about his mental health and an autism assessment, should not have been disclosed to third parties without consent or knowledge, and that such records should be erased in accordance with data protection legislation. He also objected to the 20-year retention policy for his medical records, which he asserted was disproportionate and continued to cause distress. YSL advanced these complaints under a variety of legal umbrellas, including the Data Protection Act 1998 (DPA 1998), the Data Protection Act 2018 (DPA 2018), the General Data Protection Regulation (EU GDPR and UK GDPR), as well as the common law and Article 8 ECHR.

The legal principles applied in this case included:

  1. Abuse of Process: The defendant argued for the claim’s dismissal on grounds that it was an abuse of process, being precluded by a prior compromise agreement reached in 2016 that settled all claims related to data disclosures by CAMHS staff, including those regarding the claimant’s autism diagnosis.

  2. Proportionality and Necessity under Data Protection Law: The court examined whether the processes described respect the conditions set out in the EU and UK GDPRs for the lawful processing of personal data, specifically data related to health conditions including mental health.

  3. Proportionality under Article 8 ECHR: The court analyzed the necessity and proportionality of the defendant’s data retention policy under Article 8 ECHR, considering the “legitimate aim” pursued, whether the measures applied are “rationally connected to the objective,” and if a “less intrusive” measure could have been used. The court also assessed the proportionality of retaining sensitive medical data in relation to the right to respect for private life.

  4. Open Justice Principle: YSL’s request for a private judgment hand-down and restricted access to the judgment was rejected based on the principle of open justice, which dictates that legal proceedings and judgments should generally be accessible to the public to maintain transparency and accountability.


The court concluded that:

  1. Parts of YSL’s claim relating to unlawful disclosure were barred by the 2016 compromise agreement, and thus were struck out as an abuse of process.

  2. The retention and processing of YSL’s patient records were found to be lawful under both the DPA 1998 and the EU/UK GDPR, justified by the principles that permit health data processing for the provision of medical services and as protection against legal claims.

  3. The 20-year retention policy set out in the NHSX Code was determined to be proportionate and necessary, abiding by the data protection legislation’s principles for health or social care purposes.

  4. The claim for inaccuracy was dismissed as the matters in question pertained to clinical opinion, which falls outside the scope of the data accuracy principle articulated in the UK GDPR.

  5. YSL’s application for the judgment to be delivered in private, to restrict its access, and for any potential modification to the anonymity order was denied, affirming the principle of open justice.


The High Court of Justice in YSL v Surrey and Borders Partnership NHS Foundation Trust rendered a decision that upholds the integrity of existing data protection laws and the established principles concerning the public’s interest in the retention and processing of medical records. The ruling reaffirmed the necessary balance between individual rights to privacy under Article 8 ECHR and society’s broader interests in maintaining a viable public health framework. Furthermore, it emphasized the enduring relevance of the open justice principle in safeguarding the transparent administration of law.