Privacy Notice
1 Introduction
Obiter Review is committed to protecting the privacy and confidentiality of personal data processed in connection with this website and our services; this Privacy Notice explains our roles, how we handle personal data, and how we support the responsibilities of controllers who use our service for expert reports prepared for litigation. This Notice is intended to comply with UK data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It also reflects the common law duty of confidence applicable to confidential material submitted for review.
2 Who we are and how to contact us
Obiter Review Limited (company number 16934191) is established in England and Wales with its registered office at Flat 7, 73 St James’s Street, London SW1A 1PH; you may contact us at [email protected] in relation to this Notice or our handling of personal data.
3 Our roles: controller for website and payments; processor for expert report content
We act as data controller for personal data processed in connection with website operation, account management and payment processing, including our use of Clerk for authentication and Stripe for payment processing; Clerk and Stripe may also act as independent controllers for their own security, fraud prevention and compliance purposes. For expert report content and any associated materials submitted for review, we act as data processor, processing personal data solely on the documented instructions of the controller; this processor role applies only to report content and related materials.
4 Categories of personal data we handle
For website and account functions, we process contact details provided during enquiries and registration, basic technical information such as IP addresses for secure access, and payment‑related identifiers as needed for transactions; we do not use tracking‑based advertising. For report content processed as processor, the controller may submit material that includes personal data relevant to the litigation, which may include special category data such as health information and, where applicable, criminal offence data; we process only what is supplied by or on behalf of the controller and only for the purpose of producing the requested review output.
5 Purposes and lawful bases
5.1 Website, account and payments (controller)
We process personal data as controller to provide secure authentication and account access, to maintain account security and detect or prevent unauthorised access or fraud, and to process payments; for these purposes, we rely on the performance of a contract and our legitimate interests, and for payments we also rely on compliance with legal obligations, with Clerk and Stripe acting as our processors for core functions and as independent controllers where required for their own compliance.
5.2 Expert report content: lawful basis guidance for controllers
For report content, we act strictly on the controller’s documented instructions and process personal data solely for the purpose of generating the requested review output, with no secondary use; the controller is responsible for identifying and documenting an Article 6 lawful basis and, where applicable, an Article 9 condition and DPA 2018 Schedule 1 condition for any special category or criminal offence data contained in the report content. In typical litigation workflows, the controller will rely on processing necessary for the establishment, exercise or defence of legal claims under Article 9(2)(f), together with the corresponding DPA 2018 Schedule 1 legal claims condition, and will maintain an Appropriate Policy Document; where the controller relies on legitimate interests under Article 6(1)(f), the controller will have undertaken a balancing assessment.
Controllers should be aware that satisfying the necessity test under Article 9(2)(f) requires more than demonstrating that the processing is convenient or useful: the controller must be able to document why processing by a third-party service is necessary — rather than merely helpful — for the establishment, exercise or defence of legal claims. In completing that assessment, the following features of the service are directly relevant: submitted material is processed automatically without any human access, is not shared with any third party, is not used for any secondary purpose, and is permanently and securely deleted immediately upon delivery of the review output. Controllers should document these features as part of their necessity assessment. Controllers who are uncertain whether their use of the service satisfies the necessity test in any given case should seek independent legal advice before submitting material.
Where the expert themselves acts as the controller — for example where the expert is directly instructed rather than acting under a solicitor’s instruction — the lawful basis analysis may differ from that applicable to a solicitor-controller. In such cases, the expert must independently identify and document the applicable Article 6 basis and, where relevant, the applicable Article 9 condition, having regard to their own professional regulatory obligations and to any additional considerations arising from their direct relationship to the personal data contained in the report. Experts acting as controllers in this position should seek specific legal advice if the applicable basis is not clear.
6 How we process expert report content
Submitted expert reports and associated materials are handled as confidential and are processed automatically using systems owned and operated by Obiter Review; reports and outputs are not accessed by our personnel, are not used for training, analysis, benchmarking, or service development, and are not shared with third parties. Processing is carried out solely for the purpose of generating the requested review output. Confidential material is retained only for the period necessary to complete the review and deliver the output; following completion, submitted material and generated outputs are securely and permanently deleted and no retained archive is maintained.
7 Confidentiality, litigation privilege, and usage guidance
7.1 Common law duty of confidence
We recognise the common law duty of confidence attaching to confidential material submitted for review. That duty attaches to patient and other sensitive information and does not dissipate merely because documents are created for, or used within, litigation.
Solicitors and experts who submit confidential material to this service do so within the framework of their existing professional and legal authority to handle such material for the purposes of preparing expert evidence. Obiter Review’s position is that the strictly limited, automated, and transient nature of the processing — characterised by the complete absence of human access to submitted material, the absence of any onward sharing, and the immediate and permanent deletion of all submitted content and outputs following completion of the review — means that handling by Obiter Review falls within the implied authority of solicitors and experts to process confidential information in the preparation and management of litigation evidence, and does not constitute a disclosure of confidential information to a third party in the relevant legal sense. Controllers should nonetheless consider the nature of the confidential material being submitted and, if uncertain whether submission is consistent with their professional obligations and the common law duty of confidence in any particular case, should seek specific advice before using the service.
7.2 Litigation privilege: the act of submission and the risk of disclosure of outputs
The service is intended to be used under solicitor instruction for the dominant purpose of anticipated or ongoing litigation, and submissions and outputs should be treated as confidential lawyer-expert work product. We recommend that controllers mark submissions as privileged and restrict dissemination of outputs to the legal team and the expert; while our design reduces access and retention, courts may require disclosure of materials that have influenced a served expert report. Our Disclaimer explains that outputs are for internal quality assurance and are not prepared for service, filing or disclosure as expert evidence.
Controllers should also be aware of an antecedent and distinct question: whether the act of transmitting a privileged document to an independent commercial entity may itself affect the privilege attaching to that document, whether by amounting to a voluntary disclosure to a third party or otherwise. Obiter Review’s position is that the automated and non-human nature of the processing, the complete absence of any onward sharing, and the strict treatment of all submitted material as confidential lawyer-expert work product together support the conclusion that submission to the service does not constitute the kind of voluntary disclosure to a third party that would destroy or weaken litigation privilege. This position has not been judicially tested in this specific context. Solicitors should take specific privilege advice before transmitting any draft reports or other privileged materials where any doubt exists, and should not rely on this statement as a substitute for independent legal advice.
8 Expert independence and CPR Part 35
Use of the service must preserve the expert’s independence under CPR Part 35; our outputs provide prompts for consideration and do not include suggested wording or co-authorship, and the expert remains solely responsible for the content of their report and for ensuring that any amendments reflect their independent analysis and duty to the court. The expert should record their own reasons for any substantive changes and decline to adopt any change that they do not independently endorse, to guard against arguments of coaching or improper influence.
Solicitors and experts should be aware, however, that independence concerns under CPR Part 35 are not limited to questions of authorship. An expert who has been shown identified evidential gaps or potential lines of cross-examination cannot be considered to have formed their views entirely independently of that information, even if all subsequent amendments are written in the expert’s own words and reflect their genuine assessment. The risk that awareness of such matters may itself constitute a form of influence on the expert’s opinion — independent of who holds the pen — should be considered before using the service.
The service is accordingly best suited to formal and procedural quality checking, such as compliance with Practice Direction 35 requirements, citation accuracy, and logical structure; its use for the identification of substantive evidential gaps or potential lines of cross-examination raises more acute independence concerns and, in such cases, solicitors and experts should consider carefully whether use of the service for those purposes is consistent with the expert’s CPR Part 35 obligations in the specific circumstances of the case. Specific advice should be sought where any doubt exists.
9 Data retention
Enquiry‑related correspondence is retained for a limited period and then securely deleted; account information is retained for as long as an account remains active and for a limited period thereafter where necessary for security or legal purposes; payment records are retained as required for accounting and tax purposes in accordance with UK legal requirements. Confidential report material and review outputs are deleted following completion of the review as described above.
10 Data security
We maintain appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration or loss, including access controls, encryption and secure hosting; these measures reflect the need to ensure confidentiality, integrity and availability of data, the sensitive nature of expert report material, and the professional and legal context in which the service operates.
11 Cookies
This website uses only essential cookies and similar technologies that are strictly necessary for the secure operation of the service, including to enable secure authentication and account access, maintain login sessions, protect against unauthorised access and fraudulent activity, process payments securely, and ensure the technical functionality and security of the website; we do not use cookies for tracking across other websites, behavioural advertising, marketing profiles, analytics, or performance measurement.