What is this about?
The UK’s Data Protection Act 1998 (DPA) allows for individuals to make so-called “Subject Access Request” (SAR) where they can seek to obtain copies of the personal data held about them by organisations and certain other related information about how that data is stored and processed. It is notable that in the UK there have been a considerable increase in the number of SARs. Some of these cases have also been litigated – the recent case of Dr DB -v- General Medical Council is illustrative of how things can go in a particular direction depending on the facts.
What is the background to the case?
In this case a patient made a complaint about his treatment by his doctor (“GP”) to the UK doctors’ regulatory body the General Medical Council (“GMC”). The GMC undertook a so-called fitness to practice investigation into the GP including commissioning an independent expert’s report. Although the report was critical of the care provided by the GP it nevertheless concluded that the standard of care had not fallen seriously below the expected standard and therefore the GMC took no further action as regards the GP.
In its response to the patient the GMC had included a one-page summary of the independent expert’s report. The patient then in effect made an SAR to the GMC to see the full report with (it seems) a view to bringing a possible clinical negligence claim. The GP did not consent to disclosure of the report, arguing in particular that the report constituted the GP’s personal data only and that the SAR was being used as a vehicle for disclosure with a view to litigation or further complaint. The GMC decided that, on balance it would be fair and lawful and not in breach of data protection principles, and, in the interests of transparency, it should disclose the report to the patient. The GP brought legal proceedings to stop disclosure of the report – the GMC agreed to not to disclose the report until the issue was resolved by the court.
What did the court decide?
Although the court was not substituting itself as the decision-maker in place of the GMC it decided that the GMC had got the balance wrong. The court concluded that in conducting the balancing exercise in “mixed data” cases of this type (i.e. mixing the patient’s personal data and the GP’s personal data):
- It is essential to keep in mind that the exercise involves a balance between the respective privacy rights of data subjects;
- In the absence of consent, the rebuttable presumption or starting point is against disclosure, and, the express refusal of consent is a specific factor to be taken into account;
- If it appears that the sole or dominant purpose is to obtain a document for the purpose of a claim against the other data subject, that is a weighty factor in favour of refusal, on the basis that the more appropriate forum is the court civil procedural rules concerning disclosure of specific information
The full judgment can be found here: http://www.bailii.org/ew/cases/EWHC/QB/2016/2331.html.
What is the takeaway?
SARs are being frequently used in the litigation context but with mixed end-results – here the court came down in favour of non-disclosure – see here for our report about the important Gurieva case where a different result was reached (in a different context) http://www.corderycompliance.com/subject-access-requests-and-investigations/.
It should also be noted that once the EU General Data Protection Regulation is fully applicable from May 2018 SARs will become free (at the moment a small charge can be made) and the time to respond will be tighter (albeit with the possibility of extensions) – for more details about this please see our GDPR FAQs here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/.
We report about data protection issues, including SARs, here: http://www.corderycompliance.com/category/data-protection-privacy/.
Cordery’s GDPR Navigator includes more resources to help deal with SARs – http://www.corderycompliance.com/solutions/cordery-gdpr-navigator/.
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
Office: +44 (0)207 075 1785
Office: +44 (0)207 075 1784