Individuals have a right of access to their personal data, exercisable by making a subject access request (SAR) (section 7, Data Protection Act 1998) (DPA).
Where a data controller cannot comply with a request without disclosing information relating to another identifiable individual, it need not comply with the request unless that individual has consented to disclosure, or it is reasonable in all the circumstances to comply with the request without this consent (sections 7(4) and 7(5), DPA).
There is a presumption that the individual's consent should be obtained before disclosure, but this may be rebutted if it is reasonable in all the circumstances to comply with the request without obtaining consent (Durant v Financial Services Authority).
Section 7(6) of the DPA identifies four non-exhaustive factors in the balancing exercise, which include any duty of confidentiality owed to the other individual and any express refusal of consent by the other individual.
The court may make an order for disclosure of documents before civil proceedings have started in certain circumstances (Civil Procedure Rule (CPR) 31.16). Generally, a document that is disclosed under CPR 31 may only be used for the purpose of the proceedings in which it is disclosed (CPR 31.22).
Article 8 of the European Convention on Human Rights (Article 8) provides that everyone has the right to respect for their private and family life, their home and their correspondence.
P complained to the GMC, arguing that the incompetence of his GP, D, had resulted in a one-year delay in P's diagnosis of bladder cancer.
While investigating P's complaint, the GMC obtained an independent expert's report concerning D's professional competence. The report criticised the care that D had provided, concluding that it fell slightly below the expected standard. The GMC closed the complaint and provided a one-page summary of the report to D and P.
P submitted an SAR to the GMC for a full copy of the report. D refused to consent to disclosure of the report to P on the basis that it was D's personal data and the purpose of the request was litigation. However, the GMC decided that it was entitled to disclose the report to P without D's consent on the basis that this was consistent with its legitimate interests in the transparency of its decision-making process.
D issued proceedings against the GMC to prevent it from disclosing the report.
The High Court held that the medical report should not be disclosed to P.
The competing privacy rights of P and D in the personal data in the report had to be balanced. The GMC had given undue weight to less relevant factors such as the transparency of its proceedings. However, four factors pointed to refusal of the disclosure request:
The court set out three steps to guide data controllers in future balancing exercises:
This decision demonstrates the difficulty of conducting the balancing exercise to protect the rights and interests of both parties in mixed data cases. Although each case must be decided on its own merits, the judgment sets out three-step guidance for data controllers on conducting balancing exercises in cases of this type. As consent is a key factor, data controllers should consider contacting any third-party data subject identified soon after receiving an SAR to ask if they consent to disclosure.
If the sole or dominant purpose of the SAR is litigation, that is a weighty factor in favour of refusing the request. CPR 31 provides a more appropriate procedure, with protection against subsequent use of the disclosed document. Potential requesters should bear this in mind when considering the procedure to obtain the information, and when framing their request.
Case: Dr DB v General Medical Council [2016] EWHC 2331 (QB).
First published in the November issue of PLC Magazine and reproduced with the kind permission of the publishers.