Data protection: disclosure of third party data in subject access request

<p class[="kilo">The High Court ruled that the General Medical Council (GMC) should not disclose a GP's fitness to practise report to a former patient in response to a data subject access request (SAR).

Background

Individuals have a right of access to their personal data, exercisable by making a data SAR (section 7, Data Protection Act 1998) (DPA) (section 7).
Where a data controller cannot comply with a request without disclosing information relating to another identifiable individual, it need not comply with the request unless that individual has consented to disclosure, or if it is reasonable in all the circumstances to comply with the request without this consent (sections 7(4) and 7(5), DPA). 

There is a presumption that the individual's consent should be obtained before disclosure, but this may be rebutted it is reasonable in all the circumstances to comply with the request without obtaining consent (Durant v Financial Services Authority).

Section 7(6) of the DPA identifies four non-exhaustive factors in the balancing exercise, which include any duty of confidentiality owed to the other individual and any express refusal of consent by the other individual. 

The court may make an order for disclosure of documents before civil proceedings have started in certain circumstances (Civil Procedure Rule (CPR) 31.16). Generally, a document that is disclosed under CPR 31 may only be used for the purpose of the proceedings in which it is disclosed (CPR 31.22).

Article 8 of the European Convention on Human Rights (Article 8) provides that everyone has the right to respect for their private and family life, their home and their correspondence.

Facts

P complained to the GMC, arguing that the incompetence of his GP, D, had resulted in a one-year delay in P's diagnosis of bladder cancer.

While investigating P's complaint, the GMC obtained an independent expert's report concerning D's professional competence. The report criticised the care that D had provided, concluding that it fell slightly below the expected standard. The GMC closed the complaint and provided a one-page summary of the report to D and P.

P submitted an SAR to the GMC for a full copy of the report. D refused to consent to disclosure of the report to P on the basis that it was D's personal data and the purpose of the request was litigation. However, the GMC decided that it was entitled to disclose the report to P without D's consent on the basis that this was consistent with its legitimate interests in the transparency of its decision-making process.

D issued proceedings against the GMC to prevent it from disclosing the report.

Decision

The High Court held that the medical report should not be disclosed to P.

The competing privacy rights of P and D in the personal data in the report had to be balanced. The GMC had given undue weight to less relevant factors such as the transparency of its proceedings. However, four factors pointed to refusal of the disclosure request:

• Following Durant, the GMC should have started with the rebuttable presumption against disclosure in the absence of D's consent.
• The focus of the report was on D's professional competence and the GMC had not given adequate weight either to D's status as a data subject or his privacy right in the report. D's privacy rights under Article 8 included the protection of his professional reputation. D had a reasonable expectation of privacy in the report, which was supported by the GMC's policy of disclosing a one-page summary to complainants in the event of a decision to take no further action. Interference with privacy rights had to be proportionate to the achievement of a legitimate aim. 
• D had explicitly refused to consent to disclosure and the GMC had not given that fact sufficient weight. 
• The GMC's decision did not take adequate account of the purpose of the request, which was intended litigation against D. P was not seeking the information to ensure the accuracy of personal data as contemplated by the DPA. If the report were to be disclosed under the DPA, D would be deprived of the protection provided by CPR 31 and in particular the CPR 31.22 restrictions on subsequent use of the document. CPR 31 was the appropriate procedure, given P's real interest in obtaining the report and the reduced interference with D's privacy rights. 

The court set out three steps to guide data controllers in future balancing exercises:

• The exercise involves a balance between the respective privacy rights of data subjects. 
• In the absence of consent, the starting point is against disclosure. Express refusal of consent is an additional specific factor to take into account. 
• If the sole or dominant purpose is to obtain a document for litigation purposes, then that is a weighty factor in favour of refusal on the basis that CPR 31 is the appropriate procedure. 

Comment

This decision demonstrates the difficulty of conducting the balancing exercise to protect the rights and interests of both parties in mixed data cases. Although each case must be decided on its own merits, the judgment sets out three-step guidance for data controllers on conducting balancing exercises in cases of this type. As consent is a key factor, data controllers should consider contacting any third-party data subject identified soon after receiving an SAR to ask if they consent to disclosure.

If the sole or dominant purpose of the SAR is litigation, that is a weighty factor in favour of refusing the request. CPR 31 provides a more appropriate procedure, with protection against subsequent use of the disclosed document. Potential requesters should bear this in mind when considering the procedure to obtain the information, and when framing their request.

Case: Dr DB v General Medical Council [2016] EWHC 2331 (QB).

First published in the November issue of PLC Magazine and reproduced with the kind permission of the publishers. Subscription enquiries 020 7202 1200.