Out-Law News 4 min. read
04 Oct 2016, 4:40 pm
The High Court in London ruled that the disclosure of the report to the patient would not have been justified on privacy grounds. The report contained the personal data of both the doctor, Dr DB, and the patient, P, whose identities were anonymised by the court. P's request for access to the report was considered as a being a subject access request (SAR) under the Data Protection Act.
P had requested access to the report after complaining to the GMC that Dr DB had "examined and dealt with him incompetently", according to the High Court judgment. The GMC commissioned the expert report into Dr DB's professional competence in light of P's complaint.
According to the ruling, P wanted to access to the report for the purposes of raising a possible legal case against Dr DB. P claimed that Dr DB's handling of his case result in a one year long "avoidable delay" in him being diagnosed with having cancer, it said.
The GMC had concluded that it would be fair and lawful to disclose the report to P, but after notifying Dr DB of its intention to disclose the report the doctor challenged the decision. The GMC decided to defer disclosure until after the High Court assessed the case.
In his ruling, Mr Justice Soole said that the GMC had failed to appropriately balance the competing privacy rights of Dr DB and P.
Among the judge's criticisms of the GMC was his view that the GMC had failed to assess the case from a starting point of "a presumption against disclosure", which he said was required in accordance with previous case law given that Dr DB did not consent to the disclosure of his personal data.
The GMC also did not give "adequate weight" to Dr DB's "status as a data subject or therefore the privacy right which he had in the report", Mr Justice Soole said.
The fact that P wanted to use the information in the report to raise legal proceedings against Dr DB "should have been a weighty factor in the scales" in relation to the balancing of P and Dr DB's privacy rights, the judge said. However, the GMC's decision "took no adequate account" of this fact, he said.
Mr Justice Soole said that each future dispute over access to personal data which is mixed with others' data has to be considered on its own merits. However, he provided guidance on how organisations should approach such requests.
"In conducting the balancing exercise in mixed data cases of this type: it is essential to keep in mind that the exercise involves a balance between the respective privacy rights of data subjects," Mr Justice Soole said. "In the absence of consent, the rebuttable presumption or starting point is against disclosure. Furthermore the express refusal of consent is a specific factor to be taken into account."
"If it appears that the sole or dominant purpose is to obtain a document for the purpose of a claim against the other data subject, that is a weighty factor in favour of refusal, on the basis that the more appropriate forum is the Court procedure under CPR 31 [which contains rules on disclosure and inspection of documents]," he said.
Under the Data Protection Act the motivation behind a SAR is generally to be treated as irrelevant by organisations handling such requests. However, that changes when a SAR invokes another person's privacy rights, such as where the information requested also contains that third party's data.
If the third party does not consent to the release of their data, the organisation must nevertheless determine whether it is 'reasonable in all the circumstances to comply with the request without the consent of the other individual'. This involves carrying out a careful balancing act between the requester's privacy rights and those of the third party. In such cases it is relevant for organisations to assess the motivations behind a SAR. The High Court has now given guidance on how SARs filed for the purposes of litigation should be considered in such a balancing of rights.
Data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said: "There is now a growing body of case law concerning disclosure requests and mixed data documents where the English courts have been prepared to rule in favour of refusing disclosure of personal data under section 7 of the Data Protection Act (DPA) where the dominant or sole purpose being pursued is litigation, on the basis that the more appropriate route for obtaining disclosure is the court procedure under CPR 31."
"Of central interest in this case are the judge’s conclusions about the purpose behind the request. He considered purpose important, though subjects are of course not required to state their purpose in making a subject access request under the DPA," he said.
"The judge noted that P intended to use the information to pursue litigation against Dr DB but said that that purpose was not in line with those contemplated for subject access requests under the EU's Data Protection Directive – namely, to ensure personal data records are accurate and lawfulness of processing. He also said that Dr DB would be 'deprived' of protections that exist under CPR 31 procedures, including restrictions on how documents disclosed can be used, if the SAR had been granted," Dautlich said.
"In summary, the judge considered that the CPR 31 process for seeking document disclosure in litigation provided for a 'less restrictive interference' with Dr DB's privacy rights than would have applied had the document been disclosed in response to P's SAR, and that CPR 31 was the 'appropriate procedure' for P to follow given P's real purpose in seeking the document," he said.