This case reminds us that healthcare regulators in particular may often find themselves in control of “mixed data” documents, which contain sensitive personal data regarding both patients and the healthcare professionals under investigation. This decision gives important clarity to the data controllers of the test to apply when considering subject access requests for disclosure of such data, if the other party objects.
1. Why is this case important?
This case gives important clarity to data controllers in confirming the correct test to be applied when considering a Subject Access Requests in “mixed data” cases.
2. The facts
A patient (P) made a complaint to the GMC about his GP, Dr B. The patient claimed that Dr B’s actions had caused a delay in P receiving treatment for cancer.
The GMC carried out a fitness to practise investigation and instructed an expert to prepare a report. The expert, whilst critical of Dr B’s care in some respects, concluded that most GPs in the same circumstances would not have suspected cancer. The GMC did not take any further action against Dr B. The expert’s report contained personal data about both P and Dr B, and can therefore be referred to as “mixed data”.
The GMC sent a summary of the expert’s report to P, who then requested a full copy. The GMC dealt with this request as a subject access request under the Data Protection Act 1998. Dr B objected to P being provided with a copy of the report on the basis that it was his personal data, and that P had requested the report with a view to litigation. The GMC carried out a balancing exercise, weighing up the interests of both parties, and concluded that the report should be disclosed to P.
Dr B successfully appealed to the High Court and secured an injunction to prevent the GMC from disclosing the report. The High Court held that the GMC had failed to give adequate weight to Dr B’s interests as a data subject and his express refusal of consent. The GMC appealed to the Court of Appeal.
3. The decision
The appeal was allowed. The High Court judge had relied on the case of Durant v Financial Services Authority (Disclosure) 2003 EWCA Civ 1746 which suggested there should be a presumption of no disclosure in a mixed data case where one party has objected. In the Court of Appeal LJ Sales concluded that this was opinion and not binding.
LJ Sales determined that there was no basis for a presumption in favour of either the requesting party or the objecting party at the outset. The correct test was that set out in s.7 (4) (b) of the Data Protection Act, namely whether “it was reasonable in all the circumstances to comply with the [subject access] request without the consent of the other individual”. The Act seeks to strike a balance between the parties’ competing interests, both of which are enshrined in Article 8 of the ECHR and Directive 95/46.
If, after carrying out its balancing exercise, the data controller is at an equilibrium, then there will be a presumption in favour of withholding disclosure. The presumption is therefore a “tie-break” test to be applied only after weighing up the interests of both parties, rather than a hurdle to be overcome at the outset.
In this case, LJ Sales held, the GMC had given positive reasons why it considered it reasonable in all the circumstances to comply with P’s disclosure request. Accordingly, the “tie-break” presumption of non-disclosure did not need to come into play.
Importantly, LJ Sales also criticised the reliance placed on P’s motivation for requesting the report. The rights of subject access to personal data under art.12 of the Directive and s.7 of the Act were not dependent on appropriate motivation on the requester’s part.
Healthcare regulators in particular may often find themselves in control of “mixed data” documents, which contain sensitive personal data regarding both patients and the healthcare professionals under investigation. This decision gives important clarity to the data controllers of the test to apply when considering subject access requests for disclosure of such data, if the other party objects. A careful balancing exercise should be carried out, weighing up the interests of both parties, and only if the outcome of that exercise is equal should there be a presumption in favour of the objecting party. This judgment will apply to mixed data cases subsequently considered under the GDPR and Data Protection Act 2018, the Schedule 2 paragraph 16 of the DPA 2018 largely replicating s7 of the DPA 1998.
Enjoy That? You Might Like These: