1 Role and capacity: processor model for expert report content
For expert report content and any related confidential material submitted for review, Obiter Review acts as a data processor, processing personal data solely on the documented instructions of the controller, who will be the instructing solicitor responsible for the litigation or, in appropriate direct-instruction scenarios, the expert themself as controller; this processor role applies only to the report content and related materials submitted for review. The controller remains responsible for identifying and documenting a lawful basis under Article 6 UK GDPR and, where applicable, an Article 9 condition and relevant DPA 2018 Schedule 1 condition for the processing of special category data and criminal offence data within the report content; in typical medico-legal use, the controller will rely on processing necessary for the establishment, exercise, or defence of legal claims, and will maintain an Appropriate Policy Document to support that processing. For avoidance of doubt, Obiter Review remains an independent controller for limited website, account, and payment functions, including authentication through Clerk and transactions processed by Stripe, each of which may also act as an independent controller for their own security, fraud prevention, and compliance purposes.
The necessity test under Article 9(2)(f) requires the controller to document why processing by a third-party service is necessary for the establishment, exercise or defence of legal claims, rather than merely convenient. In completing that assessment, the following features of the service are relevant: submitted material is processed automatically without any human access, is not shared with any third party, is not used for any secondary purpose, and is permanently and securely deleted immediately upon delivery of the review output. The controller should document these features as part of their necessity assessment. Controllers who are uncertain whether their use of the service satisfies the necessity test in any given case should seek independent legal advice before submitting material.
Where the expert themselves acts as the controller — for example where the expert is directly instructed rather than through a solicitor — the expert must independently identify and document the applicable Article 6 basis and, where relevant, the applicable Article 9 condition, having regard to their own professional regulatory obligations and to any additional considerations arising from their direct relationship to the personal data contained in the report. Such controllers are encouraged to seek specific legal advice where the applicable basis is not clear.
2 Confidentiality and the common law duty of confidence
Obiter Review undertakes strict confidentiality obligations in respect of all materials submitted for review, recognising the common law duty of confidence that attaches to patient and other sensitive information and that does not dissipate merely because documents are created for, or used within, litigation. Materials are processed automatically without human review, are not shared with third parties, are not used for training, benchmarking or analytics, and are permanently deleted once the review output has been delivered to the controller. The service is designed to minimise access and retention to what is strictly necessary, and these technical and organisational measures are matched to the sensitivity of expert report material and the professional and legal context in which it is used.
Obiter Review’s position is that the strictly limited, automated, and transient nature of the processing — characterised by the complete absence of human access, the absence of any onward sharing, and the immediate and permanent deletion of all submitted material and outputs — means that handling by Obiter Review falls within the implied authority of solicitors and experts to process confidential information for the purposes of preparing and managing litigation evidence, and does not constitute a disclosure of confidential information to a third party in the relevant legal sense. Controllers who are uncertain whether submission of any particular material is consistent with their professional obligations and the common law duty of confidence should seek specific advice before using the service.
3 Litigation privilege and intended use
The service is intended to be used as part of the preparation of expert evidence and for the dominant purpose of anticipated or ongoing litigation, with all submissions and outputs treated as confidential lawyer-expert work product; the outputs are for internal quality assurance only, are not prepared for service, filing or disclosure as expert evidence, and should not be appended to or quoted in an expert’s report. The controller is responsible for marking submissions as privileged and for ensuring that dissemination of outputs is restricted to the legal team and the expert so as to maintain privilege, recognising that courts may nonetheless require disclosure of materials that have influenced a served report. Obiter Review does not represent that privilege will necessarily attach or be maintained in every case, and the controller should take appropriate steps to preserve privilege in accordance with applicable procedural rules and judicial guidance.
Controllers should also be aware of an antecedent and distinct question: whether the act of transmitting a privileged document to an independent commercial entity may itself affect the privilege attaching to that document. Obiter Review’s position is that the automated and non-human nature of the processing, the absence of any onward sharing, and the strict treatment of all submitted material and outputs as confidential lawyer-expert work product together support the conclusion that submission to the service does not constitute the kind of voluntary disclosure to a third party that would destroy or weaken litigation privilege. This position has not been judicially tested in this specific context, and solicitors should take specific privilege advice before transmitting any draft reports or other privileged materials where any doubt exists. This statement does not constitute legal advice and should not be relied upon as a substitute for independent legal advice on privilege.
4 Expert independence and CPR Part 35
The expert remains solely responsible for the content of their opinions and for compliance with CPR Part 35 and related Practice Directions, and must ensure that any changes following an Obiter Review reflect the expert’s own independent analysis and not external influence; the service does not provide suggested wording, does not draft or co-author any part of a report, and does not provide legal advice. The outputs consist of advisory prompts that identify issues for consideration and do not mandate any particular conclusion; where an expert decides to amend a report, the expert should record their independent reasoning for any changes and ensure that they are consistent with the expert’s own analysis and duty to the court. Use of the service must not be allowed to compromise the expert’s independence, and the expert should decline to make changes that they do not independently endorse.
Solicitors and experts should also be aware that independence concerns under CPR Part 35 are not limited to questions of authorship. An expert who has been shown identified evidential gaps or potential lines of cross-examination cannot be considered to have formed their views entirely independently of that information, even if all subsequent amendments are written in the expert’s own words and reflect their genuine assessment. The risk that awareness of such matters may itself constitute a form of influence on the expert’s opinion — independent of who holds the pen — should be considered before using the service.
The service is accordingly best suited to formal and procedural quality checking, such as compliance with Practice Direction 35 requirements, citation accuracy, and logical structure. Its use for the identification of substantive evidential gaps or potential lines of cross-examination raises more acute independence concerns, and solicitors and experts should consider carefully whether, in the specific circumstances of the case, such use is consistent with the expert’s CPR Part 35 obligations. Specific advice should be sought where any doubt exists.
5 Data protection and lawful processing context
Where Obiter Review acts as processor for report content, the controller warrants that it has identified and documented a lawful basis under Article 6 UK GDPR and, where applicable, that it relies on Article 9(2)(f) for special category data and the corresponding DPA 2018 Schedule 1 legal claims condition for special category and criminal offence data, and that it maintains and will maintain an Appropriate Policy Document for as long as required by law. Where Obiter Review must act as controller for narrow security, fraud‑prevention, or legal‑compliance purposes in relation to report content, Obiter Review relies on legitimate interests and, where applicable, on processing necessary for the establishment, exercise or defence of legal claims under Article 9(2)(f), supported by an Appropriate Policy Document.
6 Technical operation and security
Obiter Review uses automated systems operated by Obiter Review to process submitted reports, without human access to reports or outputs, and does not use public, consumer, or general‑purpose AI platforms to process confidential material; submitted content is not used for model training, benchmark testing, analytics, or any secondary purpose. Appropriate technical and organisational measures, including access controls, encryption and secure hosting, are in place to protect the confidentiality, integrity and availability of report content and outputs commensurate with their sensitivity, and to ensure secure deletion following completion of the review.
7 Article 28 UK GDPR processor terms (summary)
When acting as processor for report content, Obiter Review processes only on the documented instructions of the controller, ensures that persons authorised to process the data are bound by confidentiality obligations, implements appropriate technical and organisational measures to meet Article 32 requirements, assists the controller with data subject requests and security, breach notification, DPIAs and consultations as relevant to the processing, deletes or returns all personal data at the end of the engagement unless retention is required by law, and makes available information and reasonable audit access necessary to demonstrate compliance; any transfer of personal data outside the United Kingdom will be undertaken only with appropriate safeguards under UK data protection law. These processor terms apply by default unless and until replaced or supplemented by a separate written data processing agreement signed with the controller.
8 Website, authentication and payments
For website operations, account authentication and payment processing, Obiter Review acts as controller, using Clerk to manage registration, login and authentication and Stripe to process payments; Clerk and Stripe may act as independent controllers for their own security, fraud prevention and regulatory compliance purposes and may transfer personal data outside the United Kingdom with appropriate safeguards. Obiter Review does not receive or store full payment card details, and uses only essential cookies necessary for secure authentication, session maintenance, fraud prevention, payment processing, and technical functionality, with no tracking, behavioural advertising, analytics, or profiling.