Health Use
Data Protection Commission Case Studies
Doctor discloses sensitive personal data to insurance company without consent
This Office received a complaint from a solicitor acting on behalf of a data subject concerning the alleged further processing of the complainant’s personal data contained in medical records held by her General Practitioner (GP). It was alleged that medical records relating to the complainant were released to an insurance company by her GP, following a request made to the GP. The complaint stated that the GP had received a request from an insurance company seeking the complainant’s medical records relating to a knee injury she had suffered. It was alleged that, in replying to this request, the GP not only released data relevant to the knee injury, but he also disclosed other sensitive medical information – including cervical smear test results, a colposcopy, correspondence regarding lesions and records relating to Carpal Tunnel Syndrome, none of which were related to the knee injury.
We wrote to the GP and we asked that he provide an explanation as to what had occurred in this case. He responded stating that an insurance company had requested relevant information with respect to the patient concerned and her knee injury. He informed us that the request received stated that it ‘required copies of clinical consultations / surgery notes, investigations and associated results, treatments, referrals, outpatient appointments and repeat prescriptions from 18.2.2009 to the present date’. He stated that, inadvertently, copies of the patient’s records were supplied to the insurance company with some details which were not relevant to her knee injury and that this was obviously an oversight. He stated that he was deeply sorry that he had caused any distress or upset to his patient, whom he had known for thirty-five years. The GP stated that the complainant knew that he always endeavoured to keep a high standard in the practice and that she should understand his disappointment that the system used in releasing this information fell below the standard expected by the complainant and himself. He further stated that he hoped that she would accept his unreserved apology for the inadvertent disclosure of her records to the insurance company and that he completely understood how upset and disappointed she must be. He said that since this unpleasant and unfortunate error he had overhauled his practice procedures.
We wrote to the solicitor for the complainant outlining the GP’s response and also conveying the GP’s apologies. We stated that this Office’s approach to complaints is to try to seek an amicable resolution to the matter which is the subject of the complaint and we asked if his client would like to try to reach an amicable resolution of the complaint. They responded stating that their client wished for a formal decision of the Commissioner on the matter.
In considering this case, the key issue from a data protection perspective was the issue of consent. It was noted from the material provided that the complainant had completed and signed an insurance claim form which contained the following consent clause: “I authorise Financial Insurance Company Limited (the Underwriters) to make any enquiries and get any information they consider relevant from my doctor, employers or elsewhere. I understand that I must provide evidence to Financial Insurance Company Limited to prove my claim.” On the same claim form, the complainant supplied details of her accident and explained, as follows, why it prevented her from working: “Left knee injury. Tore Ligaments. Recovery Time Unknown. Waiting for Knee Surgery. On Waiting List.”
The insurance company concerned had sought the complainant’s medical records, supplied the relevant consent form and used the following terms in its request to the GP: “Can you please provide us with copies of the claimant’s medical records relevant to this claim. This includes all records relating to the medical conditions and associated symptoms which are the subject of this claim.”
It was clear from the insurance company’s request for medical records that it sought medical records relevant to the claim only. As the claim related to the complainant’s knee injury, the medical records sought related to that injury and the request did not extend beyond that. Equally, the complainant’s consent authorised the insurance company to make enquiries and to get any information considered relevant from her doctor and others. The consent was clearly limited to relevant information and it could not be interpreted as extending to all medical records held by the GP.
This Office issued a decision on this complaint which stated that the Commissioner was of the opinion, following the investigation of this complaint, that Section 2(1)(c)(ii) of the Data Protection Acts, 1988 & 2003 had been contravened by the GP by the further processing of the complainant’s sensitive personal data in the form of medical records unrelated to her knee injury. The contravention occurred when the GP, in responding to a request from an insurance company, disclosed to that insurance company certain medical records of the complainant without her consent.
Department of Education Circular Leads to Complaint about Sick Leave Information
We received a complaint relating to a Department of Education Circular (No. 0060/2010) concerning sick leave for registered teachers.
Specifically, the complaint focussed on certified sick leave and the requirement in the Circular that the nature of illness must be stated in a medical certificate in order for it to be acceptable.
Under the Data Protection Acts, medical data falls into the category of “sensitive personal data.” An employer has a legitimate interest in knowing how long an employee is likely to be on sick leave absence from work. It also has a legitimate interest in knowing whether an employee, following an accident or illness, is capable of doing particular types of work. Requiring employees to produce standard medical certificates to cover absences due to illness does not therefore present any data protection issues. But an employer would not normally have a legitimate interest in knowing the precise nature of an illness and it would therefore be at risk of breaching the Data Protection Acts if it sought such information. Even the consent of the employee may not allow the disclosure of such information to an employer as there may be a doubt as to whether such consent could be considered to be freely given in an employment context.
The Office raised the matter with the Department of Education. The Department indicated that the purpose of such information was to ensure that there was sufficient information available to the employer to make an informed decision as to whether or not to make a referral to the Occupational Health Service and/or to take appropriate steps, where necessary, in relation to health and safety matters. It said that in the context of a school, where the employer has a duty of care to its students and staff and where a teacher often has sole and unsupervised access to, and responsibility for, children this was particularly important. It stated that in the Department’s view, there was a strong legitimate public interest in ensuring that there was sufficient information to enable the employer to deal with any health and safety issues that may arise.
We accept that there are limited circumstances where employers may seek information from an employee in the context of an illness-related absence from work. Such situations may also permit a health professional to provide details of illness on request to an employer in specific circumstances where specifically warranted in a workplace context. Our guidance in relation to this matter (FAQ 3.7 on our website) makes it clear that in certain very specific circumstances a doctor may be legally obliged to report certain illnesses to an employer for health and safety reasons and we recognise the need for this practice, particularly in the case of contagious diseases.
However, any general practice of requiring all employees to specifically disclose their condition or illness to account for their sick absences from work does give rise to serious concerns from a data protection perspective as it does not adequately protect the sensitive personal data of those employees who may have an illness/condition which they consider private or sensitive.
We indicated to the Department that all of the considerations it had outlined had been considered by a Working Group established by the Department of Finance in 2010, which included representation from various Government Departments, this Office and the Attorney General’s Office. This led to the adoption of Department of Finance Circular 09/2010 setting out the Civil Service policy on the management of sick leave. In particular, Section 11 of that Circular states, among other things, that “While the nature of the illness does not have to be included in all circumstances, if it is not stated this may give rise to difficulties if seeking to have the absence discounted.” We consider that this approach represents an appropriate balance between the concerns outlined by the Department and the legitimate privacy expectations of employees.
Following our intervention, the Department confirmed that it was no longer advising schools/teachers that the nature of illness must be stated in all cases where a medical certificate is required. The Department also undertook to reflect this change when revising the current sick leave circular for teachers in order to ensure compliance with the Data Protection Acts. In addition, the Department indicated that relevant staff had been notified of our findings on this matter.
This case study highlights that employers should be aware that, in general, only limited relevant information should be sought from an employee submitting a medical certificate to account for a period of sick absence. Seeking excessive sensitive personal data in that context is a clear breach of the Data Protection Acts.
HSE West and a consultant ophthalmic surgeon breach the Acts
I received a complaint from a data subject about an alleged disclosure of personal information concerning his medical condition by a data controller. The data subject was involved in an insurance action with a third party in relation to an eye injury. The third party’s insurance company requested the data subject to attend a consultant ophthalmic surgeon for an assessment at his private surgery in Limerick. The consultant was also a consultant ophthalmic surgeon at the Mid-Western Regional Hospital in Limerick. The data subject had previously attended another consultant ophthalmic surgeon at the Mid-Western Regional Hospital as a public patient in relation to his eye injury.
The complaint was twofold. The first aspect related to the alleged release of the data subject’s hospital chart by the Mid-Western Regional Hospital to the consultant ophthalmic surgeon acting on behalf of the insurance company in his private practice. It was alleged that this took place without the data subject’s consent. The second aspect of the complaint related to the alleged unfair obtaining of the data subject’s hospital chart by the consultant ophthalmic surgeon.
The first point to be borne in mind in relation to this case was that the personal data in question, being medical records of the data subject, constituted ‘sensitive personal data’ as defined in the Acts. The central issue to be considered in this case, from a data protection point of view, was whether the HSE West, Mid-Western Regional Hospital complied in full with its obligations under the Acts.
Section 2 of the Acts deals with the collection, processing, keeping, use and disclosure of personal data. I was satisfied that no data protection issues arose in relation to sections 2(1)(a),(b), (c)(i), (c)(iii) or (c)(iv) of the Acts in relation to the Mid-Western Regional Hospital’s collection, processing, keeping and use of the data subject’s sensitive personal data. However, the disclosure of the data subject’s medical chart to the consultant ophthalmic surgeon had to be considered in the context of section 2(1)(c)(ii) of the Act. This section provides that personal data should not be further processed in a manner incompatible with the purpose for which it was collected. It was clear from my Office’s investigation that the consultant ophthalmic surgeon’s secretary at his private rooms contacted his secretary at the Mid-Western Regional Hospital to locate the data subject’s medical records relating to his eye condition. Following this contact, the secretary based at the hospital located the record and disclosed it to the consultant surgeon’s private surgery.
In assessing this issue from a data protection perspective, a clear distinction must be drawn between the consultant surgeon’s work within the HSE West, Mid-Western Regional Hospital as an employee of that hospital and his work carried out privately on behalf of an insurance company. The hospital’s disclosure of the medical records to the private rooms of the consultant surgeon undoubtedly involved the disclosure of those records from one data controller (the HSE West, Mid-Western Regional Hospital) to another (the consultant surgeon’s private surgery). It could not be regarded as information sharing within a single data controller because the consultant surgeon sought the data subject’s medical record from the hospital in his capacity as a separate data controller. In this instance he was not acting in his capacity as an employee of the HSE.
The medical record at the Mid-Western Regional Hospital in respect of the data subject was compiled in the course of his treatment for an eye condition. This was a specific, explicit and legitimate purpose. Any further use or disclosure of that medical record must be necessary for that purpose or compatible with the purpose for which the hospital collected and kept the data. The consultant surgeon was a separate data controller who sought this data for the purposes of an assessment of the data subject’s eye condition on behalf of an insurance company to facilitate their processing of an insurance claim. The processing of an insurance claim related to the data subject’s eye injury represented an entirely different purpose to the treatment of the data subject for an eye condition at the Mid-Western Regional Hospital.
There was also an obligation to meet the conditions set out in Section 2A of the Acts. These conditions included obtaining the consent of the data subject or deeming that the processing of the data was necessary for one of the following reasons:
· the performance of a contract to which the data subject is a party;
· in order to take steps at the request of the data subject prior to entering into a contract;
· compliance with a legal obligation, other than that imposed by contract;
· to prevent injury or other damage to the health of the data subject;
· to prevent serious loss or damage to property of the data subject;
· to protect the vital interests of the data subject where the seeking of the consent of the data subject is likely to result in those interests being damaged;
· for the administration of justice;
· for the performance of a function conferred on a person by or under an enactment;
· for the performance of a function of the Government or a Minister of the Government;
· for the performance of any other function of a public nature performed in the public interest; or
· for the purpose of the legitimate interests pursued by a data controller except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject.
In this case, the data subject did not give his consent to the Mid-Western Regional Hospital for the processing of his personal data involving the disclosure of his medical record to the consultant surgeon. In the absence of consent, the data controller must be able to meet at least one of the eleven conditions set out above. In this instance, the hospital did not meet any of those conditions.
To process sensitive personal data, in addition to complying with Sections 2 and 2A of the Acts, at least one of a number of additional special conditions set out in Section 2B(1) of the Acts must be satisfied:
– the data subject must give explicit consent to the processing or
– the processing must be necessary for one of the following reasons:
· for the purpose of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment;
· to prevent injury or other damage to the health of the data subject or another person, or serious loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or of another person in a case where consent cannot be given or the data controller cannot reasonably be expected to obtain such consent;
· it is carried out by a not-for-profit organisation in respect of its members or other persons in regular contact with the organisation;
· the information being processed has been made public as a result of steps deliberately taken by the data subject;
· for the administration of justice;
· for the performance of a function conferred on a person by or under an enactment;
· for the performance of a function of the Government or a Minister of the Government;
· for the purpose of obtaining legal advice, or in connection with legal proceedings, or for the purposes of establishing, exercising or defending legal rights;
· for medical purposes;
· for the purposes of political parties or candidates for election in the context of an election;
· for the assessment or payment of a tax liability; or
· in relation to the administration of a Social Welfare scheme.
As stated previously, the consent of the data subject, explicit or otherwise, was not obtained by the data controller for the processing of his personal data involving its disclosure by the Mid-Western Regional Hospital to the consultant surgeon. There are twelve conditions set out above, at least one of which must be met by a data controller in the absence of explicit consent before sensitive personal data can be processed. In this instance, the Mid-Western Regional Hospital did not meet any of those conditions.
I formed the opinion that the HSE West, Mid-Western Regional Hospital contravened Section 2(1)(c)(ii), Section 2A(1) and Section 2B(1)(b) of the Acts by processing the data subject’s sensitive personal data in a manner which was incompatible with the purpose for which it was obtained. This processing occurred when the consultant surgeon’s secretary at the Mid-Western Regional Hospital disclosed the data subject’s hospital medical file to his private practice secretary. In response to this incident the HSE West put in place improved controls for ensuring that requests for access to hospital files are justified and fully in line with the purpose for which health data is held. I welcome this.
I also considered whether the consultant surgeon had breached the requirements of the Acts by obtaining and using the file created in the Mid-Western Regional Hospital.
In light of my previous decision which found a number of contraventions of the Acts by the HSE West, it followed that the consultant surgeon unfairly obtained the data subject’s hospital file. However, it was also clear that this was done unintentionally and in good faith.
I accept that the lines can be blurred in some instances in the health sector between treatment provided by the public system and treatment provided by the private system (especially here in Ireland due to the public/private sector split). This can give rise to complexity in terms of data protection responsibilities as patient information flows between the public and private systems. However, no such complexity arises in relation to the transfer of personal data that is not related to the treatment of a patient (in this particular instance carried out on behalf of an insurance company). Organisations entrusted with personal data, and especially those holding sensitive personal data such as health information, have onerous responsibilities under the Data Protection Acts. These responsibilities reflect the position of trust afforded to such data controllers when they are given our personal data.
Data Controller breaches several provisions in its processing of Sensitive Personal Data
I received a complaint in May 2006 from a data subject regarding the use by her former employer, Baxter Healthcare S.A., of two medical reports relating to her. The data subject had been involved in an industrial accident at work in April 2002 which subsequently resulted in a prolonged absence from the workplace. During this absence, the data subject pursued a personal injuries claim against Baxter Healthcare. As part of this process, at the request of the solicitor acting on behalf of Baxter Healthcare’s insurers, she attended a consultant neurologist on two occasions for medical evaluation in 2003 and 2004. Early in 2005, the data subject became aware that the medical reports compiled as a result of those evaluations were in the possession of Baxter Healthcare. Through her solicitor, the data subject made an access request to Baxter Healthcare for copies of the medical reports. She was advised in writing that, as these reports were obtained in the context of her personal injury proceedings, her access request should be addressed to the solicitors, P. O’Connor & Son, acting for the insurers. Shortly afterwards, the data subject’s contract of employment was terminated. The decision by Baxter Healthcare to terminate the employment was stated to be on the basis of the medical evidence available to the company, including the medical reports compiled in 2003 and 2004 in the context of the data subject’s personal injury claim. Following her dismissal, the data subject brought a claim to the Labour Relations Commission against Baxter Healthcare under the Unfair Dismissals Acts 1977 to 2001. A hearing in relation to this case took place in April 2006 and the data subject alleged that, in the course of the hearing, copies of the medical reports were furnished by Baxter Healthcare to herself, to the Rights Commissioner and to all present. These medical reports had not been previously provided to her in response to her access request.
My Office conducted a detailed and extensive investigation of this complaint. This focused on two primary data protection issues, namely the use of the medical reports obtained to defend an insurance claim to support the dismissal of the data subject, and the disclosure of those same medical reports at a labour relations hearing. The company’s solicitor stated that the medical reports of the consultant neurologist were obtained for the legitimate purpose of defending personal injury proceedings instituted by the data subject and that the medical reports were also employed and required for the legitimate purpose of defending separate legal proceedings against Baxter Healthcare under the Unfair Dismissals Acts 1977 to 2001. It submitted that Section 2(1)(c)(i) of the Acts specifically envisages that the data may be obtained and used for more than one purpose, provided that both purposes are legitimate. It went on to state that Section 2(1)(c)(ii) of the Acts only prohibits further processing insofar as that processing is incompatible with the original purpose or purposes. It argued that the use of the reports to defend legal proceedings against Baxter Healthcare under the Unfair Dismissals Act could not be said to be incompatible with the original purpose, as the original purpose was to defend legal proceedings instituted by the data subject and the subsequent use was also to defend legal proceedings, albeit separate proceedings, brought by the data subject.
The data subject sought a decision on her complaint under Section 10(1)(b)(ii) of the Acts in June 2007. In my analysis of the data protection issues arising from this complaint, I found that the medical reports in question constitute ‘sensitive personal data’ within the meaning of the Acts. The medical reports were commissioned on behalf of Baxter Healthcare’s insurers, by its solicitors, for the purpose of the defence of the High Court personal injury claim instituted by the data subject. The reports were, however, used for three purposes:
They were used for the purpose for which they were generated in the first place, i.e. for the defence by Baxter Healthcare’s insurers of the High Court personal injury claim instituted by the data subject.
They were used in the decision taken by Baxter Healthcare to terminate the employment of the data subject.
They were used to defend legal proceedings taken by the data subject against Baxter Healthcare under the Unfair Dismissals Act at a hearing in April 2006.
No data protection issue arose in relation to the first use of the medical reports by Baxter Healthcare’s insurers in the context of its defence of the personal injury claim brought by the data subject.
With regard to the second use by Baxter Healthcare of the medical reports in the decision to terminate the data subject’s employment, this was done without the data subject’s consent. The general requirements that must be complied with by a data controller under the Acts in relation to the personal data of a data subject include the following:
· the data shall have been obtained only for one or more specified, explicit and legitimate purposes;
· the data shall not be further processed in a manner incompatible with that purpose or those purposes;
· the data subject is informed of the purpose or purposes for which the data are intended to be processed.
The consent of the data subject is the default position, as it were, for the fair processing and obtaining of personal data. Where it is absent, the data controller may not process personal data unless it can find another basis in the Acts. The Acts provide for the following exemptions which were potentially applicable in the present case:
· the processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject (Section 2A(1)(d));
and (because sensitive data is involved)
· the processing is required for the purpose of obtaining legal advice or for the purposes of, or in connection with, legal proceedings or prospective legal proceedings or is otherwise necessary for the purpose of establishing, exercising or defending legal rights (Section 2B(b)(vii)).
All of these conditions must be met.
In my analysis of this complaint, I considered that the purpose for which the medical reports were originally obtained (the defence by Baxter’s insurers of the High Court personal injury claim instituted by the data subject) was not compatible with their further use to support the data controller’s decision to dismiss the data subject. I considered that, in the absence of the data subject’s consent, this processing of the data subject’s sensitive personal data constituted a breach of the Acts.
With regard to the third use by Baxter Healthcare of the medical reports to defend legal proceedings under the Unfair Dismissals Act, the same considerations arose in relation to the further use of the sensitive personal data at a hearing before a Rights Commissioner in April 2006, with the aggravating factor that the sensitive personal data was further disclosed to those involved in the hearing.
However, I had to consider if the processing of personal data in this case might benefit from the exemption in Section 8(f) of the Acts which provides that: “Any restrictions in this Act on the processing of personal data do not apply if the processing is …required…for the purposes of, or in the course of, legal proceedings in which the person making the disclosure is a party or a witness.”
I formed the opinion that this exemption cannot apply to sensitive personal data which has already been improperly processed to support the decision (dismissal) which was the subject matter of the legal process. I concluded that the use of the medical records to defend the Unfair Dismissals claim constituted a further breach of the Acts.
For completeness, my Decision in this case also found that Baxter had failed to comply fully with an access request made by the data subject.
This case demonstrates the care which data controllers must exercise in the processing of all personal data, including sensitive personal data, in its possession. It is unacceptable for a data controller to seek to take advantage of personal data which may be in its possession and to use it for some purpose unrelated to the purpose for which it was originally obtai
Caredoc: Failure to comply with an access request and appeal of an enforcement notice
I received a complaint from the parents of a child that Caredoc (a medical facility in Carlow) had failed to comply with an access request under Section 4 of the Acts for access to the child’s personal data.
My Office received the complaint in January 2006 and commenced an investigation. We established that the child had attended Caredoc in May 2004 and that the access request was made by the solicitor for the child’s family in August 2005. Prior to the complaint being submitted to my Office, Caredoc’s solicitors informed the legal representative for the child’s family that the access request raised matters of serious importance to their clients and that they wished to be absolutely sure of their position prior to making a formal reply.
During the course of my Office’s investigation, we exchanged correspondence on several occasions with Caredoc’s solicitors. We posed a number of key questions on the matter, none of which were answered to the satisfaction of my Office. At one point we were advised that the access request had thrown up a serious difficulty with which Caredoc was trying to come to terms. Caredoc’s solicitors acknowledged that their client owed statutory obligations on foot of the Data Protection Acts but stated that their client also owed a number of other conflicting obligations which needed to be reconciled properly with all the persons concerned before they were in a position to comply with the access request. In later correspondence, my Office was told that the request had raised a fundamental problem for Caredoc concerning the information gathered by them both physically and electronically and that the opinion of Senior Counsel was required. This was accepted in good faith on the basis that such advice would be forthcoming promptly. In a further letter, Caredoc’s solicitors informed my Office that genuine difficulties had arisen as a result of the circumstances thrown up by the access request and that Caredoc was anxious not to have any adverse precedents set in relation to the confidentiality issue as between doctor and patient. Throughout the investigation, my Office continued to remind Caredoc of its obligations to comply with the access request and we advised them that failure to proceed to release the information was a contravention of Section 4(1) of the Acts. At the end of June 2006, having exchanged a large volume of correspondence and with no prospect of the legal advice emerging, my Office gave Caredoc’s solicitors a final opportunity to respond to the key questions which we had raised with them. They failed to respond and I subsequently served an Enforcement Notice on Caredoc in July 2006 pursuant to Section 10 of the Acts.
There were a number of reasons for my decision to serve an Enforcement Notice on Caredoc. From the information available to me, I believed that information collected by Caredoc on the date in question likely constituted sensitive personal data within the meaning of the Acts. I believed that Caredoc had not complied with an access request and was, therefore, in contravention of Section 4(1) of the Acts. Furthermore, I believed that, given the passage of time and the continued failure of the data controller or their legal representatives to engage substantively with my Office, an Enforcement Notice was required to ensure compliance.
The Enforcement Notice required Caredoc, within a period of twenty-one days, to provide the solicitor of the child’s family with the personal data relating to the attendance of the child at Caredoc’s facility in Carlow in May 2004. In line with their legal entitlements, pursuant to Section 26 of the Acts, Caredoc appealed to the Circuit Court against the requirement specified in the Enforcement Notice. The appeal was listed for hearing in Carlow Circuit Court in December 2006. At the Court hearing, Caredoc withdrew the appeal and agreed to supply the personal data sought.
I was very satisfied with the outcome of this case. Firstly, it ensured that the patient in question received access to their full medical records. Secondly, the case was significant for my Office as I used my full legislative powers to compel the provision of the records in question when Caredoc had repeatedly delayed in doing so. Thirdly, the case was all the more acute as it related to sensitive medical information which a patient has a right to access except in certain very limited circumstances. Finally, the patient in question was a minor and the access request was made on his behalf by his mother.
Life assurance company and medical reports – access request denied
I received a complaint from a data subject who had not been given copies of medical reports, commissioned from independent specialists by a life assurance company in connection with her on-going income continuance claims – the Company had discontinued her claims on the basis that she was no longer fulfilling the definition of disability, as required under her policy.
In investigating this complaint, I reiterated that the Data Protection Acts give people a statutory right of access to their data, including their medical records, and that this right can only be limited or set aside in very specific and narrow circumstances.
The Company had cited the exemptions in section 5(1)(f) and 5(1)(g) as a basis for denying access to certain reports.
Section 5(1)(f) of the Acts provides that the right of access to personal data does not apply to personal data:
“(f) consisting of an estimate of, or kept for the purpose of estimating, the amount of liability of the data controller concerned on foot of a claim for the payment of a sum of money, whether in respect of damages or compensation, in any case in which the application of the section would be likely to prejudice the interests of the data controller in relation to the claim.”
I considered that medical reports commissioned by a life assurance company are for the purpose of assessing a claim. I found that the exemption in section 5(1)(f) permits a data controller, who puts on file an estimate of the amount of money that may be needed to meet a claim for compensation, to plead an exemption if the release of that estimate would be prejudicial. The contents of the medical reports at issue in this case did not relate to estimating liability per se. Rather, they related to whether or not there is a disability and opinions about capacity to work. It was therefore my view that this exemption cannot be claimed in respect of medical reports.
The company also proposed to withhold other reports on the basis of legal privilege as provided in section 5(1)(g), as they believed that they would ‘seriously prejudice (their) defence in any action’. Section 5(1)(g) provides that the right of access to personal data does not apply in respect of data:
“(g) in respect of which a claim of privilege could be maintained in a court in relation to communications between a client and his professional legal advisers or between those advisers.”
In assessing whether privilege could be claimed, it is necessary to look at the purpose of the referral to the doctor and specifically whether it was in anticipation of legal proceedings or to obtain legal advice. My staff outlined to the Company that it is important, when a life assurance company commissions a report, that the claimant fully understands the purpose of the examination, e.g. the purpose being for the company to assess and to come to a decision on a claim. Whether the reports were commissioned in anticipation or furtherance of litigation, and thus attract privilege, falls to be determined on a case-by-case basis.
It was understood that the decision in this case might ultimately be challenged in court and the Company indicated that in their opinion there was a high likelihood of this. The exemption refers to a potential situation where ‘a claim of privilege could be maintained in a court in relation to communications between a client and his professional legal advisers or between those advisers’. In this case, my staff considered that it was conceivable that such a claim could be maintained in a court. Therefore, it was held that certain medical reports specified by the company may be withheld pursuant to section 5(1)(g) pending any court proceedings.
Disclosure of patient details to the National Treatment Purchase Fund
I received a complaint from a public hospital patient whose data had been disclosed to the National Treatment Purchase Fund (NTPF).
My staff noted that regulation 4(b) of Statutory Instrument 179 of 2004, the National Treatment Purchase Fund Board Establishment Order 2004, states –
“Without prejudice to section 52 of the Health Act, 1970 the functions of the board are as follows:
(b) to collect, collate and validate information in relation to persons waiting for hospital treatment and to put in place information systems and procedures for that purpose”.
As the hospitals had collected the patient data for the purpose of patient treatment, it was considered that disclosure to the Fund is compatible with the purpose for which the patients had given their data to the hospital in the first place. Furthermore, the transmission of the data was for a statutory purpose relating to treatment. It was therefore considered that disclosure of data to the NTPF Waiting List Register was compatible with the purpose for which hospitals hold the data and therefore satisfied section 2(1) of the Data Protection Acts.
It was also considered that section 2A(1)(c) (iv) provides a basis for disclosing the data. This provides for processing of personal data (defined to include ‘disclosure’) necessary “for the performance of any other function of a public nature performed in the public interest by a person”.
As the data includes sensitive personal data as to health, one of the conditions specified in section 2B must also be satisfied. In this regard section 2B (1)(b)(vi)(11) provides that sensitive data shall not be processed (defined to include ‘disclosure’) unless, inter alia,
“the processing is necessary –
(11) for the performance of a function conferred on a person by or under an enactment”.
I was of the view that this allows the National Treatment Purchase Fund to collect information in respect of persons on waiting lists in order to manage and facilitate their treatment and that this was compliant with the Acts.
The National Treatment Purchase Fund had consulted my Office about this process and our advice was that patients should be informed that the disclosure had been made and given the opportunity to have their data deleted by the Fund. This advice was implemented. It is important to also emphasise that the Waiting List Register does not involve the publication of personal data. Only the National Treatment Purchase Fund and the relevant hospital (in respect of its own patients) has access to specific personal data.
Employment matters – claim of legal privilege and access to medical data in the workplace
An employee of a major national company had been requested to attend a doctor nominated by the employer in the context of his on-going sick leave. His employment was subsequently terminated and he made an access request under section 4 of the Data Protection Acts for a copy of the medical report. The company refused him access on the grounds that the employee had initiated legal proceedings against the company, that the report was privileged and that it did not have to be released as section 5(1)(g) applied. This section provides that the right of access under section 4 of the Acts does not apply to personal data
“(g) in respect of which a claim of privilege could be maintained in proceedings in a Court in relation to communications between a client and his professional legal advisers or between those advisers.”
I pointed out that there are two main categories of legal professional privilege recognised by Irish Courts:
• Confidential communications between a person and his lawyer seeking or giving legal advice and documents created by either party to provide or to obtain such advice are privileged.
• Documents created by either lawyer or client in anticipation or furtherance of litigation are also privileged. Therefore, communications between a person and his lawyer which provide legal advice or assistance and documents created to obtain or produce such advice or assistance are privileged if given or created in anticipation or furtherance of litigation.
In deciding whether privilege could be claimed, I considered the purpose of the referral to the doctor and specifically whether it was in anticipation of legal proceedings or to obtain legal advice or whether the purpose was to determine fitness for work.
The complainant stated that he had been requested by letter to attend the doctor to have his condition assessed due to his on-going sick leave – no reference was made to attendance being requested in connection with any court proceedings. The company however sought to claim to my Office that the report had been sought on legal advice and in anticipation of possible future legal proceedings. I found that while there may indeed have been a possibility of legal proceedings in relation to other matters, the first formal notification of court proceedings was sent by the data subject’s solicitors many months later. I further found that the purpose of the medical examination should be clear to the data subject at the time that he attends the doctor.
The employee in this case was clearly under the impression that the referral was related to assessing his fitness for work only. It is an important Data Protection principle that another purpose cannot be introduced retrospectively. Furthermore, information about the purpose is required to be provided to the employee (data subject) pursuant to section 2(D)(i) and (ii) of the Acts, otherwise personal data is not treated as “fairly processed”.
Privilege is an important feature of court proceedings but it should not be used as a veil to seek to restrict access where it cannot be justified. As section 5(1)(g) relates to personal data in relation to communications between a client and his professional legal advisers or between those advisers, I took the view in this case that a copy of a medical report prepared for a specific personnel purpose could not be considered as such a “communication” which would attract privilege. Also, there are very limited restrictions on an individual’s right of access to his or her medical data. The Data Protection (Access Modification) (Health) Regulations, 1989 provide that restrictions on access must be based on an opinion by a medical professional that allowing access would cause serious harm to the individual’s physical or mental health. As “harm” was not an issue, I therefore concluded that section 5(1)(g) of the Data Protection Acts, 1988 and 2003 could not be relied upon by the company to restrict his access to a copy of the medical report in question. I was pleased that the company accepted my view.
In another employment related case, I established that a data controller cannot avoid dealing with an access request for an employee’s medical report on the premise that it has been returned to the author of the report. To deal with such requests, organisations should have a clear procedure in place. The request may be for (1) the report itself and/or (2) the data on the medical file. When an access request for medical data is received, the Company Doctor/Medical Officer should be immediately advised and should make the data available unless it is considered ‘harmful’ to do so.
On a related question, it is sometimes considered that the employee’s consent is needed for referral to a company doctor. Generally, an employer will have the right under the contract of employment to refer an employee for a medical report. Processing of personal data in a medical report involves sensitive data and section 2(B)(i) of the Acts provides that a data controller must obtain “explicit” consent from a data subject before sensitive data may be processed. Alternatively, section 2B(ii) provides for processing which “is necessary for the purpose of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment”.
Relying on freely given consent implies that an employee has a right to refuse referral. Given the employer’s rights under the contract of employment, this may not fully reflect the entirety of the rights and obligations involved. Therefore, when the employee agrees to attend the doctor, what is important is that the employee clearly understands that s/he is required to attend the medical assessment for a particular purpose, e.g. to determine whether s/he is fit to return to work, and attends on that basis alone. On the other hand, if the purpose is connected with anticipation of or defence of legal proceedings, then the employee should know that this is the basis for the referral.
Drogheda Hospital – investigation into a consultant’s practice – patients felt consent was necessary – balance to be struck with concerns for public health issues overall
I received many complaints from former patients of a Drogheda hospital in relation to the manner in which an investigation was carried out by a health board into the conduct of a consultant’s practice. They complained that in the course of its investigation, the health board had sent copies of patients’ records and charts to a UK based healthcare risk management group and to an Irish review group without the consent of the individuals involved in 1998 and subsequently.
When I began to investigate the matter, I established that the data that had been disclosed by the Health Board prior to 1 July, 2003 was manual data, consisting of patient files, theatre files, etc. While the Data Protection Act, 1988 only applied to personal data on computer, the Data Protection (Amendment) Act, 2003 applies to manual data from 1 July, 2003. Although the manual data in question had therefore been referred in 1998 and so fell outside the remit of my Office, nevertheless, given the major issue involved, the matter was given full consideration as if the principles of both Acts applied.
The background to these complaints was that in October, 1998 the Health Board was made aware of serious concerns in relation to the management of patients under the care of a Consultant Obstetrician/ Gynaecologist, as a result of which a preliminary assessment was carried out in relation to the perceived concerns regarding his clinical practice. The records of 42 patients were involved and to ensure patient privacy and confidentiality, patients were numbered consecutively and this numbering was used in the management of all subsequent classifications in the review process.
Initially the records of 3 patients were sent to the UK based company for risk assessment review. Consultation was then undertaken by the Health Board with the Chairman of the Institute of Obstetricians and Gynaecologists in Ireland, who indicated that the Institute would assist the Board in order to conduct a review. The Board stated that it was their intention to deal with the alleged serious concerns regarding the Consultant and his practice in a confidential and sensitive process, having regard to the Board’s statutory duty of care and service management to patients availing of services within its area. The Review was carried out by the Institute at the request of the Health Board, and consisted of three independent Obstetrician Gynaecologists. The Terms of Reference included a request to assess and consider the nature and merit of the concerns of the Health Board.
The Health Board maintained that it had a duty of care to patients within the Health Board area and, when it was apprised of serious concerns relating to patient care, immediate legal and medical advice was sought, and that it was in this regard that charts were provided in a confidential manner to the Review Group following consultation with the Institute of Obstetricians and Gynaecologists. It also stated that at this stage the well-being of patients and the wider population was the primary concern. The Health Board set up help lines and counselling services, following the significant media coverage of the concerns in December, 1998 regarding the consultant’s practice. Following receipt of the Review Group’s Report in April 1999, the help-line was re-activated and direct contact was made by letter and telephone with the General Practitioners of the patients involved, who were asked to advise patients directly about the report and the options available to them.
The general principle of the Data Protection Acts is that personal data should only be processed and disclosed to other parties with the patient’s consent unless one of the provisions of section 8, which lift the restrictions on disclosure in limited and defined circumstances, applies.
Section 8(b) provides that –
“8.- Any restrictions in this Act on the processing of personal data do not apply if the processing is –
(b) required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the State, a local authority or a health board, in any case in which the application of those restrictions would be likely to prejudice any of the matters aforesaid…”
while section 8(d) provides that –
“8.- Any restrictions in this Act on the processing of personal data do not apply if the processing is –
(d) required urgently to prevent injury or other damage to the health of a person or serious loss of or damage to property.”
Section 8 therefore recognises that privacy rights are in no sense absolute and must constantly be balanced against other competing interests including society’s right to be made aware of particular information.
The matter which had to be considered by me, therefore, in terms of the Data Protection Acts, was whether the Board could rely on any of the provisions of section 8 as a basis for the referral of case files to the UK company and subsequently to the Enquiry by the Institute of Obstetricians and Gynaecologists, without the consent of the patients involved.
In routine referrals only anonymised information should be disclosed; charts etc. might not need to be forwarded and indeed prior patient consent should be sought. However, in a case such as this, when a serious matter, with implications for the health and welfare of past patients and indeed possible dangers for current and future patients, was brought to its attention, I deemed that the Board had a duty to fully establish all of the facts using whatever expert resources were necessary, and indeed in a speedy and urgent manner. I considered that the Board were justified in disclosing the files in order to protect the health of those who had had the procedures carried out by the consultant and also so that necessary steps could be identified to avoid inappropriate procedures in the future. Having regard to the serious and far-reaching public health issues and circumstances involved, I considered that the Board were justified in making the disclosures under section 8(b) and section 8(d) of the Acts.
Furthermore, I considered that the disclosure by the Board was a compatible disclosure within the meaning of section 2 of the Acts. Section 2(1)(c)(ii) provides that “data shall not be further processed in a manner incompatible with that purpose or those purposes” (for which it is held). I considered that the disclosure of patient data for the limited purpose of practice review in the wider interest of public health, subject to confidentiality and privacy safeguards, was consistent with the purpose for which personal data was held by a healthcare provider. However, as names of patients were also included in the charts supplied to the reviewing bodies, it would have been prudent, if it were feasible given the urgency and importance of the investigation, to delete all references to patients so that only anonymised information was released.
I deeply appreciate, and am glad, that the matter was brought to my attention by concerned and reasonable patients, as it raised serious matters in the healthcare area regarding data protection.
Access to medical records on a change of general practitioner
A person contacted me regarding her difficulty in obtaining her actual medical file which she had formally requested from the local Health Centre under section 4 of the Data Protection Acts. She explained that she was a private patient of a doctor at the Centre which catered for General Medical Service’s patients – the doctor treated patients on a private basis also. Her doctor had left the practice and had passed her records to his replacement in the Centre. She had received advice from her local Health Board that, under normal protocols, files associated with a general practitioner would transfer to the successor on the General Medical Service’s panel. However, files relating to private consultations between an individual and their general practitioner were a different matter. This is an important and correct distinction in Data Protection Law because the patient was a private patient. The doctor is therefore the data controller in respect of private patients and not the Health Centre or the Health Board.
In the course of our investigations, my Office established that the replacement GP had offered the complainant a copy of her medical notes but not the actual file, which is consistent with his obligations under the Acts. He had taken legal advice regarding the transfer of her notes to him and was satisfied that he, as a principal of the health centre, was entitled to custody of the complainant’s file.
My Office informed the complainant that she had a right, under section 4 of the Acts, to access her data, but did not have a right to obtain her actual file. I also advised that if she wished to transfer as a patient to another practitioner outside the health centre, she could request that a copy of her medical records be sent to her new GP. However, the GP at the health centre is entitled to retain custody of her file for medico-legal and other professional requirements.
General Practitioners are at the coal face of the medical service and patients are happy to put confidence and trust in them regarding their personal data. A health service can be delivered in an efficient and effective manner while at the same time respecting people’s privacy. The general nature of data protection law, to the extent that it leaves scope for ambiguity, entails a certain lack of legal certainty and clarity. For this reason, I liaised with the Irish College of General Practitioners and the National General Practice Information Technology Group, which led to the timely publication in November 2003 of “An Information Guide to the Data Protection Acts for General Practitioners”. The Guide addresses the issues surrounding custody of patients’ data raised in this case and advises that General Practitioners should take prompt reasonable steps to notify patients of cessation of practice and allow them the opportunity to transfer their health information to another provider. It also says that
“where a patient decides to transfer to another doctor, the existing doctor should, in accordance with data protection law and ethical guidelines, facilitate that decision by making available to the patient’s new doctor a copy of the patient’s health information. The existing doctor should, however, maintain the patient information record accumulated at that time for an adequate period consistent with meeting legal and other professional responsibilities. During that period, the provisions of the Data Protection Acts continue to apply to that information.”
In this case, I was pleased that the newly appointed doctor was following the guidance on the transfer of records. The case also highlights the important distinction between a data controller in respect of public patients (which is the Health Board or hospital or Health Centre as the case may be) and private patients (which is the relevant health professional).
Prosecution of Glen Collection Investments Limited and One of its Directors
The investigation in this case established that the defendant company obtained access to records held on computer databases in the Department of Social Protection over a lengthy period of time and that a company director used a family relative employed in the Department of Social Protection to access the records. The defendant company had been hired by a Dublin-based firm of solicitors to trace the current addresses of bank customers that the respective banks were interested in pursuing in relation to outstanding debts. Having obtained current address information or confirmed existing addresses of the bank customers concerned from the records held by the Department of Social Protection, the defendant company submitted trace reports containing this information to the firm of solicitors which acted for the banks. The case came to light on foot of a complaint which we received in February 2015 from a customer of AIB bank who alleged that an address associated with him and which was known only to the Department of Social Protection was disclosed by that department to an agent working on behalf of AIB bank.
The Data Protection Commissioner decided to prosecute both the company and the director in question, Mr Michael Ryan. Glen Collection Investments Limited was charged with seventy-six counts of breaches of the Data Protection Acts, 1988 & 2003. Sixty-one charges related to breaches of Section 19(4) of the Data Protection Acts for processing personal data as a data processor while there was no entry recorded for the company in the public register which is maintained by the Data Protection Commissioner under Section 16(2) of the Data Protection Acts. Fifteen charges related to breaches of Section 22 of the Data Protection Acts for obtaining access to personal data without the prior authority of the data controller by whom the data is kept and disclosing the data to another person.
Mr. Michael Ryan, a director of Glen Collection Investments Limited, was separately charged with seventy-six counts of breaches of Section 29 of the Data Protection Acts, 1988 & 2003 for his part in the offences committed by the company. This Section provides for the prosecution of company directors where an offence by a company is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of the company directors or other officers.
The cases against Glen Collection Investments Limited and its director were called in Tuam District Court in January, May and July of 2016 before the defendants eventually entered guilty pleas on 10 October 2016. While the defendant company was legally represented in court on all occasions, the Court issued a bench warrant for the arrest of the company director, Mr Ryan, on 10 May 2016 after he had twice failed to appear. The bench warrant was executed at Tuam District Court on 10 October, 2016 prior to the commencement of that day’s proceedings.
At Tuam District Court on 10 October 2016 Glen Collection Investments Limited pleaded guilty to twenty-five sample charges – thirteen in relation to offences under Section 22 and twelve in relation to offences under Section 19(4). The company was convicted on the first five counts with the remainder taken into consideration. The court imposed five fines of €500 each. Mr. Ryan pleaded guilty to ten sample charges under Section 29. He was convicted on all ten charges and the court imposed ten fines of €500 each. In summary, the total amount of fines imposed in relation to this prosecution was €7,500.
The Necessity to Give Clear Notice When Collecting Biometric Data at a Point of Entry
In October 2015, we received a complaint from a contractor in relation to the alleged unfair obtaining and processing of their personal data. The complainant stated that in the course of attending a data centre for work-related purposes the company had collected their biometric data without their consent and had also retained their passport until they had completed the training course. While the complainant had been advised in advance by the data controller to bring identification on the day of attendance at the data centre for security purposes, they had not been informed at that time that the data controller would be collecting their biometric data upon arrival at the data centre.
In the course of our investigation, we established that the data controller had collected the complainant’s biometric data upon their arrival at the data centre by way of a fingerprint scan. However, no information about this process had been provided to the complainant at that time – they were simply told that they could not go through security without this biometric fingerprinting. The data controller confirmed to us that this fingerprint scan data had not been retained, rather it had been used to generate a numerical template which was then stored in encrypted form and that numerical information was associated with a temporary access badge provided to the complainant for the duration of the time which the complainant was in attendance at the data centre. The data controller confirmed that it had deleted this information from its system and back-up files at the data subject’s request upon the data subject’s departure from the data centre. The data controller further confirmed that, while it had retained the complainant’s passport for the duration of the complainant’s attendance at the data centre pursuant to a policy to ensure the return of temporary access badges, it had not taken or retained a copy of the complainant’s passport.
The complainant in this case did not wish to accept the offer of amicable resolution made by the data controller and instead requested that the Commissioner make a formal decision on their complaint.
The decision by the Data Protection Commissioner in October 2016 found that the data controller contravened Section 2(1)(a) and Section 2D(1) of the Data Protection Acts 1988 and 2003, as the data controller should have supplied the complainant with the purposes of the collection and processing of the biometric data, the period for which it would be held and the manner in which it would be retained, used and, if applicable, disclosed to third parties. This could have been done by the data controller either when it was in contact with the complainant to advise them of the requirement to bring identification to gain entry to the data centre or, at the latest, at the time the complainant arrived at the data centre.
However, in relation to the obtaining and processing of the complainant’s biometric data, having reviewed the information provided by the data controller in the course of the investigation by this office, the Data Protection Commissioner found that the data controller had a legitimate interest under Section 2A(1)(d) of the Acts in implementing appropriate security procedures for the purposes of safeguarding the security of the data centre, in particular for the purposes of regulating and controlling access by third parties to the data centre. Given that the biometric data was used solely for the purposes of access at the data centre, was not transferred to any other party and was deleted in its entirety at the data subject’s request upon departing the data centre, the Data Protection Commissioner’s view was that this did not amount to potential prejudice which outweighed the legitimate interests of the data controller in protecting the integrity of the data centre and preventing unauthorised access to it. Accordingly, the Data Protection Commissioner concluded that the data controller had a legal basis for processing the complainant’s biometric data.
In relation to the retention of the complainant’s passport for the duration of their visit at the data centre, the Commissioner found that this did not give rise to any contravention of the Data Protection Acts 1988 and 2003, as the data controller had a legitimate interest in doing so and the limited processing of the complainant’s passport information (i.e. the retention of the passport itself) did not give rise to any disproportionate interference with the complainant’s fundamental rights.
Transparency is a key principle under data protection law and the giving of notice of processing of personal data to a data subject is a major element of demonstrating compliance with this principle. In particular, the central tenet that individuals whose data is collected and processed should not generally be “surprised” at the collection and processing or its scale or scope, should inform all aspects of a data controller’s data processing operations.
Residential Care Home’s Legitimate Use of Audio Recording and Photograph of Data Subject Concerning Allegations of Misconduct
We received a complaint from a former employee of a residential care home who claimed that photographic evidence and an audio recording of them were used in a disciplinary case against them by their employer resulting in their dismissal.
During our investigation, the complainant’s former employer (the operators of the residential care home) advised us that a formal, externally led investigation had been conducted into allegations that the complainant had been found by a supervisor to be asleep during a night shift on two separate occasions. On the nights in question, the complainant had been the sole staff member on duty responsible for the care of a number of highly vulnerable and dependent adults who had complex medical and care needs and who needed to be checked regularly. Having discovered the complainant asleep on the first occasion, the supervisor had warned the complainant that if it happened again it would be reported in line with the employer’s grievance and disciplinary procedure. On the second occasion, when the supervisor discovered the complainant to be asleep, fully covered by a duvet on a recliner with the lights in the room dimmed and the television off, the supervisor had used their personal phone to take photographs of the complainant sleeping and make a sound recording of the complainant snoring. The allegations had been upheld by the investigation team and a report prepared. This was followed by a disciplinary hearing convened by the employer. The employer had informed the complainant at that hearing that it accepted the verbal and written account given by the supervisor. The employer had found that the act of sleeping on duty constituted gross misconduct in light of the vulnerabilities and dependencies of the clients in the complainant’s care and the complainant had been dismissed.
Having regard to the information supplied to us by the operators of the residential care home and, in particular, the vulnerability of the clients involved and the nature of the complainant’s duties, we formed the view that no breach of the Data Protection Acts 1988 and 2003 had occurred. In this case, we considered that the processing of the complainant’s data, by way of the photograph and audio recording made by the supervisor, and the subsequent disclosure of these to the employer was necessary for the purposes of the legitimate interests pursued by the data controller, the employer, under Section 2A(1)(d) of the Data Protection Acts 1988 and 2003. This legal basis for processing requires the balancing of the data controller’s (or a third party’s or parties’) legitimate interests against the fundamental rights and freedoms or legitimate interests of the data subject, including an evaluation of any prejudice caused to those rights of the data subject.
We considered that the processing of personal data here was limited in nature and scope as it consisted of a one-off taking of a photograph and the making of an audio recording by the supervisor, who acted of their own volition and not in response to any direction or request from the employer. There had been limited further disclosure of the personal data concerned afterwards, i.e. to the employer, while the original photograph and recording were deleted from the supervisor’s phone. A copy of the material had also been provided to the complainant in advance of the complainant meeting the investigation team. We therefore considered that, in the circumstances, the processing was proportionate and that the legitimate interests of the data controller (and indeed the legitimate interests of third parties, being the clients of the residential care home) outweighed the complainant’s right to protection of their personal data.
While the right to protection of one’s personal data attracts statutory protection within the national legal system and, moreover, is a fundamental right under EU law, such rights are not absolute. Accordingly, they must be interpreted to allow a fair balance to be struck between the various rights guaranteed by the EU legal order. In particular, as this case demonstrates, data-protection rights should not be used to ‘trump’ the rights of particularly vulnerable members of society or the legitimate interests pursued by those organisations responsible for safeguarding the health and life of such persons in discharging their duties of care and protection.
The Necessity to Give Clear Notice When Collecting Biometric Data at a Point of Entry
In October 2015, we received a complaint from a contractor in relation to the alleged unfair obtaining and processing of their personal data. The complainant stated that in the course of attending a data centre for work-related purposes the company had collected their biometric data without their consent and had also retained their passport until they had completed the training course. While the complainant had been advised in advance by the data controller to bring identification on the day of attendance at the data centre for security purposes, they had not been informed at that time that the data controller would be collecting their biometric data upon arrival at the data centre.
In the course of our investigation, we established that the data controller had collected the complainant’s biometric data upon their arrival at the data centre by way of a fingerprint scan. However, no information about this process had been provided to the complainant at that time – they were simply told that they could not go through security without this biometric fingerprinting. The data controller confirmed to us that this fingerprint scan data had not been retained, rather it had been used to generate a numerical template which was then stored in encrypted form and that numerical information was associated with a temporary access badge provided to the complainant for the duration of the time which the complainant was in attendance at the data centre. The data controller confirmed that it had deleted this information from its system and back-up files at the data subject’s request upon the data subject’s departure from the data centre. The data controller further confirmed that, while it had retained the complainant’s passport for the duration of the complainant’s attendance at the data centre pursuant to a policy to ensure the return of temporary access badges, it had not taken or retained a copy of the complainant’s passport.
The complainant in this case did not wish to accept the offer of amicable resolution made by the data controller and instead requested that the Commissioner make a formal decision on their complaint.
The decision by the Data Protection Commissioner in October 2016 found that the data controller contravened Section 2(1)(a) and Section 2D(1) of the Data Protection Acts 1988 and 2003, as the data controller should have supplied the complainant with the purposes of the collection and processing of the biometric data, the period for which it would be held and the manner in which it would be retained, used and, if applicable, disclosed to third parties. This could have been done by the data controller either when it was in contact with the complainant to advise them of the requirement to bring identification to gain entry to the data centre, or, at the latest, at the time the complainant arrived at the data centre.
However, in relation to the obtaining and processing of the complainant’s biometric data, having reviewed the information provided by the data controller in the course of the investigation by this office, the Data Protection Commissioner found that the data controller had a legitimate interest under Section 2A(1)(d) of the Acts in implementing appropriate security procedures for the purposes of safeguarding the security of the data centre, in particular for the purposes of regulating and controlling access by third parties to the data centre. Given that the biometric data was used solely for the purposes of access at the data centre, was not transferred to any other party and was deleted in its entirety at the data subject’s request upon departing the data centre, the Data Protection Commissioner’s view was that this did not amount to potential prejudice which outweighed the legitimate interests of the data controller in protecting the integrity of the data centre and preventing unauthorised access to it. Accordingly, the Data Protection Commissioner concluded that the data controller had a legal basis for processing the complainant’s biometric data.
In relation to the retention of the complainant’s passport for the duration of their visit at the data centre, the Commissioner found that this did not give rise to any contravention of the Data Protection Acts 1988 and 2003, as the data controller had a legitimate interest in doing so and the limited processing of the complainant’s passport information (i.e. the retention of the passport itself) did not give rise to any disproportionate interference with the complainant’s fundamental rights.
Transparency is a key principle under data protection law and the giving of notice of processing of personal data to a data subject is a major element of demonstrating compliance with this principle. In particular, the central tenet that individuals whose data is collected and processed should not generally be “surprised” at the collection and processing or its scale or scope, should inform all aspects of a data controller’s data processing operations.
HSE West and a consultant ophthalmic surgeon breach the Acts
I received a complaint from a data subject about an alleged disclosure of personal information concerning his medical condition by a data controller. The data subject was involved in an insurance action with a third party in relation to an eye injury. The third party’s insurance company requested the data subject to attend a consultant ophthalmic surgeon for an assessment at his private surgery in Limerick. The consultant was also a consultant ophthalmic surgeon at the Mid-Western Regional Hospital in Limerick. The data subject had previously attended another consultant ophthalmic surgeon at the Mid-Western Regional Hospital as a public patient in relation to his eye injury.
The complaint was twofold. The first aspect related to the alleged release of the data subject’s hospital chart by the Mid-Western Regional Hospital to the consultant ophthalmic surgeon acting on behalf of the insurance company in his private practice. It was alleged that this took place without the data subject’s consent. The second aspect of the complaint related to the alleged unfair obtaining of the data subject’s hospital chart by the consultant ophthalmic surgeon.
The first point to be borne in mind in relation to this case was that the personal data in question, being medical records of the data subject, constituted ‘sensitive personal data’ as defined in the Acts. The central issue to be considered in this case, from a data protection point of view, was whether the HSE West, Mid-Western Regional Hospital complied in full with its obligations under the Acts.
Section 2 of the Acts deals with the collection, processing, keeping, use and disclosure of personal data. I was satisfied that no data protection issues arose in relation to Sections 2(1)(a), (b), (c)(i), (c)(iii) or (c)(iv) of the Acts in relation to the Mid-Western Regional Hospital’s collection, processing, keeping and use of the data subject’s sensitive personal data. However, the disclosure of the data subject’s medical chart to the consultant ophthalmic surgeon had to be considered in the context of Section 2(1)(c)(ii) of the Acts. This section provides that personal data should not be further processed in a manner incompatible with the purpose for which it was collected. It was clear from my Office’s investigation that the consultant ophthalmic surgeon’s secretary at his private rooms contacted his secretary at the Mid-Western Regional Hospital to locate the data subject’s medical records relating to his eye condition. Following this contact, the secretary based at the hospital located the record and disclosed it to the consultant surgeon’s private surgery.
In assessing this issue from a data protection perspective, a clear distinction must be drawn between the consultant surgeon’s work within the HSE West, Mid-Western Regional Hospital as an employee of that hospital and his work carried out privately on behalf of an insurance company. The hospital’s disclosure of the medical records to the private rooms of the consultant surgeon undoubtedly involved the disclosure of those records from one data controller (the HSE West, Mid-Western Regional Hospital) to another (the consultant surgeon’s private surgery). It could not be regarded as information sharing within a single data controller because the consultant surgeon sought the data subject’s medical record from the hospital in his capacity as a separate data controller. In this instance he was not acting in his capacity as an employee of the HSE.
The medical record at the Mid-Western Regional Hospital in respect of the data subject was compiled in the course of his treatment for an eye condition. This was a specific, explicit and legitimate purpose. Any further use or disclosure of that medical record must be necessary for that purpose or compatible with the purpose for which the hospital collected and kept the data. The consultant surgeon was a separate data controller who sought this data for the purposes of an assessment of the data subject’s eye condition on behalf of an insurance company to facilitate their processing of an insurance claim. The processing of an insurance claim related to the data subject’s eye injury represented an entirely different purpose to the treatment of the data subject for an eye condition at the Mid-Western Regional Hospital.
There was also an obligation to meet the conditions set out in Section 2A of the Acts. These conditions included obtaining the consent of the data subject or deeming that the processing of the data was necessary for one of the following reasons:
· the performance of a contract to which the data subject is a party;
· in order to take steps at the request of the data subject prior to entering into a contract;
· compliance with a legal obligation, other than that imposed by contract;
· to prevent injury or other damage to the health of the data subject;
· to prevent serious loss or damage to property of the data subject;
· to protect the vital interests of the data subject where the seeking of the consent of the data subject is likely to result in those interests being damaged;
· for the administration of justice;
· for the performance of a function conferred on a person by or under an enactment;
· for the performance of a function of the Government or a Minister of the Government;
· for the performance of any other function of a public nature performed in the public interest; or
· for the purpose of the legitimate interests pursued by a data controller except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject.
In this case, the data subject did not give his consent to the Mid-Western Regional Hospital for the processing of his personal data involving the disclosure of his medical record to the consultant surgeon. In the absence of consent, the data controller must be able to meet at least one of the eleven conditions set out above. In this instance, the hospital did not meet any of those conditions.
To process sensitive personal data, in addition to complying with Sections 2 and 2A of the Acts, at least one of a number of additional special conditions set out in Section 2B(1) of the Acts must be satisfied:
– the data subject must give explicit consent to the processing or
– the processing must be necessary for one of the following reasons:
· for the purpose of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment;
· to prevent injury or other damage to the health of the data subject or another person, or serious loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or of another person in a case where consent cannot be given or the data controller cannot reasonably be expected to obtain such consent;
· it is carried out by a not-for-profit organisation in respect of its members or other persons in regular contact with the organisation;
· the information being processed has been made public as a result of steps deliberately taken by the data subject;
· for the administration of justice;
· for the performance of a function conferred on a person by or under an enactment;
· for the performance of a function of the Government or a Minister of the Government;
· for the purpose of obtaining legal advice, or in connection with legal proceedings, or for the purposes of establishing, exercising or defending legal rights;
· for medical purposes;
· for the purposes of political parties or candidates for election in the context of an election;
· for the assessment or payment of a tax liability; or
· in relation to the administration of a Social Welfare scheme.
As stated previously, the consent of the data subject, explicit or otherwise, was not obtained by the data controller for the processing of his personal data involving its disclosure by the Mid-Western Regional Hospital to the consultant surgeon. There are twelve conditions set out above, at least one of which must be met by a data controller in the absence of explicit consent before sensitive personal data can be processed. In this instance, the Mid-Western Regional Hospital did not meet any of those conditions.
I formed the opinion that the HSE West, Mid-Western Regional Hospital contravened Section 2(1)(c)(ii), Section 2A(1) and Section 2B(1)(b) of the Acts by processing the data subject’s sensitive personal data in a manner which was incompatible with the purpose for which it was obtained. This processing occurred when the consultant surgeon’s secretary at the Mid-Western Regional Hospital disclosed the data subject’s hospital medical file to his private practice secretary. In response to this incident the HSE West put in place improved controls for ensuring that requests for access to hospital files are justified and fully in line with the purpose for which health data is held. I welcome this.
I also considered whether the consultant surgeon had breached the requirements of the Acts by obtaining and using the file created in the Mid-Western Regional Hospital.
In light of my previous decision which found a number of contraventions of the Acts by the HSE West, it followed that the consultant surgeon unfairly obtained the data subject’s hospital file. However, it was also clear that this was done unintentionally and in good faith.
I accept that the lines can be blurred in some instances in the health sector between treatment provided by the public system and treatment provided by the private system (especially here in Ireland due to the public/private sector split). This can give rise to complexity in terms of data protection responsibilities as patient information flows between the public and private systems. However, no such complexity arises in relation to the transfer of personal data that is not related to the treatment of a patient (in this particular instance carried out on behalf of an insurance company). Organisations entrusted with personal data, and especially those holding sensitive personal data such as health information, have onerous responsibilities under the Data Protection Acts. These responsibilities reflect the position of trust afforded to such data controllers when they are given our personal data.
Data Controller breaches several provisions in its processing of Sensitive Personal Data
I received a complaint in May 2006 from a data subject regarding the use by her former employer, Baxter Healthcare S.A., of two medical reports relating to her. The data subject had been involved in an industrial accident at work in April 2002 which subsequently resulted in a prolonged absence from the workplace. During this absence, the data subject pursued a personal injuries claim against Baxter Healthcare. As part of this process, at the request of the solicitor acting on behalf of Baxter Healthcare’s insurers, she attended a consultant neurologist on two occasions for medical evaluation in 2003 and 2004. Early in 2005, the data subject became aware that the medical reports compiled as a result of those evaluations were in the possession of Baxter Healthcare. Through her solicitor, the data subject made an access request to Baxter Healthcare for copies of the medical reports. She was advised in writing that, as these reports were obtained in the context of her personal injury proceedings, her access request should be addressed to the solicitors, P. O’Connor & Son, acting for the insurers. Shortly afterwards, the data subject’s contract of employment was terminated. The decision by Baxter Healthcare to terminate the employment was stated to be on the basis of the medical evidence available to the company, including the medical reports compiled in 2003 and 2004 in the context of the data subject’s personal injury claim. Following her dismissal, the data subject brought a claim to the Labour Relations Commission against Baxter Healthcare under the Unfair Dismissals Acts 1977 to 2001. A hearing in relation to this case took place in April 2006 and the data subject alleged that, in the course of the hearing, copies of the medical reports were furnished by Baxter Healthcare to herself, to the Rights Commissioner and to all present. These medical reports had not been previously provided to her in response to her access request.
My Office conducted a detailed and extensive investigation of this complaint. This focused on two primary data protection issues, namely the use of the medical reports obtained to defend an insurance claim to support the dismissal of the data subject, and the disclosure of those same medical reports at a labour relations hearing. The company’s solicitor stated that the medical reports of the consultant neurologist were obtained for the legitimate purpose of defending personal injury proceedings instituted by the data subject and that the medical reports were also employed and required for the legitimate purpose of defending separate legal proceedings against Baxter Healthcare under the Unfair Dismissals Acts 1977 to 2001. It submitted that Section 2(1)(c)(i) of the Acts specifically envisages that the data may be obtained and used for more than one purpose, provided that both purposes are legitimate. It went on to state that Section 2(1)(c)(ii) of the Acts only prohibits further processing insofar as that processing is incompatible with the original purpose or purposes. It argued that the use of the reports to defend legal proceedings against Baxter Healthcare under the Unfair Dismissals Act could not be said to be incompatible with the original purpose, as the original purpose was to defend legal proceedings instituted by the data subject and the subsequent use was also to defend legal proceedings, albeit separate proceedings, by the data subject.
The data subject sought a decision on her complaint under Section 10(1)(b)(ii) of the Acts in June 2007. In my analysis of the data protection issues arising from this complaint, I found that the medical reports in question constitute ‘sensitive personal data’ within the meaning of the Acts. The medical reports were commissioned on behalf of Baxter Healthcare’s insurers, by its solicitors, for the purpose of the defence of the High Court personal injury claim instituted by the data subject. The reports were, however, used for three purposes:
· They were used for the purpose for which they were generated in the first place, i.e. for the defence by Baxter Healthcare’s insurers of the High Court personal injury claim instituted by the data subject.
· They were used in the decision taken by Baxter Healthcare to terminate the employment of the data subject.
· They were used to defend legal proceedings taken by the data subject against Baxter Healthcare under the Unfair Dismissals Act at a hearing in April 2006.
No data protection issue arose in relation to the first use of the medical reports by Baxter Healthcare’s insurers in the context of its defence of the personal injury claim brought by the data subject.
With regard to the second use by Baxter Healthcare of the medical reports in the decision to terminate the data subject’s employment, this was done without the data subject’s consent. The general requirements that must be complied with by a data controller under the Acts in relation to the personal data of a data subject include the following:
· the data shall have been obtained only for one or more specified, explicit and legitimate purposes;
· the data shall not be further processed in a manner incompatible with that purpose or those purposes;
· the data subject is informed of the purpose or purposes for which the data are intended to be processed.
The consent of the data subject is the default position, as it were, for the fair processing and obtaining of personal data. Where it is absent, the data controller may not process personal data unless it can find another basis in the Acts. The Acts provide for the following exemptions which were potentially applicable in the present case:
· the processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject (Section 2A(1)(d));
and (because sensitive data is involved)
· the processing is required for the purpose of obtaining legal advice or for the purposes of, or in connection with, legal proceedings or prospective legal proceedings or is otherwise necessary for the purpose of establishing, exercising or defending legal rights (Section 2B(1)(b)(vii)).
All of these conditions must be met.
In my analysis of this complaint, I considered that the purpose for which the medical reports were originally obtained (the defence by Baxter’s insurers of the High Court personal injury claim instituted by the data subject) was not compatible with their further use to support the data controller’s decision to dismiss the data subject. I considered that, in the absence of the data subject’s consent, this processing of the data subject’s sensitive personal data constituted a breach of the Acts.
With regard to the third use by Baxter Healthcare of the medical reports to defend legal proceedings under the Unfair Dismissals Act, the same considerations arose in relation to the further use of the sensitive personal data at a hearing before a Rights Commissioner in April 2006, with the aggravating factor that the sensitive personal data was further disclosed to those involved in the hearing.
However, I had to consider if the processing of personal data in this case might benefit from the exemption in Section 8(f) of the Acts which provides that: “Any restrictions in this Act on the processing of personal data do not apply if the processing is …required…for the purposes of, or in the course of, legal proceedings in which the person making the disclosure is a party or a witness.”
I formed the opinion that this exemption cannot apply to sensitive personal data which has already been improperly processed to support the decision (dismissal) which was the subject matter of the legal process. I concluded that the use of the medical records to defend the Unfair Dismissals claim constituted a further breach of the Acts.
For completeness, my Decision in this case also found that Baxter had failed to comply fully with an access request made by the data subject.
This case demonstrates the care which data controllers must exercise in the processing of all personal data, including sensitive personal data, in their possession. It is unacceptable for a data controller to seek to take advantage of personal data which may be in its possession and to use it for some purpose unrelated to the purpose for which it was originally obtained.
Data Protection Act 2018 (Section 36(2))
Cases
B v The General Medical Council
[2018] EWCA Civ 1497
Lord Justice Irwin:
In this case the General Medical Council [“GMC”] appeals the Order of Soole J of 23 September 2016, in which the judge granted an injunction against the GMC restraining disclosure of an expert report. The central facts are agreed between the parties and the claim has proceeded under CPR part 8, on the basis that there was no substantial dispute of fact.
For convenience the relevant provisions of the Data Protection Act 1998 [“DPA”] are set out in Annex 1 to this judgment.
The full factual background is set out in the judgment from the Court below in paragraphs 6 to 29. It is not necessary to recapitulate all of the facts but a summary is necessary.
The Respondent is a general medical practitioner and for a number of years he had a patient anonymised as “P”. P is a man in his 60s. Over a period of years P suffered difficulties in urinating, about which he consulted the Respondent Dr B. In September 2013, P was diagnosed as suffering from cancer of the bladder. On 8 November 2013, he complained to the GMC about his treatment by Dr B, in particular on 16 October 2012. The nub of his complaint was that Dr B had examined him and dealt with him incompetently, leading to an avoidable delay of about one year in the diagnosis of cancer.
P complained on 8 November 2013 and the GMC commenced an investigation of Dr B’s fitness to practise. The GMC instructed an independent expert GP to review the matter and the resulting report, consisting of 22 pages, was dated 14 May 2014. The report was delivered to the GMC and was the central element in their decision whether to take any action in relation to Dr B.
The report was critical of the care provided by Dr B in a number of respects, concluding that the care provided fell “below” but “not seriously below” the expected standard of care. A further conclusion was that most reasonably competent general practitioners would not have suspected bladder cancer, given two particular findings recited in the report.
On 19 May 2014, the GMC sent a copy of the report to Dr B. He was informed in the accompanying letter that the report would be forwarded to the relevant case examiners. On 17 July 2014, the GMC wrote again to Dr B and also wrote to P informing all parties that the case examiners, one of whom was medical and one of whom was a lay person, had taken the decision that there should be no further action. Attached to each letter was Annex A, summarising the reasons given by the case examiners for their decision. Annex A included a short summary of the expert’s comments taking approximately one page. It is helpful to produce that summary here, redacted so as to preserve anonymity:
“Expert report
The expert’s comments include the following:
Dr B should have asked the patient about blood in the urine as part of his assessment of lower urinary tract symptoms in order to exclude bladder pathology or renal/bladder stones. In addition he should have asked about bowel habit and general health as part of the assessment of abdominal pain to exclude the possibility of bowel pathology. However, as he arranged a urine test, his failure to ask about these was below but not seriously below the standard expected. This is because the urine test would have dealt with the presence or absence of blood or infection and if this were normal, there would be another opportunity to review the abdominal symptoms if they did not settle.
Dr B should have carried out an examination of the patient’s abdomen and external genitalia; his failure to do so represented a standard of assessment below, but not seriously below, that expected of a reasonably competent practitioner.
The prescription of Tamsulosin was reasonable; however, Dr B should have given the patient advice about the side effects of the drug; his failure to do so was only just below the standard expected of a reasonably competent GP.
The arrangements for follow up were recorded in the notes; even if the patient’s account is accepted, and no follow up was arranged, this would have demonstrated a standard of care below, but not seriously below, that expected of a reasonably competent GP.
There was no indication for any further investigations other than the urine test, which proved negative.
If the patient’s account is accepted, Dr B’s communication fell below the standard expected of a reasonably competent general practitioner but not seriously below.
The expert states that it is important to note that the patient did not complain of the presence of blood in his urine until prior to the consultation in June 2013 and nowhere in his complaint does he state that he told Dr B this. Contrary to the assertion in the letter of referral by Dr B’s colleague in June 2013, the previous urine tests had not shown any blood. The expert concludes that “most reasonably competent general practitioners would not have suspected bladder cancer on 16 October 2012 in the absence of a history of blood in the urine and this would have been confirmed by the laboratory result”.”
P’s solicitors requested disclosure of the report, initially pursuant to the Freedom of Information Act [“FOIA”]. This request was refused by the GMC on 9 October 2014, on the ground that to do so would breach the principles of the DPA, and thus FOIA s.40(5)(b)(i) was engaged.
On 11 September 2014, through his solicitors, P requested disclosure of the expert report. It is worth noting that the request was explicitly for the full report, not merely for P’s personal data contained within the report: see the judgment at paragraph 12. The report was the first on a list of requested documents. The GMC responded to the solicitors explaining that the request would be treated as a subject access request under Section 7 of the DPA and the solicitors agreed. The GMC then invited a response from Dr B on the question of disclosure of the report to P. His solicitors responded on his behalf on 17 October, 21 November 2014 and 6 March 2015 making clear Dr B’s opposition to disclosure.
The essence of Dr B’s arguments in these letters was as follows. Initially, Dr B’s solicitors suggested that the report contained “his own and not [P’s] personal data”, in that the report “relates to” Dr B as the “data subject”. The first letter cited Durant v Financial Services Authority [2003] EWCA Civ 1746. The use of the DPA as a vehicle for third party discovery with a view to litigation was misguided. The letter cited the provisions of the Access to Health Records Act 1990, which would enable P to acquire copies of his own records. There was no “public interest” in disclosing the expert report “for the purposes intended by [P] and his solicitors”.
In their letter of 21 November, Dr B’s solicitors’ position had shifted somewhat. They rejected the suggestion from the GMC that the letter contained the “sole” personal data of P, and asserted that the report contained the personal data of both P and Dr B. The letter noted that it was the clear intention behind the request to initiate litigation against Dr B, rather than a case where “a disappointed party requests disclosure with a view to taking advice as to whether to bring a legal challenge against a decision taken by the [GMC].” The “stated importance of transparency in GMC decision making is much reduced in circumstances involving an alternative motive” namely suing for compensation, and not concern about the GMC’s processes.
The solicitors emphasised that Dr B had not been invited to make, nor had he made, comments on the draft expert report. The report “contains criticisms of him … which [P] proposes to use … to secure compensation.” The interference in Dr B’s Article 8 rights was “more than trivial or modest”. Article 8 was certainly sufficiently wide to extend to the protection of a doctor’s reputation: see Mikolajova v Slovakia 4479/03 18 January 2011.
This letter also cited section 7(1)(c) of the DPA as conferring a right to have the communication of “information” in an “intelligible form”, not a right to documentation. P had already received the relevant information in intelligible form, in the shape of Annex A.
The GMC reasoning was refined and set down in an email of 12 February 2015 disclosed to the judge. Following consideration of the Information Commissioner’s Code of Practice, the relevant advisor emphasised that:
“… The GMC has a legitimate interest in ensuring openness and transparency when making decisions that affect an individual. The full report, which contains Mr S’s personal data, and upon which a decision was taken in relation to Mr S and the treatment he received is based, should be disclosed to fulfil this obligation. The report contains the findings of an independent expert, who has provided the GMC with full consent to disclose, and as such there could be no justification in withholding this report from Mr S.
In relation to Art.8 HRA, it states that: There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. We have to balance the rights and interests of both parties. As stated above, the report is based on the findings of an independent expert and is in no way intended to prejudice either side. Failure to disclose the findings of an independent expert would most likely be a breach of the Human Rights Act in terms of our obligations to protecting the health, as well as the rights and freedoms of the data subject (i.e. [P]). The report contains data that relates to both parties, (and it could be argued that both parties may very well disagree with certain aspects of the report) – by not disclosing to one party, we could be said to be biased and acting against the interests of the party, in contravention of our obligations under DPA/HRA.”
The GMC took the decision to disclose the report for reasons summarised in their letter to Dr B’s solicitors of 13 February 2015. The reasons given by the GMC’s Information Access Managers were very close to the reasoning in the internal email of the day before. The salient passages read:
“You raise concerns about our view on the expert report in the context of the Durant judgment. It remains our view that the expert report is the joint personal data of Dr B and [P]. As such it is our view that the consideration of the disclosure of the report was correctly considered via the balancing exercise required under S.7(4) to 7(6).
Following receipt of your letter I have asked a colleague to undertake a review of my original balancing decision. Having done so, they are of the view that disclosure of the expert report to [P] is appropriate.
You have referenced DPA Schedule 2 conditions in the context of the requirement for any processing to be necessary. This needs to be considered, in the context of condition 6(1), coupled with legitimate interest and proportionality. The GMC has a legitimate interest in ensuring openness and transparency when making decisions that affect an individual. It is, in our view, necessary that the full report, which contains [P]’s personal data, and upon which a decision was taken in relation to [P] is based, should be disclosed to fulfil this obligation.
In relation to Article 8 HRA, it states that: There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. We have to balance the rights and interests of both parties. As stated above, the report is based on the findings of an independent expert. Failure to disclose the findings of an independent expert would most likely be a breach of the Human Rights Act in terms of our obligations to protecting the health, as well as the rights and freedoms of the data subject (i.e. [P]). The report contains data that relates to both parties, (and it could be argued that both parties may very well disagree with certain aspects of the report) – by not disclosing to one party, we could be said to be biased and acting against the interests of the party, in contravention of our obligations under DPA/HRA.”
The GMC agreed to suspend the intended disclosure pending the decision of the High Court. Dr B’s claim was brought under two heads, firstly the DPA and secondly in reliance on Article 8 of the ECHR. By the time of the hearing before Soole J, it was common ground that the Article 8 claim added nothing to the DPA claim and the case therefore proceeded on the application of Section 7 of the DPA, although the submissions and the decision of the judge took full cognizance of the parties’ Article 8 rights.
The Judge’s Reasoning
The judge began by analysing the history and facts, including the correspondence between the parties and the internal email traffic within the GMC, some of which I have touched on above.
The Information Access Manager of the GMC was a Mr Julian Graves, the recipient of the email advice of 12 February 2015 quoted above. The judge noted that Mr Graves recognised the information was clearly being sought to further a potential claim for clinical negligence against Dr B. It was not submitted to the judge, nor to us, that this was inaccurate or an error. Nevertheless, he concluded that the report should be disclosed. Mr Graves recognised, as the judge put it, “the validity of the concern that the report was being sought in order to pursue litigation” but in fact did not think it would assist P in any claim for negligence. Mr Graves went on to take account of the “transparency of [the GMC] decision-making process”. He had in mind Rule 12 of the GMC Fitness to Practise Rules, under which an affected patient can request a review of a decision not to proceed.
The judge noted that by the time the case came before him the parties were agreed that the personal data of P and Dr B were “inextricably mixed” in the report. Where there cannot be compliance with a subject access request without disclosing information relating to another data subject, there had to be a balancing exercise pursuant to Section 7 of the DPA, although that exercise had to be considered in the context of Article 8 and fairness at common law.
The judge also noted that the Court must conduct a more intensive review of that balancing exercise than would arise from application of the “traditional Wednesbury test”. The judge noted that the primary objective of the EU Directive 95/46, enshrined in the DPA, was “to protect the right to privacy and accuracy of their personal data held by others”, see Durant, per Auld LJ at paragraph 4, and Buxton LJ at paragraph 79, and see YS v Minister Voor Immigratie [2015] 1 CMLR 18.
The Judge then set out the relevant provisions of the DPA, including the critical passages from ss.7(4) and 7(6). He noted the remark of Auld LJ at paragraph 55 of Durant that, in the absence of consent, there was a rebuttable presumption or starting point against disclosure. The judge considered the four non-exhaustive factors identified in s.7(6). He noted the obligation to process personal data “lawfully” (Schedule 1, Part 1, paragraph 1) and in compliance with the data controller’s legal obligations (Schedule 2, Condition 3), taken together with Schedule 2 Condition 6, including the “Article 8/common law right of privacy; which must therefore be taken into account in the s.7(4) balancing exercise”: judgment, paragraph 46.
The judge cited various authorities to the effect that the relevant information was the private information of Dr B, but went on to note:
“53. Whilst accepting that the Report’s information about Dr B is private information, Mr Hopkins submits that he did not have a reasonable expectation that the Report would be kept from P. On the contrary, his reasonable expectation should have been that it would be disclosed to him (although not to the public generally) if requested under s.7. In disagreement Ms Proops in particular points to the GMC’s practice of providing only a summary of the expert report to the complainant in the event of deciding to take no further action – as in this case.”
The judge went on to consider more closely the “purpose” of a request under the DPA. He quoted the passages from paragraphs 26 and 27 of the judgment of Auld LJ in Durant, to the effect that the purpose of the legislation was to enable the individual (the data subject) to obtain the information which concerned him, but not “to be provided with documents as such” (paragraph 26). The purpose was to enable him to check whether the processing of the information was lawful, and if not, to invoke the remedies under the Act (paragraph 27). The judge noted that the logic of these remarks had been followed in the first instance decision in Dawson-Damer v Taylor Wessing LLP [2016] 1 WLR 28.
The judge continued:
“58. Conversely in Dunn v. Durham County Council [2013] 1 WLR 2305 Maurice Kay LJ said (obiter) in a case concerning disclosure under CPR 31: “I do not doubt that a person in the position of the claimant is entitled – before, during or without regard to legal proceedings – to make an access request pursuant to section 7 of the Act. I also understand that such a request prior to the commencement of proceedings may be attractive to prospective claimants and their solicitors. It is significantly less expensive than an application to the court for disclosure before the commencement of proceedings pursuant to CPR 31.16. Such an access may result in sufficient disclosure to satisfy the prospective claimant’s immediate needs.”: see also Gurieva v. Community Safety Development Ltd [2016] EWHC 643 (QB) per Warby J at paras.67-72 (‘It is commonly said that the subject access regime under the DPA is “purpose blind”’); also Kololo v. Commissioner of Police [2015] 1 WLR 3702 and Zaw Lin v. Commissioner of Police [2015] EWHC 2484 (QB).
59. The Defence pleads that the requester’s intention to use the information in furtherance of litigation is not of itself a reason for refusing the request. Mr Hopkins accepted, rightly in my judgment, that it was a factor which could be taken into account in the balancing exercise. However he submitted it should be given no significant weight in this case.”
The Judge noted the submissions on behalf of Dr B that the GMC’s balancing exercise had failed to give sufficient weight to Dr B’s privacy, and had given no or no adequate weight to the litigation purpose. The focus of the relevant report was on Dr B. The personal data of P was “incidental”. Disclosure would be damaging to Dr B’s professional reputation (and mental health). The refusal of the GMC to disclose the report pursuant to FOIA was inconsistent with the GMC’s decision to disclose under the DPA: disclosure under FOIA was proper where it was “in the public interest”. Yet it was proposed to publish under the DPA in order to demonstrate the transparency of the GMC processes. These decisions could not stand together. Disclosure of such material pursuant to s.35B of the Medical Act 1983 was invariably done subject to a Non-Disclosure Agreement, again an approach inconsistent with disclosure now proposed, since there would be no constraint on what P did with the report once disclosed. Not only was this disclosure sought for litigation, at variance with the purpose of the statute, but it would act to sidestep “the requirements and constraints of CPR 31”.
In reply, the counsel for the GMC argued that the report focussed equally on P and Dr B, and included “sensitive personal data”, as defined by s.2, of P alone. Dr B had no reasonable expectation that the report would not be made available to P. Any risk of damage to professional reputation was already present because of the summary, already in P’s possession. There was no evidence that P would misuse the report by making it public: the summary had not been misused. There was no evidence of risk to Dr B’s health. The report itself would advance P’s understanding beyond the summary. There was a “legitimate and weighty public interest” in the transparency of the GMC’s processes, and no inconsistency with refusal to disclose “to the world” under FOIA or the Medical Act 1983. The balancing exercise had been appropriate.
The judge concluded that the GMC had fallen into error and “got the balance wrong”. They failed to begin with a presumption against disclosure. They gave no adequate weight to Dr B’s status as a data subject and to his rights of privacy in the undisclosed material. The real focus of the report was on Dr B’s professional competence.
The judge did not accept that Dr B’s “reasonable expectation” was that the report would be disclosed to P: rather the reasonable expectation was that a lawful balancing exercise would be carried out. That expectation would be “fortified” by awareness of the GMC’s practice “in disclosing only a summary” in such circumstances. Given the way the GMC approached the matter, they had never given any real weight to Dr B’s privacy rights, and had focussed instead on P’s rights and the issue of transparency. They had taken no adequate account of Dr B’s express refusal of consent, nor of the intended use of the report for the purposes of litigation, which was the “dominant purpose” behind P’s request. That was important, even though it was right that there was no evidence of any abuse of the summary already provided.
The judge noted the GMC’s practice in requiring a Non-Disclosure Agreement before disclosing a report under s.35B of the Medical Act, and noted the provisions of CPR Part 31; both pointed away from the approach advanced by P. The judge added:
“82. If the GMC had considered that the principles of transparency and equality required a supply of the full Report to a complainant (such as P) in circumstances where no further action was taken, its policy and practice would doubtless have reflected this. If so, the complainant’s entitlement would not be dependent on making a request under s.7 DPA or otherwise. In the absence of such a policy or practice, I do not consider that the GMC is entitled to give any particular weight to this factor (and whether expressed as the legitimate interest of P or itself) in the balancing exercise between the parties. To do so is in effect to revise its policy by the side-wind of the DPA; and thereby to defeat the other data subject’s reasonable expectation of privacy.”
For those reasons, the judge allowed Dr B’s claim.
The Grounds of Appeal
The GMC advance four Grounds of Appeal as follows:
i) That it was an error to proceed on the basis that, in a case of “mixed personal data” there is a rebuttable presumption against disclosure.
ii) That it was an error to hold that, where the sole or dominant purpose behind a Subject Access Request is to obtain information for the purpose of litigation, that was a weighty factor in favour of refusal.
iii) That the Court’s reasoning was flawed in holding that the GMC (a) gave inadequate consideration to Dr B’s privacy rights, (b) took inadequate account of Dr B’s express refusal of consent, and (c) underestimated the incremental impact of the disclosure of the report over and above the summary.
iv) That the Court (a) “effectively substituted” its own assessment of the case for disclosure, rather than review the decision of the data processor, (b) over-estimated the risk of P publishing the report, and failed to consider that Dr B had preventive legal options open to him to block such abuse, and (c) gave inadequate consideration to P’s “fundamental rights … to obtain and understand information about him of a highly sensitive nature”.
I will address the Grounds in turn. The submissions to us in support and in opposition to the Grounds broadly mirrored the submissions below save where more recent authority arose.
Ground 1: That it was an error to proceed on the basis that, in a case of “mixed personal data” there is a rebuttable presumption against disclosure
The formulation of a “rebuttable presumption against disclosure” was drawn directly from the dictum of Auld LJ in Durant. The GMC argues that the judge overstated the effect of Auld LJ’s remarks. As that judge made clear, any such presumption could be overturned by showing that disclosure would be reasonable, within s.7(4). Moreover, the Appellant submits that these words were obiter dicta.
The Respondent argues that the structure of the Act itself gives rise to the presumption, in the sense that where consent is refused under s.7(6) in a mixed data case, s.7(4) exempts the data processor from the duty to disclose, save where the disclosure is reasonable. The Respondent rejects the argument that these remarks in Durant were obiter dicta; rather they formed a key element in the ratio decidendi when deciding that the redaction of data in that case could not be challenged. In any event, says the Respondent, this ground is not critical to the decision, since the judge had substantive grounds for quashing the GMC decision.
In my view, the remarks of Auld LJ in Durant did form part of the ratio of that decision. It may be that the term “presumption” is unhelpful, if it is thought to imply a continuing perspective on what is reasonable in a particular case, rather than truly a “starting point”. In my view the statutory provisions, and paragraphs 55 and 56 of Durant need to be read together. It seems to me that the “starting point” in a mixed data case means no more than to underscore that there are competing rights in question, and thus the data controller cannot override the rights of the objecting data subject, unless it is reasonable to do so.
On this issue, as on others, it seems to me helpful to bear in mind the remarks of Lewison LJ in Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd and Others [2017] EWCA Civ 121, [2017] 3 WLR 811, as to the scheme and purpose of a Subject Access Request:
“82. The underlying purpose of the right of access to personal data is for the data subject to check the accuracy of the data and to see that they are being processed lawfully. The first place where this point is made is in recital (41) which I have quoted. In Rotterdam v Rijkeboer the court said at [49]:
“That right to privacy means that the data subject may be certain that his personal data are processed in a correct and lawful manner, that is to say, in particular, that the basic data regarding him are accurate and that they are disclosed to authorised recipients. As is stated in recital 41 in the preamble to the Directive, in order to carry out the necessary checks, the data subject must have a right of access to the data relating to him which are being processed.”
83. The court repeated this in YS v Minister voor Immigratie at [44]. Auld LJ made a similar point in Durant at [27]. In the same case Buxton LJ said at [79]:
“The guiding principle is that the Act, following Directive 95/46, gives rights to data subjects in order to protect their privacy. That is made plain in recitals (2), (7) and (11) to the Directive, and in particular by recital (10)…”
84. In Johnson v Medical Defence Union [2007] EWCA Civ 282, (2007) 96 BMLR 99 at [1] he said that the protection of privacy was the “central mission” of the Directive; and at [16] that it was not easy to extract any other purpose from it.
85. It is, however, true that as the Information Commissioner submits, the right of access under section 7 of the DPA is not subject to any express purpose or motive test. Nor is a data subject required to state any purpose when making a SAR.
86. It has been suggested, based on Durant, that the making of a SAR for a collateral purpose such as to obtain documents for the purposes of litigation entitles the data controller to refuse to comply with the request. An alternative way of putting the point is that it is disproportionate to require him to do so in such circumstances. I do not consider that this is a valid objection. First, the target of a SAR is not documents; it is information. I return to this point below. Second, in principle the mere fact that a person has collateral purposes will not invalidate a SAR, or relieve the data controller from his obligations in relation to it, if that person also wishes to achieve one or more of the purposes of the Directive: compare Iesini v Westrip Holdings Ltd [2009] EWHC 2526 (Ch), [2011] 1 BCLC 498 at [119] to [121]. Third, there is now a considerable body of domestic case law which recognises that it is no objection to a SAR that it is made in connection with actual or contemplated litigation: Ezsias v Welsh Ministers [2007] EWHC B15 (QB), [2007] All ER (D) 65 (Dec) at [51]; Dunn v Durham CC [2012] EWCA Civ 1654, [2013] 2 All ER 213 at [16]; Kololo v Commissioner of Police of the Metropolis [2015] EWHC 600 (QB), [2015] 1 WLR 3702 at [35] to [36]; Zaw Lin v Commissioner of Police of the Metropolis [2015] EWHC 2484 (QB) at [114]; Guriev v Community Safety Development (UK) Ltd [2016] EWHC 643 (QB) at [72].
87. Fourth, section 27 (5) of the DPA provides that apart from exemptions contained in the DPA itself, the subject information provisions prevail over any other enactment or rule of law.
88. Fifth, there is a sufficient safety net in the form of the EU doctrine of “abuse of rights”. This is a principle of interpretation of EU legislation which applies across the board: for example to commercial activities, the common agricultural policy, marriages of convenience, VAT planning and so on. The topic is the subject of a comprehensive discussion by Advocate General Poiares Maduro in (Joined Cases C-255/02 and C-223/03) Halifax plc v Customs and Excise Commissioners [2006] Ch 397 at [62] to [71], and by the Supreme Court in HMRC v Pendragon plc [2015] UKSC 37, [2015] 1 WLR 2838. This court expressed a similar view in Dawson-Damer at [109] by reference to the domestic principle of abuse of process. I do not think that there is much difference between the two approaches in this context.
89. Finally, the point is now put beyond doubt by the recent decision of this court in Dawson-Damer at [108].
90. In some cases, it has been said that the supply of information does not tell the data subject anything he or she did not already know. In many cases that would miss the point. To take a simple example: everyone knows their own name and date of birth. A data subject may well make a SAR, not for the purpose of discovering his name or date of birth, but for the purpose of checking whether the data controller has correctly recorded them. A data subject will know his own address, and may make a SAR in order to discover to whom the data controller has disclosed those data. Likewise a data subject may ask for information about a particular meeting that he or she attended, not for the purpose of finding out what happened at the meeting (which is already known), but for the purpose of checking the accuracy of any personal data recorded in a note of the meeting. It is thus not necessarily an answer to a SAR to say that the data subject already knows what happened at the meeting. However, the case is different where the only relevant personal data are contained in a particular document (or documents) and that document has (or those documents have) been provided to the data subject. In a case in which the document or documents have already been provided otherwise than under a previous SAR the fact that they have already been provided may go to the exercise of the court’s discretion under section 7 (9). Moreover where the focus of a SAR is (as is often the case) a request for copies of documents rather than personal data, the fact that the data subject was either the author or recipient of the document in question would also be highly relevant to the exercise of discretion.”
In that passage, Lewison LJ quotes with approval the remark of Buxton LJ in Durant: the “guiding principle” of the DPA is to enable data subjects to “protect their privacy”. It seems to me that principle necessarily gives rise to a “starting point”, in a mixed data case, that private information should not be revealed. That does not mean that there is a continuing presumption – a gradient which the requesting data subject must climb – before the data controller satisfies a SAR. The data controller must start from the objection and then consider all the circumstances and decide what is reasonable: no more, no less.
In my view, the judge may have placed somewhat too much weight on this formulation, but it was not critical for his decision. Of more importance were his substantive considerations.
Ground 2: That it was an error to hold that, where the sole or dominant purpose behind a subject access request is to obtain information for the purpose of litigation, that was a weighty factor in favour of refusal
It is now well established that in general it is no objection to a SAR that it is made in connection with actual or contemplated litigation: see Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74, [2017] 1 WLR 3255 and see Ittihadieh, paragraph 86, and the authority recited therein.
However, none of those cases addresses directly the question arising here: albeit an intention to litigate is not a bar, is it a relevant circumstance that litigation is planned by the one data subject against the other data subject, in a mixed data case? Should that consideration form part of the decision as to whether it is reasonable to override the privacy of the objecting data subject? In my view, it is inevitable that it should.
It seems to me a proper aspect of privacy, well within the ambit of the rights protected by the DPA regime and by Article 8, that personal data should be kept confidential so as to prevent or diminish the prospect of hostile litigation. This is a quite separate consideration from legal professional privilege. Indeed, the scheme of the law concerning disclosure underscores this point. There is no obligation to divulge private information which may assist litigation until the relevant groundwork has been laid, in this context so as to satisfy CPR Part 31. Thus, while the prospect of litigation is in general no bar, and whilst I accept (subject to a qualification I will shortly enter) the remark of Warby J in Guriev v Community Safety Development (UK) Limited [2016] EWHC 643 (QB) that it is “commonly said that the subject access regime under the DPA is ‘purpose blind’” (see paragraph 67), that judge too was considering a case where the SARs were made in respect of unmixed personal data. In my view, the “common saying” might wisely be qualified: “in the absence of mixed personal data, the DPA regime is purpose-blind”. So far as can be discerned, all the reported cases bearing on this issue are cases where those making the SARs were seeking their own personal data rather than seeking mixed data, where another data subject was the proposed or potential defendant.
The relevant guidance from the Information Commissioner in relation to requests bearing on requests for the purpose of potential proceedings is short:
“Where legal professional privilege cannot be claimed, you may not refuse to supply information in response to a SAR simply because the information is requested in connection with actual or potential legal proceedings. The DPA contains no exemption for such information; indeed, it says the right of subject access overrides any other legal rule that limits disclosure. In addition, there is nothing in the Act that limits the purposes for which a SAR may be made, or which requires the requester to tell you what they want the information for.
It has been suggested that case law provides authority for organisations to refuse to comply with a SAR where the requester is contemplating or has already begun legal proceedings. The Information Commissioner does not accept this view. Whether or not the applicant has a ‘collateral’ purpose (ie other than seeking to check or correct their personal data) for making the SAR is not relevant.”
This guidance does not address mixed personal data.
The guidance addressing SARs “involving other people’s information” is also relatively short. It is not necessary to reproduce more than a brief paragraph:
“Circumstances relating to the individual making the request. The importance of the information to the requester is also a relevant factor. The need to preserve confidentiality for a third party must be weighed against the requester’s right to access information about his or her life. Therefore, depending on the significance of the information to the requester, it may be appropriate to disclose it even where the third party has withheld consent.”
This guidance does not address the case where information is sought for the purpose of litigation against the “mixed” data subject.
I repeat that I should not be understood to mean that in mixed data cases, an intention to litigate represents an inevitable bar to release of information. However, it seems to me that the judge was correct in thinking this is a significant matter to be weighed in the balance, as a necessary part of the consideration whether it is reasonable to override the refusal of consent by the data subject who is seeking to protect their personal data.
If I am wrong about this, it may have very wide consequences. It would likely mean that in any case where the personal data of an individual is part of an expert report commissioned by a professional body following a complaint, that report could be obtained by the requesting data subject without regard to the privacy rights of the professional. Very often, as here, the professional will have no option but to be made the subject of such a report. This has potential implications beyond medicine and the other health professions. Financial professionals might easily be faced with the same problem. If I am wrong, then this route will be an obvious way to circumvent the requirements of the CPR, and it is easy to conceive how such an approach may lead to professional complaints which would not otherwise be made, and which are made in fact only to achieve the contingent benefit of free access to a professional review, where the potential professional defendant cannot raise the obvious objections.
I do not mean that “floodgates” considerations are a proper basis for distorting the meaning of the provisions of the DPA, even if the consequences are as I consider they may be. I am simply of the view that it is, or can be, a perfectly reasonable consideration on the part of the professional, whose personal data are mixed in such a report, that the report is sought in order to sue him or her. In my view the data controller should have regard to that matter. It is clear the GMC did not do so here.
It is no argument against the view taken by the judge that s.27(5) of the DPA provides that “the subject access provisions shall have effect notwithstanding any enactment or rule of law prohibiting or restricting the disclosure, or authorising the withholding, of information.” This is not a question of the disclosure provisions of CPR Part 31 being given effect, wrongly, at the expense of the DPA. The point in question here is that there are competing privacy interests to be protected as part of the very operation of the subject access provisions of the DPA itself.
I have considered whether consideration of the question of litigation would place too heavy a burden on a data controller faced with a decision concerning mixed data. However, it does not seem to me that concern can be a valid objection to considering a “litigation purpose” where that properly arises. Firstly, it is a practical point and cannot alter the meaning of the statute. Secondly, these decisions inevitably encompass some difficult balancing factors: the existing guidance from the Information Commissioner makes that tolerably clear. Thirdly, in the circumstances of this case, and of parallel professions, the data controllers will be professional bodies perfectly sophisticated enough to address this issue.
For these reasons, I consider the judge was correct to hold that the prospect of litigation was a “weighty consideration” which should have been borne in mind by the GMC, and that they failed to do so.
Ground 3: That the Court’s reasoning was flawed in holding that the GMC (a) gave inadequate consideration to Dr B’s privacy rights, (b) took inadequate account of Dr B’s express refusal of consent, and (c) underestimated the incremental impact of the disclosure of the report over and above the summary
Here too I reject the attack on the approach taken by the judge. It appears to me a tenable and reasonable view of the GMC’s approach, as evidenced by their internal and external communications, that they failed properly to consider Dr B’s privacy rights. I remind myself that there is no issue but that Dr B’s privacy rights under Article 8 were engaged, and that some of the material the GMC wished to disclose constituted his personal data. Criticism of a professional in the context of a formal disciplinary complaint, even where that criticism is not such as to found disciplinary or regulatory proceedings, can lead to important reputational damage. In many professional contexts, although less obviously here, it would be predictable that such reputational damage might easily lead to financial loss. The privacy rights engaged are not obviously trivial. In my view it was not, and is not, obvious that Dr B’s rights should be trumped by P’s request. In my view, the necessary balancing exercise required a weighing up of any gain to P represented by the additional information, set against the loss of privacy to Dr B. P already had the summary and knew not merely the personal data on which the expert had reported, but his conclusions. If there was any inaccuracy in the personal data on which the report had been obtained, he was already in a position to challenge and correct it. He lacked only the detailed reasons for the expert’s conclusions.
I look in vain for any proper consideration of Dr B’s rights by the GMC. Beyond recording Dr B’s concern that disclosure would encourage legal claims in general, there is no formulation or account of his Art 8 rights and no considered weighing of the relative interests of the two data subjects expressed anywhere in the evidence. It appears to me that, by contrast, the data controller had P’s rights well in mind, for example referring to him as “the” data subject. It is also clear that the GMC was centrally concerned to demonstrate the transparency of their own processes. There was also a concern about P’s rights under the HRA 1998. There was no expressed concern about Dr B’s privacy and no more than an assertion that a balancing exercise had been conducted.
I would thus reject the criticisms of the judge on this Ground.
Ground 4: That the Court (a) “effectively substituted” its own assessment of the case for disclosure, rather than review the decision of the data processor, (b) over-estimated the risk of P publishing the report, and failed to consider that Dr B had preventive legal options open to him to block such abuse, and (c) gave inadequate consideration to P’s “fundamental rights … to obtain and understand information about him of a highly sensitive nature”
It will be clear from the foregoing paragraphs that I consider the judge properly fastened on errors of approach by the GMC, and I do not consider he merely “effectively substituted” his own assessment of the case for disclosure. Nor do I accept that the judge gave inadequate consideration to P’s “fundamental rights to obtain … information of a highly sensitive nature”. It seems to me the last criticism blurs a necessary distinction.
The mixed data did indeed contain “sensitive personal data” of P, within the definition in s.2(1)(e) of the DPA. However, it seems to me that the summary had already provided that information to P. There was no factual information as to P’s “physical or mental health or condition” which was not provided in the summary. What was not contained in the summary was the full reasoning of the expert as to his or her conclusions on the quality of care provided by Dr B. It does not seem to me that material falls within the definition of “sensitive personal data”. In broad terms, the withheld information did not relate to P’s physical or mental health or condition, but rather was comment and opinion on Dr B’s assessment of that health or condition and his actions (or inaction) proceeding from that assessment.
It may be that the judge placed rather too much emphasis on the risk of “unauthorised” disclosure of the report by P. There was indeed no evidence of misuse of the summary by P. However, it is surely part of a rational consideration of the competing interests here that, once such a report is communicated to a data subject, there may be formidable obstacles in the way of any further legal remedy to publication by someone in P’s position. Any attempt at such a remedy would be bound to be met by the argument that the data controller had balanced the competing considerations and found that P’s interests and rights in disclosure properly overrode those of Dr B, and had done so, moreover, without requiring P to enter a data protection agreement, a measure exacted by the GMC in other, broadly analogous circumstances.
Conclusion
Following his decision, the judge received submissions as to what Order he should make, and subsequently made the Order of 22 September 2016, preventing the disclosure of further information to P. In my view that was an appropriate Order, since P had already received sufficient information as to what of his own personal data was held by the GMC.
For these reasons, I would dismiss the appeal.
Lord Justice Sales:
I refer to a case involving personal data of the person making the subject access request (“SAR”) which also comprise personal data of another person as a “mixed data” case. In the case before us, it is common ground that the entirety of the expert report obtained by the GMC (“the Report”) should be regarded as comprising the mixed personal data of Dr B and P and that there is no distinction to be drawn between the data themselves and the contents of the Report. Thus, although there is no right under section 7 of the DPA to be provided with documents when a SAR is made, as opposed to being provided with “the information constituting any personal data of which [the individual making the SAR] is the data subject” (section 7(1)(c) of the DPA), the distinction between documents and information constituting personal data which may be important in some cases has no materiality in this case.
In respectful disagreement with Irwin LJ, I would allow the appeal on each of the four grounds advanced by Mr Hopkins for the GMC. I discuss each ground of appeal in turn below.
In addition to the account of the facts presented by Irwin LJ, it is relevant to refer to an internal memorandum of the GMC dated 31 October 2014, from Mr Julian Graves (Information Access Manager), which set out the consideration of the balance of interests under section 7(4)-(6) of the DPA which was the foundation of the GMC’s decision to disclose the Report to P, and which it continued to defend throughout the proceedings (see [17]-[24]). The memorandum considered both the SAR from P and the written representations made by Dr B’s solicitors setting out his objection to disclosure of the Report and the reasons for that objection. In the memorandum, Mr Graves correctly identified this as a mixed data case and referred to the regime for balancing the interests of P and Dr B as set out in section 7(4)-(6). He wrote this:
“It is clear that [Dr B], via BLM [his solicitors], is concerned about the perceived encouragement to the claims industry that would be given by the GMC should disclosure be made and I accept that this is a valid concern. However, the report itself is largely supportive of the actions taken by [Dr B] and as such I am doubtful that the disclosure of the report will assist [P] in any legal action he chooses to take.
Nevertheless, taking account of the transparency of our decision making process, I feel there is a strong case to justify providing [P] with a document which played a key role in the GMC’s decision to close his complaint at an early stage. There is certainly the potential for [P] having considered the comment of the expert, to seek a Rule 12 review with the GMC. His opportunity for doing this without sight of this key piece of evidence will undoubtedly be hampered.
My decision on balance is therefore that the report should be disclosed to [P] on the basis that disclosure would be, on balance, fair and lawful and not in breach of the DPA Principles. I believe that Schedule 2, conditions 3 and 6 are satisfied in this case. …
Given the robustness of the objection raised by BLM, I would suggest that the advice that we intend to disclose the documents [after prior notice to BLM] in order that they may decide if they wish to take further action.”
The reasoning here is tolerably clear. P’s complaint to the GMC about the conduct of Dr B was dealt with under the General Medical Council (Fitness to Practise) Rules 2004 (SI 2004/2608). The complaint was referred to case examiners pursuant to rule 8 for investigation, in the course of which the Report was commissioned. In light of the Report, the case examiners decided that the allegation against Dr B should not proceed further. Thus, P had an interest to see the detail of the information about him and his medical treatment as set out in the Report in order to check that the expert and the case examiners had made a proper evaluation of his complaint on the basis of accurate information about him. Further, under rule 12, P had a right to seek a review of the decision not to proceed with his complaint, if he could persuade the Registrar of the GMC that the decision was materially flawed or that there was new information available which may have led to a different decision (rule 12(4)). Provision of the detail of the information about him as set out in the Report would allow him to check to see if there was any inaccuracy in that information which might have affected the views expressed in the Report, or if any significant relevant information about him had been omitted. Also, the reference to the objections to disclosure raised in correspondence by BLM on behalf of Dr B shows that Mr Graves was well aware, and took into account, that Dr B strenuously objected to the disclosure of the Report to P. Mr Graves plainly gave weight to that factor, in that he expressed his conclusion in favour of disclosure as being one arrived at “on balance” and by recommending that the disclosure not occur immediately, but only after giving notice to Dr B to allow him to take legal proceedings, if so advised.
In my view, this reasoning by the GMC is legitimate and proper. A person who makes a complaint about a doctor with respect to the medical treatment he has received has a legitimate interest in understanding, and being in a position to check, the basis in respect of his personal data for a decision by the GMC not to pursue the allegation by instigating a disciplinary procedure against the doctor. The complainant also has a legitimate interest in receiving information which will enable him to see whether there may be grounds for making a request for a reconsideration pursuant to rule 12. These are interests which are within the scope of the type of interest which the subject access rights under Article 12 of the Directive and section 7 of the DPA are intended to safeguard.
Further, the reasoning makes it clear that Mr Graves had considered Dr B’s objection that disclosure of the Report would provide undue assistance to P if he decided to commence legal proceedings against Dr B in respect of his treatment. Mr Graves concluded that the Report was unlikely to help P very much, because it had largely exonerated Dr B from blame. In my view, this assessment was plainly rationally open to Mr Graves to make and cannot be faulted.
Ground 1: improper reliance on an alleged presumption that there should be no disclosure in a mixed data case.
In my view, the judge was in error in saying that there is a presumption under section 7(4) of the DPA in favour of a person who has not consented to or who objects to disclosure (“the objector”) pursuant to a SAR in a mixed data case as against a person requesting disclosure (“the requester”), and in criticising the GMC for failing to adopt this as the starting point for its consideration under section 7(4) whether disclosure should be given in this case of the data in the expert’s report: see [68] and [88(2)].
The judge’s position on this was taken from a passage in the judgment of Auld LJ in Durant v Financial Services Authority [2003] EWCA Civ 1746; [2004] FSR 28 at [55], where he said this:
“There are two basic points to make about the scheme of sections 7(4)-(6), and 8(7), for balancing the interests of the data subject seeking access to his personal data and those of another individual who may be identified in such data. The first is that the balancing exercise only arises if the information relating to the other person forms part of the “personal data” of the data subject, as defined in section 1(1) of the Act. The second is that the provisions appear to create a presumption or starting point that the information relating to that other, including his identity, should not be disclosed without his consent. The presumption may, however, be rebutted if the data controller considers that it is reasonable “in all the circumstances”, including those in section 7(6), to disclose it without such consent.”
In relation to the first ground of appeal, I do not consider that we are bound, as a matter of authority, to accept and follow Auld LJ’s observation concerning his second point. In my opinion, it does not form part of the ratio decidendi of his judgment or the decision in the case. This is indicated by Auld LJ’s own slightly tentative way of expressing himself in [55] (“… the provisions appear to create a presumption …”) and by the fact that his observation was not critical to the decision in the case. Most of the disclosure requested by Mr Durant did not comprise his personal data at all (and so, as a result of the first basic point made by Auld LJ, did not fall within the regime in section 7(4)-(6) governing cases involving mixed data); and for the two instances where mixed data was involved, it is clear that Auld LJ considered that redaction of the relevant information in question (the names of persons who had had conversations with Mr Durant) was reasonable whatever starting point or presumption was applied (if any), because the information was “of little or no value to Mr Durant”, whereas the objectors had good reason to request that their names should not be provided to him, since he had abused them over the telephone: see [67].
As we are not bound by precedent, we have to consider Mr Hopkins’s submissions in support of this ground of appeal on their merits. In my view, Auld LJ was wrong to identify a basic presumption or starting point in favour of the objector in a mixed data case. Presumptions come in various different forms and with different effects in the law. Sometimes the only function that a presumption has in a particular context is to operate as a tie-breaker at the end of a process of analysis, if all other competing factors are otherwise precisely in balance. But to say that a presumption applies as a starting point for a particular exercise of analysis (rather than as a final tie-break) suggests that there is some significant hurdle or threshold which one party has to overcome before a decision can be made in his favour.
The disclosure regime under section 7(4)-(6) of the DPA seeks to strike a balance between competing interests of the requester and the objector, both of which are anchored in the right to respect for private life in Article 8 of the European Convention on Human Rights (“ECHR”), as reflected in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (“the Directive”). The recitals to the Directive explain that data-processing must respect the fundamental rights and freedoms of individuals, notably the right to privacy (see Recitals (2), (7) and (10)); and Article 1(1) confirms this. As part of the rights or interests of data subjects which the Directive is intended to protect, data subjects are accorded a right under certain conditions to have access to their personal data held by a data controller to check that those data are accurate: Article 12. A data subject’s right to respect for his private life may be infringed if things are done by a data controller on the basis of personal data about him which are materially wrong or inaccurate in some way. Such a subject access right is important in helping individuals ascertain whether their personal data are correct and are being processed lawfully: see Cases C-141/12 and C-372/12, YS v Minister voor Immigratie [2015] 1 CMLR 18, [44] (“the protection of the fundamental right to respect for private life means, inter alia, that [the data subject] may be certain that the personal data concerning him are correct and that they are processed in a lawful manner”). Section 7 of the DPA implements this right in domestic law. 
On the other hand, in a mixed data case, the objector may also have a right or interest in the non-disclosure of his personal data, in order to maintain his privacy in respect of it; and Article 13(1)(g) of the Directive provides that a Member State may adopt legislative measures to restrict the scope of the rights provided for in Article 12 “when such a restriction constitutes a necessary measure to safeguard … (g) the protection of the data subject or of the rights and freedoms of others”. This rubric reflects that in Article 8(2) of the ECHR, which governs when the rights set out in Article 8(1) (including the right to respect for private life) may be interfered with. Article 13(1)(g) of the Directive provides the legislative basis in EU law for the regime for mixed data cases in section 7(4)-(6) of the DPA.
Contrary to the view of Auld LJ and the judge below, I do not think that the balancing regime in section 7(4)-(6) of the DPA includes any presumptive starting point or hurdle which either the requestor or the objector has to overcome. The circumstances in which the balancing exercise has to be carried out from case to case will be many and varied, and where no consent has been given for disclosure (or where objection has been raised, as in this case) the outcome of the exercise will inevitably depend on the particular facts and context. The question is simply whether “it is reasonable in all the circumstances to comply with the [SAR] without the consent of the other individual” (section 7(4)(b)). Although section 7(6) specifies that regard should be had to certain listed matters “in particular”, it does not limit the other matters which may be relevant circumstances; nor does it specify the weight to be given to the listed matters either as between the items in the list or as against other, non-listed relevant circumstances. There is no sound basis for saying that one should load the exercise at the outset in favour of either the objector or the requester. The rights and interests engaged on each side are both rooted in Article 8 of the ECHR and in specific protective provisions in the Directive. Both sets of rights and interests are important and there is no simple or obvious priority as between them which emerges from consideration of their nature or their place in the legislative regime. In that regard I note that the Information Commissioner, in her guidance, does not recognise or endorse any presumption of the kind referred to by the judge: see her Subject Access Code of Practice (version 1.1, February 2014, at pp. 30-34; version 1.2, June 2017, at pp. 36-40).
It is conceivable, but in practice I think unlikely, that a data controller who carries out the balancing exercise in section 7(4)-(6) in a mixed data case might be left with factors for and against disclosure which are found to be in perfect equilibrium with nothing to choose between them. In that situation there would be a need to apply a presumption at the end of the exercise, in order to arrive at a decision one way or the other. In my view, the presumption to be applied at this stage would be in favour of withholding disclosure. I emphasise that this would be a presumption of the weak, tie-breaker type referred to above. It is not a significant or substantive presumption to be applied at the outset.
My reason for saying that the tie-breaker assumption operates in favour of the third party data subject, rather than the requestor in this situation is that, although section 7(1) of the DPA creates a right for the data subject as against the data controller to have his personal data disclosed to him upon making a SAR, by virtue of section 7(4) the data controller is relieved of that obligation where information comprising those personal data cannot be disclosed “without disclosing information relating to another individual who can be identified from that information”, unless either of sub-paragraphs (a) or (b) is satisfied. As regards sub-paragraph (b), it must appear that it is “reasonable in all the circumstances to comply with the request without the consent of the other individual”; that is to say, having regard to the strength of the interest of the requester (as reflected in the legislative regime set out in the Directive and the DPA) in obtaining disclosure, to the strength of the interest of the objector in maintaining his privacy in relation to the information in question and to any further public interest factors which may be relevant. If the considerations for and against disclosure really are precisely balanced, the data controller (or anyone else applying the test in section 7(4)) cannot positively say that it is reasonable to comply without the consent of the other individual. This indicates that the tie-break presumption should operate in this residual sense against disclosure.
Turning to the present case, the GMC gave positive reasons why it considered it reasonable in all the circumstances to comply with P’s request for disclosure of his personal data set out in the Report, notwithstanding that it also comprised personal data of Dr B. Therefore, there was no scope for application of any residual tie-break presumption to resolve the case.
I consider that the judge erred by treating the relevant presumption as something to be applied at the outset of the analysis, i.e. as constituting a substantive threshold which had to be overcome by the GMC in order to justify its decision to disclose the Report. The judge was wrong to criticise the GMC for proceeding in the way it did, by considering what was reasonable in the case without reference to any presumption. In my view the judge was also wrong to apply a strong, substantive presumption in favour of the objector in his own assessment of how to strike the balance between P and Dr B, in [88]. These were not immaterial errors, but go to the heart of the judge’s approach.
Ground 2: improper reliance on the motive of P in making the SAR
The judge held that the GMC’s decision “took no adequate account of the fact … that the purpose of the request was to use the Report and its information in the intended litigation against [Dr B]”: [77]. This was a further basis on which the judge decided it was right for him to set aside the GMC’s own assessment of the balance of interests and to impose his own. In his own assessment, the judge held that “if it appears that the sole or dominant purpose is to obtain a document for the purpose of a claim against the other data subject, that is a weighty factor in favour of refusal, on the basis that the more appropriate forum is the court procedure under CPR 31” ([88(3)]). In my view, the judge erred on both these points as well.
I begin here with two factual points. As I have noted above, the GMC plainly did take account of the allegation by Dr B that the purpose of the SAR was to obtain the Report and to use it in litigation against him. The GMC was prepared to proceed on the basis that this was a valid concern, but treated it as having only limited weight because obtaining the Report was unlikely to assist P very much in any proceedings he might bring. That was a rational and lawful assessment. The judge was wrong to criticise it as inadequate.
Moreover, although Dr B made this allegation about P’s motivation, it is by no means clear that this was P’s sole or dominant purpose in seeking disclosure. He had made a complaint to the GMC about Dr B and had a legitimate interest in seeing that it was properly considered and not dismissed without adequate grounds. The fair inference is that this was a significant part of the reason why P wished to check the information which had been available to the expert in writing the Report. I do not think there was any sound evidential basis on which the judge could infer that P’s sole or dominant purpose in making what came to be treated as a SAR was to obtain the Report in order to use it in litigation. In fact, as I have noted, it is well established that a person making a SAR is only entitled to disclosure of information, not documents. P could not have known that the Report itself would be disclosed as a result of a SAR by him.
However, there is a wider issue of principle here, namely what weight (if any) should be given to the motivation of a person in making a SAR in a mixed data case, where the motive or part of the motive is to seek to obtain information which might assist the requester in litigation against the objector. I respectfully disagree with Irwin LJ and the judge about this.
In my view, there is no general principle that the interests of the requester, when balanced against the interests of the objector, should be treated as devalued by reason of such motivation. The general position is that the rights of subject access to personal data under Article 12 of the Directive and section 7 of the DPA are not dependent on appropriate motivation on the part of the requester: see Durham County Council v Dunn [2012] EWCA Civ 1654, [16] (Maurice Kay LJ); Gurieva v Community Safety Development (UK) Ltd [2016] EWHC 643 (QB), [72] (Warby J); Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74; [2017] 1 WLR 3255, [105]-[113] (Arden LJ); Ittihadieh v 5-11 Cheyne Gardens [2017] EWCA Civ 121; [2017] 3 WLR 811, [104]-[110] (Lewison LJ); and see also the Information Commissioner’s Subject Access Code of Practice (“the purpose for which a [SAR] is made does not affect its validity, or [a data controller’s] duty to respond to it”: version 1.1, p. 20; version 1.2, p. 26). Moreover, where a person has two rights to obtain something (here, access to information), the usual position is that he is entitled to rely on whichever right is the more effective from his point of view. On the other hand, when carrying out the balancing exercise under section 7(4) in a mixed data case, it will be relevant to have regard to the extent to which the interests on either side which are of a kind which are protected by the legislation are engaged and may be prejudiced by a decision one way or the other.
In this case, it appears that a material part of P’s object in making a SAR was to check that accurate personal data of his had been used by the GMC and the expert in their consideration of how to react to his complaint about Dr B’s conduct. That is an object which is squarely within the purpose for which subject access rights are conferred by Article 13 of the Directive and section 7 of the DPA. Even if part of P’s object was to try to obtain material which might help him in litigation against Dr B, that in no way diminishes the legitimacy or force of his interest to have communicated to him under section 7 information about his personal data as processed by the GMC and the expert. The GMC rightly focused on this interest in its reasoning. Even if there might have been another way in which P could have sought to obtain access to such information pursuant to CPR Part 31, it was not incumbent on him to seek to employ that route. He was entitled to try to obtain the relevant information in this case by means of a SAR, e.g. if that appeared to him to be cheaper and more effective. The judge was wrong to treat CPR Part 31 as “the more appropriate forum” in this case and accordingly to devalue P’s interest in disclosure of his personal data pursuant to his SAR when comparing it with Dr B’s interest in resisting disclosure.
Before leaving this ground of appeal, I would make three further comments. First, by contrast with P’s legitimate interest in securing disclosure of his personal data in this case, it seems to me that Dr B’s own legitimate interest (in terms of his interest in maintaining privacy in relation to those data) was considerably weaker. It was not in doubt that Dr B had been the doctor who treated P. P already knew how he had been treated by Dr B. A significant object of his SAR was to check that accurate personal data about him (P) had been used by the GMC and its expert in processing his complaint about Dr B. This is a legitimate objective for DPA purposes: see YS v Minister voor Immigratie above and Ittihadieh at [90]. It is difficult to see what legitimate privacy reason Dr B had for objecting to the disclosure to P. He could not legitimately say that the GMC and its expert should be treated as being immune from having the accuracy of the personal data of P checked in this way or that he had any proper interest of his own in them proceeding on the basis of false information. I also think it is noteworthy that the personal data of P constituted “sensitive personal data” within the meaning of section 2 of the DPA, as “information as to … (e) his physical or mental health or condition”, whereas the same data in relation to Dr B did not have that enhanced status. Under the scheme of the Directive and the DPA, sensitive personal data is treated as having special sensitivity and significance and as generally meriting enhanced protection. Further, there is force in Mr Hopkins’s submission that the incremental intrusion upon Dr B’s privacy interest by disclosure of the Report, by comparison with the summary of it already provided to P by the GMC, was very modest. 
I do not go so far as to say that a desire on Dr B’s part to be protected from litigation was wholly irrelevant in the balancing exercise under section 7(4), but it is a matter which is peripheral to the main focus of that balancing exercise, which is concerned with weighing the privacy interests of the requester and the objector. In any event, the GMC took Dr B’s desire into account, but for rational reasons decided that it could not be treated as determinative. There was no suggestion that P was proposing to use the Report by releasing it into the wider public domain, e.g. in an attempt to damage Dr B’s reputation.
Secondly, in a mixed data case where (as here) a data controller gives the objector a full opportunity to state his grounds of objection to disclosure, the data controller will generally be entitled to focus on the objector’s arguments in evaluating his interest in having disclosure withheld. The data controller does not have to cast around for further reasons which have not been raised by the objector, at any rate so long as they are not matters which are so obvious that they must be taken into account in the balancing exercise under section 7(4) whether raised or not. In this case, Dr B and BLM did not mention the argument regarding CPR Part 31 on which the judge came to rely so heavily. It was not an obvious point. The GMC was not under any obligation to raise it of its own motion when conducting the balancing exercise under section 7(4). It did properly address the argument which Dr B did make in his written representations, which was concerned with the assistance that disclosure of the Report might afford to P in any litigation he commenced against Dr B.
Thirdly, in view of the wide-ranging submissions we heard on this appeal, I should mention a possible half-way house which may be open to data controllers which conduct a balancing exercise under section 7(4). In some cases, the balance between the legitimate protected interests of a requester and those of an objector may be more finely balanced than in this. For example, it might appear that the requester has good reasons for wishing to check on the accuracy of his personal data used in processing by the data controller whilst at the same time there are objective grounds to think that he wishes to use the information obtained for an illegitimate purpose, e.g. to post the information on the internet to try to traduce the objector. In such a case it might be reasonable (within the meaning of section 7(4)(b)) to make disclosure of the information to the requester if there can be appropriate assurance that no wider inappropriate dissemination of the information will occur, whilst it might not be reasonable to make disclosure in the absence of such assurance. In my view, it would be open to the data controller in such a case to invite the requester to consider giving a binding contractual undertaking to the data controller or the objector or both, to restrict the use to which the information might be put. In conducting the balancing exercise under section 7(4), the data controller would then be entitled to take into account whether such an undertaking had been proffered, or not, when deciding whether it was reasonable to make disclosure. To be clear, I do not think that this would usually be an appropriate course to try to restrict a requester from using information sought by means of a SAR in litigation thereafter. Later use in litigation is not something which is illegitimate in itself, so far as the subject access regime is concerned.
Ground 3: the judge’s reliance on other factors in favour of non-disclosure
The judge held that inadequate consideration was given by the GMC to Dr B’s privacy rights ([69]-[75]); that no adequate account was taken by the GMC of Dr B’s express refusal of consent ([76]); and that the GMC’s assessment of the incremental impact on Dr B of the disclosure of the Report (as compared with the summary which the GMC had already provided to P) was flawed, in that it gave too little weight to Dr B’s wish to preserve his right of privacy or to his assessment and concern about potential risk to his professional reputation ([84]). The GMC submits that the judgment is flawed on each of these points as well.
In my view, the judge erred in relation to each of these points. The legal and factual contexts are both important.
The legal context is that the relevant duties under section 7(1) and under section 7(4)-(6) are duties imposed on data controllers. In a mixed data case falling for consideration under section 7(4)(b), a data controller will be obliged to disclose relevant information if it is reasonable in all the circumstances to do so. It is the data controller who is the primary decision-maker in assessing whether it is reasonable or not. The class of persons who qualify as data controllers under the DPA is a very wide one. They come in all shapes and sizes, across a very wide range in terms of resources available to them to deal with SARs which may be made to them. The legislation confers rights on the whole population. The potential number of SARs is huge. In this context, the legislature contemplated that individual data controllers should be afforded a wide margin of assessment in making the evaluative judgments required in balancing the privacy rights and other interests in issue under section 7(4). The incommensurable and very varied nature of the interests of requesters, objectors and data controllers which might be taken into consideration in the balancing exercise under section 7(4)-(6) also indicates that individual data controllers have a wide margin of assessment under section 7(4)(b). This corresponds to the wide margin of appreciation which a public authority enjoys when competing Convention rights under Article 8 of the ECHR fall to be balanced against each other: see Evans v United Kingdom (2008) 46 EHRR 34, [77]. The effect of all this is that, apart from the mandatory relevant considerations identified in section 7(6), data controllers generally have a wide discretion as to which particular factors to treat as relevant to the balancing exercise: cf R (Corner House Research) v Director of the Serious Fraud Office [2008] UKHL 60; [2009] 1 AC 756, [40] per Lord Bingham of Cornhill. 
They also have a wide discretion as to the weight to be given to each factor they treat as relevant. As Auld LJ stated in Durant at [60]:
“… Parliament cannot have intended that courts in applications under section 7(9) should be able routinely to ‘second-guess’ decisions of data controllers, who may be employees of bodies large or small, public or private or be self-employed. To so interpret the legislation would encourage litigation and appellate challenge by way of full rehearing on the merits and, in that manner, impose disproportionate burdens on them and their employers in their discharge of their many responsibilities under the Act. …”
If a data controller refuses to accede to a SAR in a mixed data case under section 7(4)(b), the requester may apply to the court under section 7(9) and if the court is satisfied that the data controller has not complied with its obligations under section 7(4) it may order him to comply with the SAR. On the other hand, if the data controller proposes to disclose the personal data to the requester, the objector may apply to the court using the general procedure under CPR Part 8, as has happened here. Either way round, the question for the court is similar: was it reasonable in all the circumstances for the data controller to refuse the request (in the first case) or to decide to comply with the request (in the second). If the data controller did not make a reasonable assessment, in either case the court has a discretion to make the relevant assessment itself and then order the data controller to act on that assessment or to quash the data controller’s existing assessment and remit the matter for fresh determination by the data controller. If the court decides to make the relevant assessment itself, it has to seek to balance the competing rights and interests as primary decision-maker.
As regards the factual context, I consider that the GMC did give proper consideration to Dr B’s privacy interests. In its reasoning it addressed the particular arguments against disclosure raised in the representations made by BLM on Dr B’s behalf. The weight to be attached to Dr B’s interests in all the circumstances was a matter for the GMC as data controller. I accept Mr Hopkins’s submission that the judge erred in law by, in substance, substituting his own assessment of the weight to be given to Dr B’s privacy rights in the balancing exercise for that of the GMC.
I have already noted above that the GMC plainly did take into account that Dr B had expressly refused his consent to the disclosure to be made to P. The weight to be accorded to that factor was again a matter for the GMC as data controller. There is no good ground for the judge’s conclusion that it failed to take this matter adequately into account.
I also consider that the judge erred in his assessment at [84]. The GMC did consider the arguments raised by Dr B in relation to the impact of disclosure upon him. It made a lawful and rational assessment of the points he made. The weight to be accorded to them in the balancing exercise was a matter for the GMC as data controller. Its assessment cannot be faulted.
Ground 4: the judge’s approach to the factors in favour of disclosure
The judge criticised the GMC for its approach in assessing factors in favour of disclosure in two respects: (i) he said that no significant weight should have been given to providing P with a more detailed understanding of why the GMC had decided to take no further action in respect of his complaint against Dr B, because it had a practice simply to provide complainants with summaries of documents such as the Report ([81]-[83]); and (ii) although there was no evidence that P had an intention to disseminate or publish the Report, “this was a matter which the GMC should have had in mind in any event; particularly given its practice [of requiring the giving of a non-disclosure undertaking] when making disclosures under [the Medical Act 1983], section 35B(2)” ([85]). Mr Hopkins submits that the judge was in error on both these points as well. I agree with this submission.
The principal reason for finding that the judge has erred is, again, that he has departed from the basic approach which is applicable in reviewing the decision of a data controller under section 7(4), as set out above. The judge improperly substituted his own views regarding relevant factors and their weight for those of the GMC as data controller. The assessment made by the GMC under section 7(4) was rational and lawful.
There is nothing wrong or inconsistent in the GMC having a practice of disclosing summaries of expert reports to complainants on a proactive basis, when it explains a decision not to pursue a complaint further under the disciplinary rules, and separately considering whether further disclosure of personal data should be made later on pursuant to a SAR. As noted above, a complainant making a SAR has a legitimate interest within the contemplation of the Directive and the DPA to check that the personal data which have been used by the GMC and the expert in forming their views are accurate.
The GMC was not required to approach disclosure under a SAR in the same way as a public interest disclosure under the 1983 Act. Dr B and his representatives had not suggested that it should. There was no suggestion made by them that P was proposing to publish the Report in an inappropriate way and it was not incumbent on the GMC to speculate about that. As I have indicated above, if Dr B was worried about the possibility of dissemination of the Report by P for wholly inappropriate or illegitimate purposes, it was open to him and his advisers to ask the GMC to seek undertakings from P to protect against that. They did not suggest that this was a course which merited consideration.
Conclusion
For the reasons I have set out above, I would allow the appeal. In my view, the GMC’s assessment under section 7(4)(b) of the DPA that disclosure should be made of the Report (on the basis that it comprises in its entirety personal data of P) was a lawful one.
Lady Justice Arden:
I have had the considerable benefit of reading the judgments of Lord Justice Irwin and Lord Justice Sales, and I am indebted to them both. I agree with Lord Justice Sales, and so I too would allow this appeal. I do so for the reasons given by Lord Justice Sales subject to the following additions.
Ground 1
In Durant v Financial Services Authority [2003] EWCA Civ 1746 at [55], Lord Justice Auld, with reference to section 7(4) of the Data Protection Act 1998 (“DPA”), explained that there was a “presumption or starting point” against disclosure where the person whose data would be disclosed had not given his consent to disclosure. Lord Justice Sales concludes that this was not part of the ratio decidendi of Durant and I agree with him for the reasons he gives. As I see it, the more natural reading of section 7(4) DPA is that the data controller has alternative courses of action. He can either obtain a valid consent but if he does not do so he can disclose only under section 7(4)(b) DPA. The data subject who does not give consent is adequately protected by section 7(4)(b) without the need for a presumption against disclosure.
Ground 2
I specifically agree with Lord Justice Sales that a litigation motive is not irrelevant under section 7(4) but nor yet is it a disqualifying factor (see paragraph 81 above). Section 7(4) DPA is a special provision dealing with mixed data (adopting Lord Justice Sales’ definition of that term). As Lord Justice Auld explained in Durant, there are two stages. At the first stage, the data controller must determine whether the information can be disclosed without disclosing data of another identifiable data subject. At the second stage, the data controller must decide, if he wishes to disclose mixed data, whether “it is reasonable in all the circumstances” to comply with the request without the consent of the other individual whose personal data is included in the mixed data. Parliament’s instruction to the data controller is therefore that he must consider every aspect of the matter (as well as follow the instruction in section 7(6) DPA), and that would include any evidence as to the litigation motive of the party making the request.
However, in my judgment, in the usual case the fact that the person requesting the data has it in mind that he may bring litigation should not disqualify him from receiving the mixed data. It is simply a factor to be weighed in the balance by the data controller. There could be exceptional cases where the data controller concludes that the litigation motive outweighs every other consideration, as where the person requesting mixed data is a vexatious litigant or wishes to bring further litigation of a kind that has previously been held to be an abuse of the court. I have taken two extreme examples and there may be other circumstances where the litigation motive carried real weight.
I also agree with Lord Justice Sales that the data controller can take into account any satisfactory undertaking which he is offered as to the future use or integrity of the data (see paragraph 83 above). Before he accepted any such undertaking, he would have to be satisfied that he could properly rely on it, and it might have to be given in a form that was enforceable by the other data subject. The acceptance of such an undertaking could not relieve the data controller of his duty to form a view that the disclosure is reasonable in all the circumstances. Although we have had no argument on this point, it would seem to me provisionally that despite the possible inflexibility of section 7(9) in terms of options for enforcement of compliance, it ought to be possible for the court to be able to accept undertakings in the exercise of its discretion under that sub-section.
It follows on this view that the role played by litigation motive in respect of mixed data is different from that played by it in relation to other data. However, I do not find this surprising. Mixed data involves the use of data which does not pertain solely to the requesting party. Accordingly, it is understandable that Parliament might require the courts to have regard to all the circumstances in this situation.
I further agree with Lord Justice Sales that there is neither evidence of an intended abuse of information by P nor evidence of any request by Dr B for any undertaking to be requested. In those circumstances, these points about litigation motive and undertakings do not make any practical difference to the outcome of this appeal.
Ground 3
The structure of section 7 is important. There is a clear statutory remedy in section 7(9) if a data controller refuses to comply with a request under section 7. However, if the data controller forms a view under section 7(4), there is no specific statutory remedy for an objector. The objector must instead start CPR Part 8 proceedings for a declaration and/or an injunction. The question then for the court will be whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual where section 7(4)(b) applies.
At the hearing, the data controller will adduce his evidence as to the circumstances which in his view make it reasonable to reach that conclusion. If he proves that that disclosure without the consent of the other data subject is reasonable in all the circumstances to the satisfaction of the court, it is not necessary or appropriate for the court to consider whether any other course is reasonable, still less to substitute its own view as to what is reasonable.
It is therefore in my judgment significant that Parliament has used the word “reasonable” and not some other word such as “appropriate”. The word “reasonable” conveys that there may be one or more courses open to the data controller and that his choice, if within subsection (4), will prevail. In that sense, I agree with Lord Justice Sales that the court should defer to the data controller and not substitute the court’s own opinion.
That brings me to the relief on this appeal. As explained above, I agree it should be allowed.
ANNEX 1
DATA PROTECTION ACT 1998
Part I
Preliminary
1 (1) In this Act, unless the context otherwise requires—
…
“personal data” means data which relate to a living individual who can be identified –
…
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;
…
2 In this Act “sensitive personal data” means personal data consisting of information as to—
(1) …
…
(e) his physical or mental health or condition,
…
4 (1) References in this Act to the data protection principles are to the principles set out in Part I of Schedule 1.
(2) Those principles are to be interpreted in accordance with Part II of Schedule 1.
…
(4) Subject to section 27(1), it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller.
…
Part II
Rights of data subjects and others
7 (1) Subject to the following provisions of this section and to sections 8, 9 an individual is entitled—
…
(c) to have communicated to him in an intelligible form—
(i) the information constituting any personal data of which that individual is the data subject, and
(ii) any information available to the data controller as to the source of those data, and …
…
(4) Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless—
(a) the other individual has consented to the disclosure of the information to the person making the request, or
(b) it is reasonable in all the circumstances to comply with the request without the consent of the other individual.
(5) In subsection (4) the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request; and that subsection is not to be construed as excusing a data controller from communicating so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise.
(6) In determining for the purposes of subsection (4)(b) whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard shall be had, in particular, to—
(a) any duty of confidentiality owed to the other individual,
(b) any steps taken by the data controller with a view to seeking the consent of the other individual,
(c) whether the other individual is capable of giving consent, and
(d) any express refusal of consent by the other individual.
…
(9) If a court is satisfied on the application of any person who has made a request under the foregoing provisions of this section that the data controller in question has failed to comply with the request in contravention of those provisions, the court may order him to comply with the request.
…
Part IV
Exemptions
27 (1) References in any of the data protection principles or any provision of Parts II and III to personal data or to the processing of personal data do not include references to data or processing which by virtue of this Part are exempt from that principle or other provision.
(2) In this Part “the subject information provisions” means—
(a) the first data protection principle to the extent to which it requires compliance with paragraph 2 of Part II of Schedule 1, and
(b) section 7.
…
(5) Except as provided by this Part, the subject information provisions shall have effect notwithstanding any enactment or rule of law prohibiting or restricting the disclosure, or authorising the withholding, of information.
SCHEDULE 1
The data protection principles
Part I
The Principles
1 Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
…
6 Personal data shall be processed in accordance with the rights of data subjects under this Act.
…
Part II
Interpretation of the principles in Part I
The first principle
1 (1) In determining for the purposes of the first principle whether personal data are processed fairly, regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed.
(2) Subject to paragraph 2, for the purposes of the first principle data are to be treated as obtained fairly if they consist of information obtained from a person who—
(a) is authorised by or under any enactment to supply it, or
(b) is required to supply it by or under any enactment or by any convention or other instrument imposing an international obligation on the United Kingdom.
…
The second principle
6 In determining whether any disclosure of personal data is compatible with the purpose or purposes for which the data were obtained, regard is to be had to the purpose or purposes for which the personal data are intended to be processed by any person to whom they are disclosed.
…
The sixth principle
8 A person is to be regarded as contravening the sixth principle if, but only if—
(a) he contravenes section 7 by failing to supply information in accordance with that section,
EDPB Guidance
Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak
Adopted on 21 April 2020
Version history
Version 1.1 30 April 2020 Minor corrections
Version 1.0 21 April 2020 Adoption of the Guidelines
Table of contents
1 Introduction
2 Application of the GDPR
3 Definitions
3.1 “Data concerning health”
3.2 “Processing for the purpose of scientific research”
3.3 “Further processing”
4 Legal basis for the processing
4.1 Consent
4.2 National legislations
5 Data protection principles
5.1 Transparency and information to data subjects
5.1.1 When must the data subject be informed?
5.1.2 Exemptions
5.2 Purpose limitation and presumption of compatibility
5.3 Data minimisation and storage limitation
5.4 Integrity and confidentiality
6 Exercise of the rights of data subjects
7 International data transfers for scientific research purposes
8 Summary
The European Data Protection Board
Having regard to Article 70 (1) (e) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”),
Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018,
Having regard to Article 12 and Article 22 of its Rules of Procedure,
HAS ADOPTED THE FOLLOWING GUIDELINES
1 INTRODUCTION
1. Due to the COVID-19 pandemic, there are currently great scientific research efforts in the fight against SARS-CoV-2, in order to produce research results as fast as possible.
2. At the same time, legal questions concerning the use of health data pursuant to Article 4 (15) GDPR for such research purposes keep arising. The present guidelines aim to shed light on the most urgent of these questions such as the legal basis, the implementation of adequate safeguards for such processing of health data and the exercise of the data subject rights.
3. Please note that the development of a further and more detailed guidance for the processing of health data for the purpose of scientific research is part of the annual work plan of the EDPB. Also, please note that the current guidelines do not revolve around the processing of personal data for epidemiological surveillance.
2 APPLICATION OF THE GDPR
4. Data protection rules (such as the GDPR) do not hinder measures taken in the fight against the COVID-19 pandemic.1 The GDPR is a broad piece of legislation and contains several provisions that allow the processing of personal data for the purpose of scientific research connected to the COVID-19 pandemic to be handled in compliance with the fundamental rights to privacy and personal data protection.2 The GDPR also foresees a specific derogation from the prohibition on processing certain special categories of personal data, such as health data, where it is necessary for these purposes of scientific research.3
5. Fundamental Rights of the EU must be applied when processing health data for the purpose of scientific research connected to the COVID-19 pandemic. Neither the Data Protection Rules nor the Freedom of Science pursuant to Article 13 of the Charter of Fundamental Rights of the EU have precedence over the other. Rather, these rights and freedoms must be carefully assessed and balanced, resulting in an outcome which respects the essence of both.
1 See the Statement of the EDPB from 19.3.2020 on the general processing of personal data in the context of the COVID-19 outbreak, available at https://edpb.europa.eu/our-work-tools/our-documents/other/statement-processing-personal-data-context-covid-19-outbreak_en.
2 See for example Article 5 (1) (b) and (e), Article 14 (5) (b) and Article 17 (3) (d) GDPR.
3 See for example Article 9 (2) (j) and Article 89 (2) GDPR.
3 DEFINITIONS
6. It is important to understand which processing operations benefit from the special regime foreseen in the GDPR and elaborated on in the present guidelines. Therefore, the terms “data concerning health”, “processing for the purpose of scientific research” as well as “further processing” (also referred to as “primary and secondary usage of health data”) must be defined.
3.1 “Data concerning health”
7. According to Article 4 (15) GDPR, “data concerning health” means “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”. As indicated by Recital 53, data concerning health deserves higher protection, as the use of such sensitive data may have significant adverse impacts for data subjects. In the light of this and the relevant jurisprudence of the European Court of Justice (“ECJ”),4 the term “data concerning health” must be given a wide interpretation.
8. Data concerning health can be derived from different sources, for example:
1. Information collected by a health care provider in a patient record (such as medical history and results of examinations and treatments).
2. Information that becomes health data by cross-referencing with other data, thus revealing the state of health or health risks (such as the assumption that a person has a higher risk of suffering heart attacks based on the high blood pressure measured over a certain period of time).
3. Information from a “self-check” survey, where data subjects answer questions related to their health (such as stating symptoms).
4. Information that becomes health data because of its usage in a specific context (such as information regarding a recent trip to or presence in a region affected by COVID-19, processed by a medical professional to make a diagnosis).
3.2 “Processing for the purpose of scientific research”
9. Article 4 GDPR does not entail an explicit definition of “processing for the purpose of scientific research”. As indicated by Recital 159, “the term processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research. In addition, it should take into account the Union’s objective under Article 179 (1) TFEU of achieving a European Research Area. Scientific research purposes should also include studies conducted in the public interest in the area of public health.”
10. The former Article 29-Working-Party has already pointed out that the term may not be stretched beyond its common meaning, and understands that “scientific research” in this context means “a research project set up in accordance with relevant sector-related methodological and ethical standards, in conformity with good practice”.5
4 See for example, regarding the Directive 95/46/EC, ECJ 6.11.2003, C-101/01 (Lindqvist), paragraph 50.
3.3 “Further processing”
11. Finally, when talking about “processing of health data for the purpose of scientific research”, there are two types of data usages:
1. Research on personal (health) data which consists in the use of data directly collected for the purpose of scientific studies (“primary use”).
2. Research on personal (health) data which consists of the further processing of data initially collected for another purpose (“secondary use”).
12. Example 1: For conducting a clinical trial on individuals suspected to be infected with SARS-CoV-2, health data are collected and questionnaires are used. This is a case of “primary use” of health data as defined above.
13. Example 2: A data subject has consulted a health care provider as a patient regarding symptoms of the SARS-CoV-2. If health data recorded by the health care provider is being used for scientific research purposes later on, this usage is classified as further processing of health data (secondary use) that has been collected for another initial purpose.
14. The distinction between scientific research based on primary or secondary usage of health data will become particularly important when talking about the legal basis for the processing, the information obligations and the purpose limitation principle pursuant to Article 5 (1) (b) GDPR as outlined below.
4 LEGAL BASIS FOR THE PROCESSING
15. All processing of personal data concerning health must comply with the principles relating to processing set out in Article 5 GDPR and with one of the legal grounds and the specific derogations listed respectively in Article 6 and Article 9 GDPR for the lawful processing of this special category of personal data.6
16. Legal bases and applicable derogations for processing health data for the purpose of scientific research are provided for respectively in Article 6 and Article 9. In the following section, the rules concerning consent and respective national legislation are addressed. It has to be noted that there is no ranking between the legal bases stipulated in the GDPR.
4.1 Consent
17. The consent of the data subject, collected pursuant to Article 6 (1) (a) and Article 9 (2) (a) GDPR, may provide a legal basis for the processing of data concerning health in the COVID-19 context.
18. However, it has to be noted that all the conditions for explicit consent, particularly those found in Article 4 (11), Article 6 (1) (a), Article 7 and Article 9 (2) (a) GDPR, must be fulfilled. Notably, consent must be freely given, specific, informed, and unambiguous, and it must be made by way of a statement or “clear affirmative action”.
5 See the Guidelines on Consent under Regulation 2016/679 of the former Article 29 Working-Party from 10.04.2018, WP259 rev.01, 17EN, page 27 (endorsed by the EDPB). Available at https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051.
6 See for example, regarding the Directive 95/46/EC, ECJ 13.5.2014, C‑131/12 (Google Spain), paragraph 71.
19. As stated in Recital 43, consent cannot be considered freely given if there is a clear imbalance between the data subject and the controller. It is therefore important that a data subject is not pressured and does not suffer from disadvantages if they decide not to give consent. The EDPB has already addressed consent in the context of clinical trials.7 Further guidance, particularly on the topic of explicit consent, can be found in the consent guidelines of the former Article 29-Working-Party.8
20. Example: A survey is conducted as part of a non-interventional study on a given population, researching symptoms and the progress of a disease. For the processing of such health data, the researchers may seek the consent of the data subject under the conditions as stipulated in Article 7 GDPR.
21. In the view of the EDPB, the example above is not considered a case of “clear imbalance of power” as mentioned in Recital 43, and the data subject should be able to give consent to the researchers.9 In the example, the data subjects are in no situation of dependency whatsoever on the researchers that could inappropriately influence the exercise of their free will, and it is also clear that there will be no adverse consequences if they refuse to give their consent.
22. However, researchers should be aware that if consent is used as the lawful basis for processing, there must be a possibility for individuals to withdraw that consent at any time pursuant to Article 7 (3) GDPR. If consent is withdrawn, all data processing operations that were based on consent remain lawful in accordance with the GDPR, but the controller shall stop the processing actions concerned and if there is no other lawful basis justifying the retention for further processing, the data should be deleted by the controller.10
4.2 National legislations
23. Article 6 (1) (e) or Article 6 (1) (f) GDPR in combination with the enacted derogations under Article 9 (2) (j) or Article 9 (2) (i) GDPR can provide a legal basis for the processing of personal (health) data for scientific research. In the context of clinical trials this has already been clarified by the Board.11
24. Example: A large population-based study conducted on medical charts of COVID-19 patients.
25. As outlined above, the EU as well as the national legislator of each Member State may enact specific laws pursuant to Article 9 (2) (j) or Article 9 (2) (i) GDPR to provide a legal basis for the processing of health data for the purpose of scientific research. Therefore, the conditions and the extent for such processing vary depending on the enacted laws of the particular Member State.
26. As stipulated in Article 9 (2) (i) GDPR, such laws shall provide “for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy”. As similarly stipulated in Article 9 (2) (j) GDPR, such enacted laws “shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”.
7 See Opinion 3/2019 of the EDPB from 23.1.2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection Regulation (GDPR), available at https://edpb.europa.eu/our-work-tools/our-documents/avis-art-70/opinion-32019-concerning-questions-and-answers-interplay_en.
8 Guidelines on Consent under Regulation 2016/679 of the former Article 29 Working-Party from 10.04.2018, WP259 rev.01, 17EN, page 18 (endorsed by the EDPB).
9 Assuming that the data subject has not been pressured or threatened with disadvantages when not giving his or her consent.
10 See Article 17 (1) (b) and (3) GDPR.
11 See Opinion 3/2019 of the EDPB from 23.1.2019, page 7.
27. Furthermore, such enacted laws must be interpreted in the light of the principles pursuant to Article 5 GDPR and in consideration of the jurisprudence of the ECJ. In particular, derogations and limitations in relation to the protection of data provided in Article 9 (2) (j) and Article 89 GDPR must apply only in so far as is strictly necessary.12
5 DATA PROTECTION PRINCIPLES
28. The principles relating to processing of personal data pursuant to Article 5 GDPR shall be respected by the controller and processor, especially considering that a great amount of personal data may be processed for the purpose of scientific research. Considering the context of the present guidelines, the most important aspects of these principles are addressed in the following.
5.1 Transparency and information to data subjects
29. The principle of transparency means that personal data shall be processed fairly and in a transparent manner in relation to the data subject. This principle is strongly connected with the information obligations pursuant to Article 13 or Article 14 GDPR.
30. In general, a data subject must be individually informed of the existence of the processing operation and that personal (health) data is being processed for scientific purposes. The information delivered should contain all the elements stated in Article 13 or Article 14 GDPR.
31. It has to be noted that researchers often process health data that they have not obtained directly from the data subject, for instance using data from patient records or data from patients in other countries. Therefore, Article 14 GDPR, which covers information obligations where personal data is not collected directly from the data subject, will be the focus of this section.
5.1.1 When must the data subject be informed?
32. When personal data have not been obtained from the data subject, Article 14 (3) (a) GDPR stipulates that the controller shall provide the information “within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed”.
33. In the current context, it has to be particularly noted that according to Article 14 (4) GDPR, where “the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose”.
34. In the case of the further processing of data for scientific purposes and taking into account the sensitivity of the data processed, an appropriate safeguard according to Article 89 (1) is to deliver the information to the data subject within a reasonable period of time before the implementation of the new research project. This allows the data subject to become aware of the research project and enables the possibility to exercise his/her rights beforehand.
5.1.2 Exemptions
35. However, Article 14 (5) GDPR stipulates four exemptions from the information obligation. In the current context, the exemptions pursuant to Article 14 (5) (b) (“proves impossible or would involve a disproportionate effort”) and (c) (“obtaining or disclosure is expressly laid down by Union or Member State law”) GDPR are of particular relevance, especially for the information obligation pursuant to Article 14 (4) GDPR.
12 See for example, regarding the Directive 95/46/EC, ECJ 14.2.2019, C–345/17 (Buivids), paragraph 64.
5.1.2.1 Proves impossible
36. In its Guidelines regarding the principle of Transparency,13 the former Article 29-Working-Party has already pointed out that “the situation where it “proves impossible” under Article 14 (5) (b) to provide the information is an all or nothing situation because something is either impossible or it is not; there are no degrees of impossibility. Thus, if a data controller seeks to rely on this exemption it must demonstrate the factors that actually prevent it from providing the information in question to data subjects. If, after a certain period of time, the factors that caused the “impossibility” no longer exist and it becomes possible to provide the information to data subjects then the data controller should immediately do so. In practice, there will be very few situations in which a data controller can demonstrate that it is actually impossible to provide the information to data subjects.”
5.1.2.2 Disproportionate effort
37. In determining what constitutes disproportionate effort, Recital 62 refers to the number of data subjects, the age of the data and appropriate safeguards in place as possible indicative factors. In the Transparency Guidelines mentioned above,14 it is recommended that the controller should therefore carry out a balancing exercise to assess the effort involved to provide the information to data subjects against the impact and effects on the data subject if they are not provided with the information.
38. Example: A large number of data subjects where there is no available contact information could be considered as a disproportionate effort to provide the information.
5.1.2.3 Serious impairment of objectives
39. To rely on this exception, data controllers must demonstrate that the provision of the information set out in Article 14 (1) per se would render impossible or seriously impair the achievement of the objectives of the processing.
40. In a case where the exemption of Article 14 (5) (b) GDPR applies, “the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available”.
5.1.2.4 Obtaining or disclosure is expressly laid down by Union or Member State law
41. Article 14 (5) (c) GDPR allows for a derogation from the information requirements in Articles 14 (1), (2) and (4) insofar as the obtaining or disclosure of personal data “is expressly laid down by Union or Member State law to which the controller is subject”. This exemption is conditional upon the law in question providing “appropriate measures to protect the data subject’s legitimate interests”. As stated in the above mentioned Transparency Guidelines,15 such law must directly address the data controller and the obtaining or disclosure in question should be mandatory upon the data controller. When relying on this exemption, the EDPB recalls that the data controller must be able to demonstrate how the law in question applies to them and requires them to either obtain or disclose the personal data in question.
13 See the Guidelines on transparency under Regulation 2016/679 of the former Article-29 Working-Party from 11.4.2018, WP260 rev.01, 17/EN, page 29 (endorsed by the EDPB). Available at https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227.
14 Guidelines on transparency under Regulation 2016/679 of the former Article-29 Working-Party from 11.4.2018, WP260 rev.01, 17/EN, page 31 (endorsed by the EDPB).
15 Guidelines on transparency under Regulation 2016/679 of the former Article-29 Working-Party from 11.4.2018, WP260 rev.01, 17/EN, page 32 (endorsed by the EDPB).
5.2 Purpose limitation and presumption of compatibility
42. As a general rule, data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes” pursuant to Article 5 (1) (b) GDPR.
43. However the “compatibility presumption” provided by Article 5 (1) (b) GDPR states that “further processing for […] scientific research purposes […] shall, in accordance with Article 89 (1), not be considered to be incompatible with the initial purposes”. This topic, due to its horizontal and complex nature, will be considered in more detail in the planned EDPB guidelines on the processing of health data for the purpose of scientific research.
44. Article 89 (1) GDPR stipulates that the processing of data for research purposes “shall be subject to appropriate safeguards” and that those “safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner”.
45. The requirements of Article 89 (1) GDPR emphasise the importance of the data minimisation principle and the principle of integrity and confidentiality as well as the principle of data protection by design and by default (see below).16 Consequently, considering the sensitive nature of health data and the risks when re-using health data for the purpose of scientific research, strong measures must be taken in order to ensure an appropriate level of security as required by Article 32 (1) GDPR.
5.3 Data minimisation and storage limitation
46. In scientific research, data minimisation can be achieved through the requirement of specifying the research questions and assessing the type and amount of data necessary to properly answer these research questions. Which data is needed depends on the purpose of the research even when the research has an explorative nature and should always comply with the purpose limitation principle pursuant to Article 5 (1) (b) GDPR. It has to be noted that the data has to be anonymised where it is possible to perform the scientific research with anonymised data.
47. In addition, proportionate storage periods shall be set. As stipulated by Article 5 (1) (e) GDPR, “personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving […] scientific purposes […] in accordance with Article 89 (1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject”.
48. In order to define storage periods (timelines), criteria such as the length and the purpose of the research should be taken into account. It has to be noted that national provisions may stipulate rules concerning the storage period as well.
5.4 Integrity and confidentiality
49. As mentioned above, sensitive data such as health data merit higher protection as their processing is likelier to lead to negative impacts for data subjects. This consideration especially applies in the COVID-19 outbreak as the foreseeable re-use of health data for scientific purposes leads to an increase in the number and type of entities processing such data.
16 Also see the Guidelines 4/2019 of the EDPB from 13.11.2019 on Data Protection by Design and by Default (version for public consultation), available at https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2019/guidelines-42019-article-25-data-protection-design_en.
50. It has to be noted that the principle of integrity and confidentiality must be read in conjunction with the requirements of Article 32 (1) GDPR and Article 89 (1) GDPR. The cited provisions must be fully complied with. Therefore, considering the high risks as outlined above, appropriate technical and organisational up-to-date measures must be implemented to ensure a sufficient level of security.
51. Such measures should at least consist of pseudonymisation,17 encryption, non-disclosure agreements and strict access role distribution, access role restrictions as well as access logs. It has to be noted that national provisions may stipulate concrete technical requirements or other safeguards such as adherence to professional secrecy rules.
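The minimisation and pseudonymisation measures described in paragraphs 46 and 51, and the point in footnote 17 that pseudonymised data remains personal data, as an added Python example that is not part of the guidelines or of any EDPB material: the patient records, the research question, the KeyCustodian role and the field names are all constructed assumptions. The pseudonymisation secret is held by a separate custodian; the research extract keeps only the fields the research question needs, and only the custodian can re-link a pseudonym, with every re-linking logged.

```python
import hashlib
import hmac
import secrets
from datetime import date
from typing import Optional

# Constructed sample of a health care provider's patient records (not real data):
# the data "initially collected for another purpose" of Example 2 in the guidelines.
PATIENT_RECORDS = [
    {"patient_id": "P-0001", "name": "A. Example", "dob": "1961-04-02", "postcode": "D04",
     "symptoms": ["fever", "cough"], "test_result": "positive", "travel": "none"},
    {"patient_id": "P-0002", "name": "B. Sample", "dob": "1988-11-30", "postcode": "D06",
     "symptoms": ["anosmia"], "test_result": "positive", "travel": "region X"},
    {"patient_id": "P-0003", "name": "C. Test", "dob": "1995-01-15", "postcode": "D04",
     "symptoms": [], "test_result": "negative", "travel": "none"},
]

# Fields that the hypothetical research question "which symptoms predict a positive
# test?" actually needs. Name, date of birth, postcode and travel history are not
# carried over to the research extract (data minimisation, Article 89 (1) GDPR).
RESEARCH_FIELDS = ("symptoms", "test_result")


def age_band(dob_iso: str, today: date) -> str:
    """Coarsen a date of birth into a 10-year band so the exact date is not retained."""
    born = date.fromisoformat(dob_iso)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


class KeyCustodian:
    """Holds the pseudonymisation secret, organisationally separated from the researchers."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self.access_log = []  # record of every re-identification request

    def pseudonym(self, patient_id: str) -> str:
        # Keyed hash (HMAC-SHA256): the same patient always maps to the same pseudonym,
        # but without the key a pseudonym cannot be linked back to the patient.
        return hmac.new(self._key, patient_id.encode(), hashlib.sha256).hexdigest()

    def reidentify(self, pseudonym: str, known_ids, actor: str, reason: str) -> Optional[str]:
        """Re-link a pseudonym to a patient id. Only the key holder can do this, which is
        why the extract is still personal data (footnote 17); each request is logged."""
        self.access_log.append({"actor": actor, "action": "reidentify",
                                "pseudonym": pseudonym, "reason": reason})
        for pid in known_ids:
            if hmac.compare_digest(self.pseudonym(pid), pseudonym):
                return pid
        return None


def build_research_dataset(records, custodian: KeyCustodian, today: date) -> list:
    """Produce the minimised, pseudonymised extract handed to the research team."""
    dataset = []
    for rec in records:
        row = {field: rec[field] for field in RESEARCH_FIELDS}
        row["age_band"] = age_band(rec["dob"], today)
        row["pseudonym"] = custodian.pseudonym(rec["patient_id"])
        dataset.append(row)
    return dataset


def direct_identifiers_present(dataset) -> bool:
    """Release check: no raw id, name, date of birth or postcode may remain in the extract."""
    forbidden = {"patient_id", "name", "dob", "postcode"}
    return any(forbidden & set(row.keys()) for row in dataset)


if __name__ == "__main__":
    custodian = KeyCustodian()
    extract = build_research_dataset(PATIENT_RECORDS, custodian, date(2020, 4, 21))
    assert not direct_identifiers_present(extract)
    for row in extract:
        print(row)
    # The custodian, and only the custodian, can re-link a pseudonym.
    print(custodian.reidentify(extract[0]["pseudonym"],
                               [r["patient_id"] for r in PATIENT_RECORDS],
                               actor="custodian", reason="adverse event follow-up"))
```

A second KeyCustodian with a different key returns None for the same pseudonym, which is the practical difference between pseudonymised data (re-linkable by the key holder) and anonymised data (re-linkable by nobody).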
52. Furthermore, a data protection impact assessment pursuant to Article 35 GDPR must be carried out when such processing is “likely to result in a high risk to the rights and freedoms of natural persons” pursuant to Article 35 (1) GDPR. The lists pursuant to Article 35 (4) and (5) GDPR shall be taken into account.
53. At this point, the EDPB emphasises the importance of data protection officers. Where applicable, data protection officers should be consulted on processing of health data for the purpose of scientific research in the context of the COVID-19 outbreak.
54. Finally, the adopted measures to protect data (including during transfers) should be properly documented in the record of processing activities.
6 EXERCISE OF THE RIGHTS OF DATA SUBJECTS
55. In principle, situations such as the current COVID-19 outbreak do not suspend or restrict the possibility of data subjects to exercise their rights pursuant to Articles 12 to 22 GDPR. However, Article 89 (2) GDPR allows the national legislator to restrict (some of) the data subject’s rights as set out in Chapter 3 of the Regulation. Because of this, the restrictions of the rights of data subjects may vary depending on the enacted laws of the particular Member State.
56. Furthermore, some restrictions of the rights of data subjects can be based directly on the Regulation, such as the access right restriction pursuant to Article 15 (4) GDPR and the restriction of the right to erasure pursuant to Article 17 (3) (d) GDPR. The information obligation exemptions pursuant to Article 14 (5) GDPR have already been addressed above.
57. It has to be noted that, in the light of the jurisprudence of the ECJ, all restrictions of the rights of data subjects must apply only in so far as it is strictly necessary.18
17 It has to be noted that personal (health) data that has been pseudonymised is still regarded as “personal data” pursuant to Article 4 (1) GDPR and must not be confused with “anonymised data”, where it is no longer possible for anyone to refer back to individual data subjects. See for example Recital 28.
18 See for example, regarding the Directive 95/46/EC, ECJ 14.2.2019, C–345/17 (Buivids), paragraph 64.
7 INTERNATIONAL DATA TRANSFERS FOR SCIENTIFIC RESEARCH PURPOSES
58. Within the context of research and specifically in the context of the COVID-19 pandemic, there will probably be a need for international cooperation that may also imply international transfers of health data for the purpose of scientific research outside of the EEA.
59. When personal data is transferred to a non-EEA country or international organisation, in addition to complying with the rules set out in the GDPR,19 especially its Article 5 (data protection principles), Article 6 (lawfulness) and Article 9 (special categories of data),20 the data exporter shall also comply with Chapter V (data transfers).21
60. In addition to the regular transparency requirement as mentioned on page 7 of the present guidelines, a duty rests on the data exporter to inform data subjects that it intends to transfer personal data to a third country or international organisation. This includes information about the existence or absence of an adequacy decision by the European Commission, or whether the transfer is based on a suitable safeguard from Article 46 or on a derogation of Article 49 (1). This duty exists irrespective of whether the personal data was obtained directly from the data subject or not.
61. In general, when considering how to address such conditions for transfers of personal data to third countries or international organisations, data exporters should assess the risks to the rights and the freedoms of data subjects of each transfer22 and favour solutions that guarantee data subjects the continuous protection of their fundamental rights and safeguards as regards the processing of their data, even after it has been transferred. This will be the case for transfers to countries having an adequate level of protection,23 or in case of use of one of the appropriate safeguards included in Article 46 GDPR,24 ensuring that enforceable rights and effective legal remedies are available for data subjects.
62. In the absence of an adequacy decision pursuant to Article 45 (3) GDPR or appropriate safeguards pursuant to Article 46 GDPR, Article 49 GDPR envisages certain specific situations under which transfers of personal data can take place as an exception. The derogations enshrined in Article 49 GDPR are thus exemptions from the general rule and, therefore, must be interpreted restrictively, and on a case-by-case basis.25 Applied to the current COVID-19 crisis, those addressed in Article 49 (1) (d) (“transfer necessary for important reasons of public interest”) and (a) (“explicit consent”) may apply.
63. The COVID-19 pandemic causes an exceptional sanitary crisis of an unprecedented nature and scale. In this context, the EDPB considers that the fight against COVID-19 has been recognised by the EU and most of its Member States as an important public interest,26 which may require urgent action in the field of scientific research (for example to identify treatments and/or develop vaccines), and may also involve transfers to third countries or international organisations.27
19 Article 44 GDPR.
20 See sections 4 to 6 of the present Guidelines.
21 See the Guidelines 2/2018 of the EDPB from 25.5.2018 on derogations of Article 49 under Regulation 2016/679, page 3, on the two-step test, available at https://edpb.europa.eu/our-work-tools/our-documents/smjernice/guidelines-22018-derogations-article-49-under-regulation_en.
22 International data transfers may be a risk factor to consider when performing a DPIA as referred to in page 10 of the present guidelines.
23 The list of countries recognised as adequate by the European Commission is available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
24 For example standard data protection clauses pursuant to Article 46 (2) (c) or (d) GDPR, ad hoc contractual clauses pursuant to Article 46 (3) (a) GDPR or administrative arrangements pursuant to Article 46 (3) (b) GDPR.
25 See Guidelines 2/2018, page 3.
64. Not only public authorities, but also private entities playing a role in pursuing such public interest (for example, a university’s research institute cooperating on the development of a vaccine in the context of an international partnership) could, under the current pandemic context, rely upon the derogation mentioned above.
65. In addition, in certain situations, in particular where transfers are performed by private entities for the purpose of medical research aiming at fighting the COVID-19 pandemic,28 such transfers of personal data could alternatively take place on the basis of the explicit consent of the data subjects.29
66. Public authorities and private entities may, under the current pandemic context, when it is not possible to rely on an adequacy decision pursuant to Article 45 (3) or on appropriate safeguards pursuant to Article 46, rely upon the applicable derogations mentioned above, mainly as a temporary measure due to the urgency of the medical situation globally.
67. Indeed, while the nature of the COVID-19 crisis may justify the use of the applicable derogations for initial transfers carried out for the purpose of research in this context, repetitive transfers of data to third countries as part of a long-lasting research project in this regard would need to be framed with appropriate safeguards in accordance with Article 46 GDPR.30
68. Finally, it has to be noted that any such transfers will need to take into consideration on a case-by-case basis the respective roles (controller, processor, joint controller) and related obligations of the actors involved (sponsor, investigator) in order to identify the appropriate measures for framing the transfer.
8 SUMMARY
69. The key findings of these guidelines are:
1. The GDPR provides special rules for the processing of health data for the purpose of scientific research that are also applicable in the context of the COVID-19 pandemic.
2. The national legislator of each Member State may enact specific laws pursuant to Article 9 (2) (i) and (j) GDPR to enable the processing of health data for scientific research purposes. The processing of health data for the purpose of scientific research must also be covered by one of the legal bases in Article 6 (1) GDPR. Therefore, the conditions and the extent for such processing vary depending on the enacted laws of the particular Member State.
3. All enacted laws based on Article 9 (2) (i) and (j) GDPR must be interpreted in the light of the principles pursuant to Article 5 GDPR and in consideration of the jurisprudence of the ECJ. In particular, derogations and limitations in relation to the protection of data provided in Article 9 (2) (j) and Article 89 (2) GDPR must apply only in so far as is strictly necessary.
4. Considering the processing risks in the context of the COVID-19 outbreak, high emphasis must be put on compliance with Article 5 (1) (f), Article 32 (1) and Article 89 (1) GDPR. There must be an assessment of whether a DPIA pursuant to Article 35 GDPR has to be carried out.
5. Storage periods (timelines) shall be set and must be proportionate. In order to define such storage periods, criteria such as the length and the purpose of the research should be taken into account. National provisions may stipulate rules concerning the storage period as well and must therefore be considered.
6. In principle, situations such as the current COVID-19 outbreak do not suspend or restrict the possibility of data subjects to exercise their rights pursuant to Articles 12 to 22 GDPR. However, Article 89 (2) GDPR allows the national legislator to restrict (some of) the data subject’s rights as set out in Chapter 3 of the GDPR. Because of this, the restrictions of the rights of data subjects may vary depending on the enacted laws of the particular Member State.
7. With respect to international transfers, in the absence of an adequacy decision pursuant to Article 45 (3) GDPR or appropriate safeguards pursuant to Article 46 GDPR, public authorities and private entities may rely upon the applicable derogations pursuant to Article 49 GDPR. However, the derogations of Article 49 GDPR have an exceptional character only.
26 Article 168 of the Treaty on the Functioning of the European Union recognises a high level of human health protection as an important objective that should be ensured in the implementation of all Union policies and activities. On this basis, Union action supports national policies to improve public health, including in combatting major health scourges and serious cross-border threats to health, e.g. by promoting research into their causes, transmission and prevention. Similarly, Recitals 46 and 112 of the GDPR refer to processing carried out in the context of the fight against epidemics as an example of processing serving important grounds of public interest. In the context of the COVID-19 pandemic, the EU has adopted a series of measures in a broad range of areas (e.g. funding of healthcare systems, support to cross-border patients and deployment of medical staff, financial assistance to the most deprived, transport, medical devices etc.) premised on the understanding that the EU is facing a major public health emergency requiring an urgent response.
27 The EDPB underlines that the GDPR, in its Recital 112, refers to the international data exchange between services competent for public health purposes as an example of the application of this derogation.
28 In accordance with Article 49 (3) GDPR, consent cannot be used for activities carried out by public authorities in the exercise of their public powers.
29 See EDPB Guidelines 2/2018, section 2.1.
30 See EDPB Guidelines 2/2018, page 5.
For the European Data Protection Board
The Chair
(Andrea Jelinek)