Is your organisation dealing with data subject access requests properly?

December 09, 2016

The High Court judgment in Dr DB vs General Medical Council [2016] EWHC 2331 (QB) held that if the dominant purpose behind a Data Subject Access Request (“DSAR”) is litigation, this can be “a weighty factor in favour of refusal” of the DSAR by a data controller.

Although this was widely reported as the key takeaway from the case, an equally important point arises as to (1) the extent to which the General Medical Council (“GMC”) had adequate policies, procedures and processes in place to deal with DSARs; and (2) if the answer to (1) is yes, would this have changed the Court’s decision?

What happened?

  • A patient with a medical disease complained about the service he received from his doctor (“Dr DB”).
  • The GMC conducted an internal investigation regarding Dr DB’s fitness to practise and instructed an independent expert to prepare a report.
  • The report turned out to be critical of the care provided by Dr DB; however, it was ultimately concluded that Dr DB’s conduct did not fall ‘seriously below’ the standard expected. As such, the investigation was concluded with no further action.
  • The patient disputed this decision and requested access to the full report, which was later dealt with by the GMC as a DSAR.
  • Dr DB refused to consent to the patient’s request and, given that the report contained personal data of both Dr DB and the patient, the GMC’s Information Asset Manager conducted a ‘balance of interest test’ as required by section 7(6) of the Data Protection Act 1998 (“DPA”).
  • The GMC subsequently concluded that it would be fair and lawful (and not in breach of the data protection principles) to disclose the report to the patient.
  • Dr DB disagreed with this conclusion and argued that (amongst other things) the GMC had “unfairly prioritised its and the patient’s interests over Dr DB’s privacy rights which included the protection of his professional reputation”.

What did the Court decide?

In his judgment, Mr Justice Soole reminded himself that “it is not for the Court to substitute its own judgment or to ‘second guess’ the GMC”; however, he was “persuaded that the GMC’s balancing exercise did not adequately reflect” the following factors:

  1. Dr DB’s express refusal of consent to the disclosure of the report. This refusal of consent meant that the GMC should have started with the rebuttable presumption against disclosure;
  2. Dr DB’s status and privacy rights as a data subject; and
  3. the purpose of the patient’s request to use the report in the intended litigation against Dr DB.

With respect to point (3), the Court emphasised that the CPR 31 route[1] (which is available to the patient) provides both a less restrictive interference with Dr DB’s privacy right and the appropriate procedure for the patient’s real purpose in seeking the report (i.e. litigation).

Nevertheless, taking into account all three factors above, the Court has essentially unpicked the GMC’s DSAR process and held that “conscientious as it evidently was” it “fell into error and [the GMC] got the balance wrong”.

Handling DSARs – what does “good” look like?

In light of the Court’s decision in this case, it is important to appreciate what “good looks like” for an organisation in the context of having the ability to adequately handle DSARs. Ideally, an organisation would have a DSAR policy and/or procedure that:

  1. is in place;
  2. accurately reflects what is required by the DPA, the incoming EU General Data Protection Regulation (“GDPR”) and relevant ICO guidance as well as case-law;
  3. is well socialised and understood within the organisation (e.g. high-level DSAR training provided to staff annually and more specific role-based training to those responsible for responding to DSARs);
  4. is reviewed and updated where necessary in accordance with the outcomes of DSARs (which are continuously monitored); and
  5. is independently tested by a third party for assurance purposes. 

Together, the above points are all components of what we would consider as forming an "optimised" DSAR process.

GMC’s DSAR handling process

It is important to appreciate that even if an organisation has (1) to (5) above in place, our experience in failure cases (together with lessons learned from our Enforcement Tracker) tells us that pure and simple “human error” can nevertheless occur and cause an organisation to be non-compliant under the DPA. For example, in this particular case, it was on or before 8th September 2014 when the patient made a telephone request to the GMC for a copy of the report. In response, the GMC’s Investigation Officer erroneously referred the patient to the Freedom of Information Act 2000 and supplied a copy of the GMC’s “Information Request Form” for completion and return. It was only after one month had passed (on 9th October 2014) that the GMC wrote to the patient stating that “a request for personal information fell under the data subject access provisions of the DPA”.

Significantly, however, the Court’s decision was based on the GMC’s failure to appropriately take into account the factors described above in its balancing exercise. This suggests that the GMC may not have had a policy and/or procedure for DSARs in place and, even if it did, this policy and/or procedure may not have: (a) reflected the requirements under the DPA and case-law; and (b) been well socialised and understood by the organisation through appropriate and periodic training.

Would the Court’s decision have been different if…?

Whether the decision in this case will be appealed is yet to be seen, but it does leave an interesting question behind:

Would the same scrutiny have been applied by the Court, and the same outcome reached, had the GMC operated with an “optimised” DSAR process in place?

The Court noted that it would not “second guess” the GMC. In light of this, perhaps if the GMC had an “optimised” DSAR process in place and maintained its position of disclosing the report, the Court may have had a more difficult time in identifying and scrutinising the errors of the GMC’s DSAR process in order to reach the outcome against disclosure of the report. Equally, however, if the GMC did have an optimised DSAR process in place, it may have reached the same conclusion as the Court after its balancing exercise.


[1] The Civil Procedure Rules (“CPR”) make up a procedural code that parties pursuing or defending claims have to abide by in England & Wales. The overriding aim of the CPR is to enable the courts in England & Wales to deal with litigious cases justly. CPR Part 31 deals with the disclosure and inspection of documents pursuant to such cases.

Tughan Thuraisingam  | Solicitor – Cyber Security and Data Protection Legal Services | PwC - UK
[email protected] | +44 (0)20 7804 3770



Shervin Nahid  | Paralegal – Cyber Security and Data Protection Legal Services | PwC - UK
[email protected] | +44 (0)20 7213 3844