Data controllers working in health and care organisations will find this latest decision welcome guidance on the approach to managing mixed data cases.
A GMC fitness to practise case highlights the difficult balancing exercise data controllers face when trying to manage the competing privacy rights of a patient and doctor. The background to DB v GMC is set out in an earlier article here.
Briefly, the regulator had to consider whether to disclose to a patient an expert report into a doctor’s fitness to practise. The GMC took the decision to disclose the report but the doctor applied for an injunction which was granted by the High Court.
The GMC appealed to the Court of Appeal (CA) on four grounds – the appeal was allowed on the basis that the GMC’s assessment under section 7(4)(b) of the Data Protection Act 1998 (DPA) that disclosure of the report should be made (on the basis that it comprises in its entirety personal data of P) was "rational and a lawful one".
The CA concluded the High Court was wrong to criticise the GMC’s approach and to apply a "strong, substantive presumption in the objector’s favour".
The CA’s decision provides some helpful guidance for those conducting the balancing exercise in mixed data cases.
The decision and its points of wider interest for data controllers
- Improper reliance on an alleged presumption that there should be no disclosure in a mixed data case.
The judge had been wrong to say that there is a presumption under section 7(4) of the DPA – a position adopted based on the decision in Durant. The CA decided that they did not have to follow comments made in Durant.
Simply put, the test for data controllers is whether “it is reasonable in all the circumstances to comply with the [SAR] without the consent of the other individual” – the balancing of interests in section 7(4)–(6) of the DPA does not include any presumptive starting point or hurdle which either the requester or the objector has to overcome.
- The purpose behind a subject access request – where the dominant purpose is to obtain information for the purpose of litigation.
The CA found no general principle that the "interests of the requester, when balanced against the interests of the objector, should be treated as devalued by reason of such motivation."
The general position is that the "rights of subject access to personal data under Article 12 of the Directive and section 7 of the DPA are not dependent on appropriate motivation on the part of the requester".
In this case, a material part of the patient's objection was to check that accurate personal data of his had been used by the GMC and the expert in their consideration of his complaint. That objective was "squarely within the purpose for which subject rights are conferred by Article 13 of the Directive and section 7 of the DPA. Even if part of P's object was to obtain material which might help him in litigation against Dr P, that in no way diminishes the legitimacy or force of his interest to have communicated to him under section 7 information about his personal data as processed by the GMC and the expert."
- That the court effectively substituted its own assessment of the case for disclosure rather than reviewing the decision of the data controller.
The CA took a broad approach to the discretion given to data controllers and made three interesting comments which are worth noting (paragraph 86 of the judgment).
- "It is the data controller who is the primary decision-maker in assessing whether it is reasonable or not".
- "the legislature contemplated that individual data controllers should be afforded a wide margin of assessment in making the evaluative judgments required in balancing the privacy rights and other interests in issue under section 7(4)."
- "data controllers generally have a wide discretion as to which particular factors to treat as relevant to the balancing exercise."
GDPR and data subject requests
The CA’s decision was under the DPA 1998. Now, with the GDPR, there are a number of changes to the scope and type of rights available to data subjects.
Where a data subject exercised their rights before 25 May 2018 (i.e. under the previous law), the UK Data Protection Act 2018 includes transitional arrangements where the data controller had not yet completed the request by 25 May (broadly speaking, the DPA 1998 will still apply to such requests).
As with the exercise of data subject rights under the previous law, health and care organisations will need to continue to apply careful judgement when responding to data subject requests. Such judgements will need to take account of the legal obligations to data subjects including, where appropriate, to “third party” data subjects.
For more information read: Health and Care GDPR update.