What’s this about?
The European Court has given a wide interpretation about the data protection law subject access right and obtaining medical records. This article briefly looks at the issues.
What’s the legal and factual background?
Data protection rules allow for individuals to make so-called “Subject Access Requests” where they can seek to obtain copies of the personal data held about them by organisations and certain other related information about how that data is stored and processed.
In this particular case, an individual (in Germany) asked their dentist for a copy of the individual’s medical records, with, it seems, a view to considering bringing legal action for errors allegedly made in providing the individual with dental care. The dentist demanded that the individual in question cover the costs connected with providing a copy of the medical records, as provided for under German law (the Civil Code).
The individual took the view that they were entitled to a free copy of the medical records and so brought legal proceedings before the German courts. Both at first instance and on appeal the individual’s request to be provided with a first copy of their medical records free of charge was upheld. The dentist then brought an appeal on a point of law before a higher court which in turn sought a preliminary ruling from the European Court of Justice (“the European Court”) where the European Court saw the legal questions it was being asked as follows:
- Whether the applicable transparency and subject access rights provisions of EU GPDR (Article 12(5) and Article 15(1) and (3)) are to be interpreted as meaning that a data controller is under an obligation to provide a data subject, free of charge, with a first copy of their personal data undergoing processing, even where the reason for that request is not related to those referred to in the first sentence of recital 63 of EU GDPR (“A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing”);
- Whether the applicable provision of EU GDPR (Article 23(1)(i)) that allows an EU country to restrict certain EU GDPR rights and obligations is to be interpreted as permitting a piece of national legislation, adopted prior to the entry into force of EU GDPR, which, with a view to protecting the economic interests of the data controller, makes a data subject bear the costs of a first copy of their personal data undergoing processing; and,
- Whether the provision of EU GDPR which states that “[t]he controller shall provide a copy of the personal data undergoing processing” (Article 15(3)) is to be interpreted as meaning that, in the context of a doctor-patient relationship, the right to obtain a copy of personal data undergoing processing means that a data subject is to be provided with a full copy of the documents included in their medical records and containing their personal data, or solely with a copy of those data as such.
What did the court rule?
The European Court ruled that:
- Under the applicable transparency and subject access rights provisions of EU GPDR in question, a data controller is under an obligation to provide a data subject, free of charge, with a first copy of his or her personal data undergoing processing, even where the reason for that request is not related to those referred to in the first sentence of recital 63 of EU GDPR;
- Under the applicable provision of EU GDPR that allows an EU country to restrict certain EU GDPR rights and obligations, a piece of national legislation adopted prior to the entry into force of EU GDPR is capable of falling within the scope of that provision. However, this does not permit the adoption of a piece of national legislation which, with a view to protecting the economic interests of a data controller, makes the data subject bear the costs of a first copy of his or her personal data undergoing processing; and,
- Under the provision of EU GDPR which states that “[t]he controller shall provide a copy of the personal data undergoing processing”, in the context of a doctor-patient relationship, the right to obtain a copy of personal data undergoing processing means that a data subject must be given a faithful and intelligible reproduction of all those data. That right entails the right to obtain a full copy of the documents included in the data subject’s medical records and containing, amongst other things, those data if the provision of such a copy is essential in order to enable the data subject to verify how accurate and exhaustive those data are, as well as to ensure they are intelligible. Regarding data relating to the health of the data subject, that right includes in any event the right to obtain a copy of the data in his or her medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided to him or her. The European Court stated that: “Regarding examination results, assessments by treating physicians and treatments or interventions provided to a patient, which, as a general rule, involve a large amount of technical data, or even images, the provision of a simple summary or a compilation of those data by the medical practitioner, in order to present them in an aggregated form, could create the risk of some relevant data being omitted or incorrectly reproduced, or, in any event, of it being made harder for the patient to verify how accurate and exhaustive those data are and to understand those data.”
What are the takeaways?
This ruling is in line with the European Court’s recent rulings giving a wide meaning to the interpretation of “copy” of personal data to be supplied in the context of Subject Access Requests. Organisations should accordingly take note in terms of factoring this into their internal Subject Access Request policy and procedures sections about supplying a “copy” of personal health data, whilst also noting that the right to obtain a “full copy” seems to be limited to where providing such a copy “is essential in order to enable the data subject to verify how accurate and exhaustive those data are, as well as to ensure they are intelligible.”
From a UK perspective, post-Brexit this ruling does not bind the UK. Further, it may in any event not sit squarely with what the UK’s data protection regulator the ICO says in its official guidance about “copies”, as follows:
“The right of access enables individuals to obtain their personal data rather than giving them a right to see copies of documents containing their personal data. You may therefore provide the information in the form of transcripts of relevant documents (or of sections of documents that contain the personal data), or by providing a print-out of the relevant information from your computer systems. While it is reasonable to supply a transcript if it exists, we do not expect controllers to create new information to respond to a SAR. Although the easiest way to provide the relevant information is often to supply copies of original documents, you are not obliged to do so”.
It should be noted of course that guidance is just guidance and it is for the courts to make definitive interpretations about the law.
We have written about ICO Guidance On Employee Health Data here: https://www.corderycompliance.com/ico-ehd-1023-08/.
We report about data protection and privacy issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
We have written about Subject Access Requests here: https://www.corderycompliance.com/ecj-pd-0823-07/, here: https://www.corderycompliance.com/dpi-sar-0823-05/, here: https://www.corderycompliance.com/ico-sar-qa-0623-04/, here: https://www.corderycompliance.com/ec-sar-0523-02/, here: https://www.corderycompliance.com/ico-sar-uk1/, here: https://www.corderycompliance.com/sars-under-gdpr/, here: https://www.corderycompliance.com/limits-on-sars-uk-court-rulings/, here: https://www.corderycompliance.com/ico-sars-enforcement-lewisham-council/, and here: https://www.corderycompliance.com/uk-appeal-court-ruling-on-balancing-test-in-sars-2/.
The European Court judgment can be found here: https://curia.europa.eu/juris/document/document.jsf?text=&docid=279125&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=305076.
The ICO’s subject access guidance can be found here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/right-of-access/how-should-we-supply-information-to-the-requester/.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
|Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH||André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH|
|Office: +44 (0)207 075 1784||Office: +44 (0)207 347 2365|