Health Use
Data Protection Commission Case Studies
Doctor discloses sensitive personal data to insurance company without consent
This Office received a complaint from a solicitor acting on behalf of a data subject concerning the alleged further processing of the complainant’s personal data contained in medical records held by her General Practitioner (GP). It was alleged that medical records relating to the complainant were released to an insurance company by her GP, following a request made to the GP. The complaint stated that the GP had received a request from an insurance company seeking the complainant’s medical records relating to a knee injury she had suffered. It was alleged that, in replying to this request, the GP not only released data relevant to the knee injury, but also disclosed other sensitive medical information – including cervical smear test results, a colposcopy, correspondence regarding lesions and records relating to Carpal Tunnel Syndrome – none of which was related to the knee injury.
We wrote to the GP and asked that he provide an explanation as to what had occurred in this case. He responded stating that an insurance company had requested relevant information with respect to the patient concerned and her knee injury. He informed us that the request received stated that it ‘required copies of clinical consultations / surgery notes, investigations and associated results, treatments, referrals, outpatient appointments and repeat prescriptions from 18.2.2009 to the present date’. He stated that, inadvertently, copies of the patient’s records were supplied to the insurance company with some details which were not relevant to her knee injury and that this was obviously an oversight. He stated that he was deeply sorry that he had caused any distress or upset to his patient, whom he had known for thirty-five years. The GP stated that the complainant knew that he always endeavoured to keep a high standard in the practice and that she should understand his disappointment that the system used in releasing this information fell below the standard expected by the complainant and himself. He further stated that he hoped that she would accept his unreserved apology for the inadvertent disclosure of her records to the insurance company and that he completely understood how upset and disappointed she must be. He said that since this unpleasant and unfortunate error he had overhauled his practice procedures.
We wrote to the solicitor for the complainant outlining the GP’s response and also conveying the GP’s apologies. We stated that this Office’s approach to complaints is to try to seek an amicable resolution to the matter which is the subject of the complaint and we asked if his client would like to try to reach an amicable resolution of the complaint. They responded stating that their client wished for a formal decision of the Commissioner on the matter.
In considering this case, the key issue from a data protection perspective was the issue of consent. It was noted from the material provided that the complainant had completed and signed an insurance claim form which contained the following consent clause: “I authorise Financial Insurance Company Limited (the Underwriters) to make any enquiries and get any information they consider relevant from my doctor, employers or elsewhere. I understand that I must provide evidence to Financial Insurance Company Limited to prove my claim.” On the same claim form, the complainant supplied details of her accident and explained, as follows, why it prevented her from working: “Left knee injury. Tore Ligaments. Recovery Time Unknown. Waiting for Knee Surgery. On Waiting List.”
The insurance company concerned had sought the complainant’s medical records, supplied the relevant consent form and used the following terms in its request to the GP: “Can you please provide us with copies of the claimant’s medical records relevant to this claim. This includes all records relating to the medical conditions and associated symptoms which are the subject of this claim.”
It was clear from the insurance company’s request for medical records that it sought medical records relevant to the claim only. As the claim related to the complainant’s knee injury, the medical records sought related to that injury and the request did not extend beyond that. Equally, the complainant’s consent authorised the insurance company to make enquiries and to get any information considered relevant from her doctor and others. The consent was clearly limited to relevant information and it could not be interpreted as extending to all medical records held by the GP.
This Office issued a decision on this complaint which stated that the Commissioner was of the opinion, following the investigation of this complaint, that Section 2(1)(c)(ii) of the Data Protection Acts, 1988 & 2003 had been contravened by the GP by the further processing of the complainant’s sensitive personal data in the form of medical records unrelated to her knee injury. The contravention occurred when the GP, in responding to a request from an insurance company, disclosed to that insurance company certain medical records of the complainant without her consent.
Department of Education Circular Leads to Complaint about Sick Leave Information
We received a complaint relating to a Department of Education Circular (No. 0060/2010) concerning sick leave for registered teachers.
Specifically, the complaint focussed on certified sick leave and the requirement in the Circular that the nature of illness must be stated in a medical certificate in order for it to be acceptable.
Under the Data Protection Acts, medical data falls into the category of “sensitive personal data.” An employer has a legitimate interest in knowing how long an employee is likely to be on sick leave absence from work. It also has a legitimate interest in knowing whether an employee, following an accident or illness, is capable of doing particular types of work. Requiring employees to produce standard medical certificates to cover absences due to illness does not therefore present any data protection issues. But an employer would not normally have a legitimate interest in knowing the precise nature of an illness and it would therefore be at risk of breaching the Data Protection Acts if it sought such information. Even the consent of the employee may not allow the disclosure of such information to an employer as there may be a doubt as to whether such consent could be considered to be freely given in an employment context.
The Office raised the matter with the Department of Education. The Department indicated that the purpose of such information was to ensure that there was sufficient information available to the employer to make an informed decision as to whether or not to make a referral to the Occupational Health Service and/or to take appropriate steps, where necessary, in relation to health and safety matters. It said that in the context of a school, where the employer has a duty of care to its students and staff and where a teacher often has sole and unsupervised access to, and responsibility for, children this was particularly important. It stated that in the Department’s view, there was a strong legitimate public interest in ensuring that there was sufficient information to enable the employer to deal with any health and safety issues that may arise.
We accept that there are limited circumstances where employers may seek information from an employee in the context of an illness-related absence from work. Such situations may also permit a health professional to provide details of illness on request to an employer in specific circumstances where specifically warranted in a workplace context. Our guidance in relation to this matter (FAQ 3.7 on our website) makes it clear that in certain very specific circumstances a doctor may be legally obliged to report certain illnesses to an employer for health and safety reasons and we recognise the need for this practice, particularly in the case of contagious diseases.
However, any general practice of requiring all employees to specifically disclose their condition or illness to account for their sick absences from work does give rise to serious concerns from a data protection perspective as it does not adequately protect the sensitive personal data of those employees who may have an illness/condition which they consider private or sensitive.
We indicated to the Department that all of the considerations it had outlined had been considered by a Working Group established by the Department of Finance in 2010, which included representation from various Government Departments, this Office and the Attorney General’s Office. This led to the adoption of Department of Finance Circular 09/2010 setting out the Civil Service policy on the management of sick leave. In particular, Section 11 of that Circular states, among other things, that “While the nature of the illness does not have to be included in all circumstances, if it is not stated this may give rise to difficulties if seeking to have the absence discounted.” We consider that this approach represents an appropriate balance between the concerns outlined by the Department and the legitimate privacy expectations of employees.
Following our intervention, the Department confirmed that it was no longer advising schools/teachers that the nature of illness must be stated in all cases where a medical certificate is required. The Department also undertook to reflect this change when revising the current sick leave circular for teachers in order to ensure compliance with the Data Protection Acts. In addition, the Department indicated that relevant staff had been notified of our findings on this matter.
This case study highlights that employers should be aware that, in general, only limited relevant information should be sought from an employee submitting a medical certificate to account for a period of sick absence. Seeking excessive sensitive personal data in that context is a clear breach of the Data Protection Acts.
HSE West and a consultant ophthalmic surgeon breach the Acts
I received a complaint from a data subject about an alleged disclosure of personal information concerning his medical condition by a data controller. The data subject was involved in an insurance action with a third party in relation to an eye injury. The third party’s insurance company requested the data subject to attend a consultant ophthalmic surgeon for an assessment at his private surgery in Limerick. The consultant was also a consultant ophthalmic surgeon at the Mid-Western Regional Hospital in Limerick. The data subject had previously attended another consultant ophthalmic surgeon at the Mid-Western Regional Hospital as a public patient in relation to his eye injury.
The complaint was two fold. The first aspect related to the alleged release of the data subject’s hospital chart by the Mid-Western Regional Hospital to the consultant ophthalmic surgeon acting on behalf of the insurance company in his private practice. It was alleged that this took place without the data subject’s consent. The second aspect of the complaint related to the alleged unfair obtaining of the data subject’s hospital chart by the consultant ophthalmic surgeon.
The first point to be borne in mind in relation to this case was that the personal data in question, being medical records of the data subject, constituted ‘sensitive personal data’ as defined in the Acts. The central issue to be considered in this case, from a data protection point of view, was whether the HSE West, Mid-Western Regional Hospital complied in full with its obligations under the Acts.
Section 2 of the Acts deals with the collection, processing, keeping, use and disclosure of personal data. I was satisfied that no data protection issues arose in relation to sections 2(1)(a), (b), (c)(i), (c)(iii) or (c)(iv) of the Acts in relation to the Mid-Western Regional Hospital’s collection, processing, keeping and use of the data subject’s sensitive personal data. However, the disclosure of the data subject’s medical chart to the consultant ophthalmic surgeon had to be considered in the context of section 2(1)(c)(ii) of the Acts. This section provides that personal data shall not be further processed in a manner incompatible with the purpose for which it was collected. It was clear from my Office’s investigation that the consultant ophthalmic surgeon’s secretary at his private rooms contacted his secretary at the Mid-Western Regional Hospital to locate the data subject’s medical records relating to his eye condition. Following this contact, the secretary based at the hospital located the record and disclosed it to the consultant surgeon’s private surgery.
In assessing this issue from a data protection perspective, a clear distinction must be drawn between the consultant surgeon’s work within the HSE West, Mid-Western Regional Hospital as an employee of that hospital and his work carried out privately on behalf of an insurance company. The hospital’s disclosure of the medical records to the private rooms of the consultant surgeon undoubtedly involved the disclosure of those records from one data controller (the HSE West, Mid-Western Regional Hospital) to another (the consultant surgeon’s private surgery). It could not be regarded as information sharing within a single data controller because the consultant surgeon sought the data subject’s medical record from the hospital in his capacity as a separate data controller. In this instance he was not acting in his capacity as an employee of the HSE.
The medical record at the Mid-Western Regional Hospital in respect of the data subject was compiled in the course of his treatment for an eye condition. This was a specific, explicit and legitimate purpose. Any further use or disclosure of that medical record must be necessary for that purpose or compatible with the purpose for which the hospital collected and kept the data. The consultant surgeon was a separate data controller who sought this data for the purposes of an assessment of the data subject’s eye condition on behalf of an insurance company to facilitate their processing of an insurance claim. The processing of an insurance claim related to the data subject’s eye injury represented an entirely different purpose to the treatment of the data subject for an eye condition at the Mid-Western Regional Hospital.
There was also an obligation to meet the conditions set out in Section 2A of the Acts. These conditions included obtaining the consent of the data subject or deeming that the processing of the data was necessary for one of the following reasons:
· the performance of a contract to which the data subject is a party;
· in order to take steps at the request of the data subject prior to entering into a contract;
· compliance with a legal obligation, other than that imposed by contract;
· to prevent injury or other damage to the health of the data subject;
· to prevent serious loss or damage to property of the data subject;
· to protect the vital interests of the data subject where the seeking of the consent of the data subject is likely to result in those interests being damaged;
· for the administration of justice;
· for the performance of a function conferred on a person by or under an enactment;
· for the performance of a function of the Government or a Minister of the Government;
· for the performance of any other function of a public nature performed in the public interest; or
· for the purpose of the legitimate interests pursued by a data controller except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject.
In this case, the data subject did not give his consent to the Mid-Western Regional Hospital for the processing of his personal data involving the disclosure of his medical record to the consultant surgeon. In the absence of consent, the data controller must be able to meet at least one of the eleven conditions set out above. In this instance, the hospital did not meet any of those conditions.
To process sensitive personal data, in addition to complying with Sections 2 and 2A of the Acts, at least one of a number of additional special conditions set out in Section 2B(1) of the Acts must be satisfied:
– the data subject must give explicit consent to the processing or
– the processing must be necessary for one of the following reasons:
· for the purpose of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment;
· to prevent injury or other damage to the health of the data subject or another person, or serious loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or of another person in a case where consent cannot be given or the data controller cannot reasonably be expected to obtain such consent;
· it is carried out by a not-for-profit organisation in respect of its members or other persons in regular contact with the organisation;
· the information being processed has been made public as a result of steps deliberately taken by the data subject;
· for the administration of justice;
· for the performance of a function conferred on a person by or under an enactment;
· for the performance of a function of the Government or a Minister of the Government;
· for the purpose of obtaining legal advice, or in connection with legal proceedings, or for the purposes of establishing, exercising or defending legal rights;
· for medical purposes;
· for the purposes of political parties or candidates for election in the context of an election;
· for the assessment or payment of a tax liability; or
· in relation to the administration of a Social Welfare scheme.
As stated previously, the consent of the data subject, explicit or otherwise, was not obtained by the data controller for the processing of his personal data involving its disclosure by the Mid-Western Regional Hospital to the consultant surgeon. There are twelve conditions set out above, at least one of which must be met by a data controller in the absence of explicit consent before sensitive personal data can be processed. In this instance, the Mid-Western Regional Hospital did not meet any of those conditions.
I formed the opinion that the HSE West, Mid-Western Regional Hospital contravened Section 2(1)(c)(ii), Section 2A(1) and Section 2B(1)(b) of the Acts by processing the data subject’s sensitive personal data in a manner which was incompatible with the purpose for which it was obtained. This processing occurred when the consultant surgeon’s secretary at the Mid-Western Regional Hospital disclosed the data subject’s hospital medical file to his private practice secretary. In response to this incident the HSE West put in place improved controls for ensuring that requests for access to hospital files are justified and fully in line with the purpose for which health data is held. I welcome this.
I also considered whether the consultant surgeon had breached the requirements of the Acts by obtaining and using the file created in the Mid-Western Regional Hospital.
In light of my previous decision which found a number of contraventions of the Acts by the HSE West, it followed that the consultant surgeon unfairly obtained the data subject’s hospital file. However, it was also clear that this was done unintentionally and in good faith.
I accept that the lines can be blurred in some instances in the health sector between treatment provided by the public system and treatment provided by the private system (especially here in Ireland due to the public/private sector split). This can give rise to complexity in terms of data protection responsibilities as patient information flows between the public and private systems. However, no such complexity arises in relation to the transfer of personal data that is not related to the treatment of a patient (in this particular instance carried out on behalf of an insurance company). Organisations entrusted with personal data, and especially those holding sensitive personal data such as health information, have onerous responsibilities under the Data Protection Acts. These responsibilities reflect the position of trust afforded to such data controllers when they are given our personal data.
Data Controller breaches several provisions in its processing of Sensitive Personal Data
I received a complaint in May 2006 from a data subject regarding the use by her former employer, Baxter Healthcare S.A., of two medical reports relating to her. The data subject had been involved in an industrial accident at work in April 2002 which subsequently resulted in a prolonged absence from the workplace. During this absence, the data subject pursued a personal injuries claim against Baxter Healthcare. As part of this process, at the request of the solicitor acting on behalf of Baxter Healthcare’s insurers, she attended a consultant neurologist on two occasions for medical evaluation in 2003 and 2004. Early in 2005, the data subject became aware that the medical reports compiled as a result of those evaluations were in the possession of Baxter Healthcare. Through her solicitor, the data subject made an access request to Baxter Healthcare for copies of the medical reports. She was advised in writing that, as these reports were obtained in the context of her personal injury proceedings, her access request should be addressed to the solicitors, P. O’Connor & Son, acting for the insurers. Shortly afterwards, the data subject’s contract of employment was terminated. The decision by Baxter Healthcare to terminate the employment was stated to be on the basis of the medical evidence available to the company, including the medical reports compiled in 2003 and 2004 in the context of the data subject’s personal injury claim. Following her dismissal, the data subject brought a claim to the Labour Relations Commission against Baxter Healthcare under the Unfair Dismissals Acts 1977 to 2001. A hearing in relation to this case took place in April 2006 and the data subject alleged that, in the course of the hearing, copies of the medical reports were furnished by Baxter Healthcare to herself, to the Rights Commissioner and to all present. These medical reports had not previously been provided to her in response to her access request.
My Office conducted a detailed and extensive investigation of this complaint. This focused on two primary data protection issues, namely the use of the medical reports obtained to defend an insurance claim to support the dismissal of the data subject, and the disclosure of those same medical reports at a labour relations hearing. The company’s solicitor stated that the medical reports of the consultant neurologist were obtained for the legitimate purpose of defending personal injury proceedings instituted by the data subject and that the medical reports were also employed and required for the legitimate purpose of defending separate legal proceedings against Baxter Healthcare under the Unfair Dismissals Acts 1977 to 2001. It submitted that Section 2(1)(c)(i) of the Acts specifically envisages that data may be obtained and used for more than one purpose, provided that both purposes are legitimate. It went on to state that Section 2(1)(c)(ii) of the Acts only prohibits further processing insofar as that processing is incompatible with the original purpose or purposes. It argued that the use of the reports to defend legal proceedings against Baxter Healthcare under the Unfair Dismissals Acts could not be said to be incompatible with the original purpose, as the original purpose was to defend legal proceedings instituted by the data subject and the subsequent use was also to defend legal proceedings, albeit separate proceedings, brought by the data subject.
The data subject sought a decision on her complaint under Section 10(1)(b)(ii) of the Acts in June 2007. In my analysis of the data protection issues arising from this complaint, I found that the medical reports in question constituted ‘sensitive personal data’ within the meaning of the Acts. The medical reports were commissioned on behalf of Baxter Healthcare’s insurers, by its solicitors, for the purpose of the defence of the High Court personal injury claim instituted by the data subject. The reports were, however, used for three purposes:
They were used for the purpose for which they were generated in the first place, i.e. for the defence by Baxter Healthcare’s insurers of the High Court personal injury claim instituted by the data subject.
They were used in the decision taken by Baxter Healthcare to terminate the employment of the data subject.
They were used to defend legal proceedings taken by the data subject against Baxter Healthcare under the Unfair Dismissals Act at a hearing in April 2006.
No data protection issue arose in relation to the first use of the medical reports by Baxter Healthcare’s insurers in the context of its defence of the personal injury claim brought by the data subject.
With regard to the second use by Baxter Healthcare of the medical reports in the decision to terminate the data subject’s employment, this was done without the data subject’s consent. The general requirements that must be complied with by a data controller under the Acts in relation to the personal data of a data subject include the following:
the data shall have been obtained only for one or more specified, explicit and legitimate purposes
the data shall not be further processed in a manner incompatible with that purpose or those purposes
the data subject is informed of the purpose or purposes for which the data are intended to be processed
The consent of the data subject is the default position, as it were, for the fair processing and obtaining of personal data. Where it is absent, the data controller may not process personal data unless it can find another basis in the Acts. The Acts provide for the following exemptions which were potentially applicable in the present case:
the processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject (Section 2A (1)(d));
and (because sensitive data is involved)
the processing is required for the purpose of obtaining legal advice or for the purposes of, or in connection with, legal proceedings or prospective legal proceedings or is otherwise necessary for the purpose of establishing, exercising or defending legal rights (Section 2B(1)(b)(vii)).
All of these conditions must be met.
In my analysis of this complaint, I considered that the purpose for which the medical reports were originally obtained (the defence by Baxter’s insurers of the High Court personal injury claim instituted by the data subject) was not compatible with their further use to support the data controller’s decision to dismiss the data subject. I considered that, in the absence of the data subject’s consent, this processing of the data subject’s sensitive personal data constituted a breach of the Acts.
With regard to the third use by Baxter Healthcare of the medical reports to defend legal proceedings under the Unfair Dismissals Act, the same considerations arose in relation to the further use of the sensitive personal data at a hearing before a Rights Commissioner in April 2006, with the aggravating factor that the sensitive personal data was further disclosed to those involved in the hearing.
However, I had to consider if the processing of personal data in this case might benefit from the exemption in Section 8(f) of the Acts which provides that: “Any restrictions in this Act on the processing of personal data do not apply if the processing is …required…for the purposes of, or in the course of, legal proceedings in which the person making the disclosure is a party or a witness.”
I formed the opinion that this exemption cannot apply to sensitive personal data which has already been improperly processed to support the decision (dismissal) which was the subject matter of the legal process. I concluded that the use of the medical records to defend the Unfair Dismissals claim constituted a further breach of the Acts.
For completeness, my Decision in this case also found that Baxter had failed to comply fully with an access request made by the data subject.
This case demonstrates the care which data controllers must exercise in the processing of all personal data, including sensitive personal data, in its possession. It is unacceptable for a data controller to seek to take advantage of personal data which may be in its possession and to use it for some purpose unrelated to the purpose for which it was originally obtai
Caredoc: Failure to comply with an access request and appeal of an enforcement notice
I received a complaint from the parents of a child that Caredoc (a medical facility in Carlow) had failed to comply with an access request under Section 4 of the Acts for access to the child’s personal data.
My Office received the complaint in January 2006 and commenced an investigation. We established that the child had attended Caredoc in May 2004 and that the access request was made by the solicitor for the child’s family in August 2005. Prior to the complaint being submitted to my Office, Caredoc’s solicitors informed the legal representative for the child’s family that the access request raised matters of serious importance to their clients and that they wished to be absolutely sure of their position prior to making a formal reply.
During the course of my Office’s investigation, we exchanged correspondence on several occasions with Caredoc’s solicitors. We posed a number of key questions on the matter, none of which were answered to the satisfaction of my Office. At one point we were advised that the access request had thrown up a serious difficulty with which Caredoc was trying to come to terms. Caredoc’s solicitors acknowledged that their client owed statutory obligations on foot of the Data Protection Acts but stated that their client also owed a number of other conflicting obligations which needed to be reconciled properly with all the persons concerned before they were in a position to comply with the access request. In later correspondence, my Office was told that the request had raised a fundamental problem for Caredoc concerning the information gathered by them both physically and electronically and that the opinion of Senior Counsel was required. This was accepted in good faith on the basis that such advice would be forthcoming promptly. In a further letter, Caredoc’s solicitors informed my Office that genuine difficulties had arisen as a result of the circumstances thrown up by the access request and that Caredoc was anxious not to have any adverse precedents set in relation to the confidentiality issue as between doctor and patient. Throughout the investigation, my Office continued to remind Caredoc of its obligations to comply with the access request and we advised them that failure to proceed to release the information was a contravention of Section 4(1) of the Acts. At the end of June 2006, having exchanged a large volume of correspondence and with no prospect of the legal advice emerging, my Office gave Caredoc’s solicitors a final opportunity to respond to the key questions which we had raised with them. They failed to respond and I subsequently served an Enforcement Notice on Caredoc in July 2006 pursuant to Section 10 of the Acts.
There were a number of reasons for my decision to serve an Enforcement Notice on Caredoc. From the information available to me, I believed that information collected by Caredoc on the date in question likely constituted sensitive personal data within the meaning of the Acts. I believed that Caredoc had not complied with an access request and was, therefore, in contravention of Section 4(1) of the Acts. Furthermore, I believed that, given the passage of time and the continued failure of the data controller or their legal representatives to engage substantively with my Office, an Enforcement Notice was required to ensure compliance.
The Enforcement Notice required Caredoc, within a period of twenty one days, to provide the solicitor of the child’s family with the personal data relating to the attendance of the child at Caredoc’s facility in Carlow in May 2004. In line with their legal entitlements, pursuant to Section 26 of the Acts, Caredoc appealed to the Circuit Court against the requirement specified in the Enforcement Notice. The appeal was listed for hearing in Carlow Circuit Court in December 2006. At the Court hearing, Caredoc withdrew the appeal and agreed to supply the personal data sought.
I was very satisfied with the outcome of this case. Firstly, it ensured that the patient in question received access to their full medical records. Secondly, the case was significant for my Office as I used my full legislative powers to compel the provision of the records in question when Caredoc had repeatedly delayed in doing so. Thirdly, the case was all the more acute as it related to sensitive medical information which a patient has a right to access except in certain very limited circumstances. Finally, the patient in question was a minor and the access request was made on his behalf by his mother.
Life assurance company and medical reports – access request denied
I received a complaint from a data subject who had not been given copies of medical reports, commissioned from independent specialists by a life assurance company in connection with her on-going income continuance claims – the Company had discontinued her claims on the basis that she was no longer fulfilling the definition of disability, as required under her policy.
In investigating this complaint, I reiterated that the Data Protection Acts give people a statutory right of access to their data, including their medical records, and that this right can only be limited or set aside in very specific and narrow circumstances.
The Company had cited the exemptions in section 5(1)(f) and 5(1)(g) as a basis for denying access to certain reports.
Section 5(1)(f) of the Acts provides that the right of access to personal data does not apply to personal data:
“(f) consisting of an estimate of, or kept for the purpose of estimating, the amount of liability of the data controller concerned on foot of a claim for the payment of a sum of money, whether in respect of damages or compensation, in any case in which the application of the section would be likely to prejudice the interests of the data controller in relation to the claim.”
I considered that medical reports commissioned by a life assurance company are for the purpose of assessing a claim. I found that the exemption in section 5(1)(f) permits a data controller, who puts on file an estimate of the amount of money that may be needed to meet a claim for compensation, to plead an exemption if the release of that estimate would be prejudicial. The contents of the medical reports at issue in this case did not relate to estimating liability per se. Rather, they related to whether or not there is a disability and opinions about capacity to work. It was therefore my view that this exemption cannot be claimed in respect of medical reports.
The company also proposed to withhold other reports on the basis of legal privilege as provided in section 5(1)(g), as they believed that they would ‘seriously prejudice (their) defence in any action’. Section 5(1)(g) provides that the right of access to personal data does not apply in respect of data:
“(g) in respect of which a claim of privilege could be maintained in a court in relation to communications between a client and his professional legal advisers or between those advisers.”
In assessing whether privilege could be claimed, it is necessary to look at the purpose of the referral to the doctor and specifically whether it was in anticipation of legal proceedings or to obtain legal advice. My staff outlined to the Company that it is important when a life assurance company commissions a report that the claimant fully understands the purpose of the examination e.g. the purpose being for the company to assess and to come to a decision on a claim. Whether the reports were commissioned in anticipation or furtherance of litigation and thus attract privilege, falls to be determined on a case by case basis.
It was understood that the decision in this case might ultimately be challenged in court and the Company indicated that in their opinion there was a high likelihood of this. The exemption refers to a potential situation where ‘a claim of privilege could be maintained in a court in relation to communications between a client and his professional legal advisers or between those advisers’. In this case, my staff considered that it was conceivable that such a claim could be maintained in a court. Therefore, it was held that certain medical reports specified by the company may be withheld pursuant to section 5(1)(g) pending any court proceedings.
Disclosure of patient details to the National Treatment Purchase Fund
I received a complaint from a public hospital patient whose data had been disclosed to the National Treatment Purchase Fund (NTPF).
My staff noted that regulation 4(b) of Statutory Instrument No. 179 of 2004, the National Treatment Purchase Fund Board (Establishment) Order 2004, states –
“Without prejudice to section 52 of the Health Act, 1970 the functions of the board are as follows :
(b) to collect, collate and validate information in relation to persons waiting for hospital treatment and to put in place information systems and procedures for that purpose”.
As the hospitals had collected the patient data for the purpose of patient treatment, it was considered that disclosure to the Fund is compatible with the purpose for which the patients had given their data to the hospital in the first place. Furthermore, the transmission of the data was for a statutory purpose relating to treatment. It was therefore considered that disclosure of data to the NTPF Waiting List Register was compatible with the purpose for which hospitals hold the data and therefore satisfied section 2(1) of the Data Protection Acts.
It was also considered that section 2A(1)(c) (iv) provides a basis for disclosing the data. This provides for processing of personal data (defined to include ‘disclosure’) necessary “for the performance of any other function of a public nature performed in the public interest by a person”.
As the data includes sensitive personal data as to health, one of the conditions specified in section 2B must also be satisfied. In this regard section 2B (1)(b)(vi)(11) provides that sensitive data shall not be processed (defined to include ‘disclosure’) unless, inter alia,
“the processing is necessary –
(11) for the performance of a function conferred on a person by or under an enactment”.
I was of the view that this allows the National Treatment Purchase Fund to collect information in respect of persons on waiting lists in order to manage and facilitate their treatment and that this was compliant with the Acts.
The National Treatment Purchase Fund had consulted my Office about this process and our advice was that patients should be informed that the disclosure had been made and given the opportunity to have their data deleted by the Fund. This advice was implemented. It is important to also emphasise that the Waiting List Register does not involve the publication of personal data. Only the National Treatment Purchase Fund and the relevant hospital (in respect of its own patients) has access to specific personal data.
Employment matters – claim of legal privilege and access to medical data in the workplace
An employee of a major national company had been requested to attend a doctor nominated by the employer in the context of his on-going sick leave. His employment was subsequently terminated and he made an access request under section 4 of the Data Protection Acts for a copy of the medical report. The company refused him access on the grounds that the employee had initiated legal proceedings against the company, that the report was privileged and that it did not have to be released as section 5(1)(g) applied. This section provides that the right of access under section 4 of the Acts does not apply to personal data
“(g) in respect of which a claim of privilege could be maintained in proceedings in a Court in relation to communications between a client and his professional legal advisers or between those advisers.”
I pointed out that there are two main categories of legal professional privilege recognised by Irish Courts:
• Confidential communications between a person and his lawyer seeking or giving legal advice, and documents created by either party to provide or to obtain such advice, are privileged.
• Documents created by either lawyer or client in anticipation or furtherance of litigation are also privileged. Therefore, communications between a person and his lawyer which provide legal advice or assistance, and documents created to obtain or produce such advice or assistance, are privileged if given or created in anticipation or furtherance of litigation.
In deciding whether privilege could be claimed, I considered the purpose of the referral to the doctor and specifically whether it was in anticipation of legal proceedings or to obtain legal advice or whether the purpose was to determine fitness for work.
The complainant stated that he had been requested by letter to attend the doctor to have his condition assessed due to his on-going sick leave – no reference was made to attendance being requested in connection with any court proceedings. The company however sought to claim to my Office that the report had been sought on legal advice and in anticipation of possible future legal proceedings. I found that while there may indeed have been a possibility of legal proceedings in relation to other matters, the first formal notification of court proceedings was sent by the data subject’s solicitors many months later. I further found that the purpose of the medical examination should be clear to the data subject at the time that he attends the doctor.
The employee in this case was clearly under the impression that the referral was related to assessing his fitness for work only. It is an important Data Protection principle that another purpose cannot be introduced retrospectively. Furthermore, information about the purpose is required to be provided to the employee (data subject) pursuant to section 2(D)(i) and (ii) of the Acts, otherwise personal data is not treated as “fairly processed”.
Privilege is an important feature of court proceedings but it should not be used as a veil to seek to restrict access where it cannot be justified. As section 5(1)(g) relates to personal data in relation to communications between a client and his professional legal advisers or between those advisers, I took the view in this case that a copy of a medical report prepared for a specific personnel purpose could not be considered as such a “communication” which would attract privilege. Also, there are very limited restrictions on an individual’s right of access to his or her medical data. The Data Protection (Access Modification)(Health) Regulations, 1989 provide that restrictions on access must be based on opinion by a medical professional that allowing access would cause serious harm to the individual’s physical or mental health. As “harm” was not an issue, I therefore concluded that section 5(1)(g) of the Data Protection Acts, 1988 and 2003 could not be relied upon by the company to restrict his access to a copy of the medical report in question. I was pleased that the company accepted my view.
In another employment related case, I established that a data controller cannot avoid dealing with an access request for an employee’s medical report on the premise that it has been returned to the author of the report. To deal with such requests, organisations should have a clear procedure in place. The request may be for (1) the report itself and/or (2) the data on the medical file. When an access request for medical data is received, the Company Doctor/Medical Officer should be immediately advised and should make the data available unless it is considered ‘harmful’ to do so.
On a related question, it is sometimes considered that the employee’s consent is needed for referral to a company doctor. Generally, an employer will have the right under the contract of employment to refer an employee for a medical report. Processing of personal data in a medical report involves sensitive data, and section 2(B)(i) of the Acts provides that a data controller must obtain “explicit” consent from a data subject before sensitive data may be processed. Alternatively, section 2B(ii) provides for processing which “is necessary for the purpose of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment.”
Relying on freely given consent implies that an employee has a right to refuse referral. Given the employer’s rights under the contract of employment, this may not fully reflect the entirety of the rights and obligations involved. Therefore when the employee agrees to attend the doctor, what is important is that the employee clearly understands that s/he is required to attend the medical assessment for a particular purpose e.g. to determine whether s/he is fit to return to work and attends on that basis alone. On the other hand, if the purpose is connected with anticipation of or defence of legal proceedings then the employee should know that this is the basis for the referral.
Drogheda Hospital – investigation into a consultant’s practice – patients felt consent was necessary – balance to be struck with concerns for public health issues overall
I received many complaints from former patients of a Drogheda hospital in relation to the manner in which an investigation was carried out by a health board into the conduct of a consultant’s practice. They complained that in the course of its investigation, the health board had sent copies of patients’ records and charts to a UK based healthcare risk management group and to an Irish review group without the consent of the individuals involved in 1998 and subsequently.
When I began to investigate the matter, I established that the data that had been disclosed by the Health Board prior to 1 July 2003 was manual data, consisting of patient files, theatre files, etc. The Data Protection Act, 1988 applied only to personal data held on computer, whereas the Data Protection (Amendment) Act, 2003 applies to manual data from 1 July 2003. The manual data in question had been referred in 1998 and was therefore not within the remit of my Office. Nevertheless, given the major issue involved, the matter was given full consideration as if the principles of both Acts applied.
The background to these complaints was that in October, 1998 the Health Board was made aware of serious concerns in relation to the management of patients under the care of a Consultant Obstetrician/ Gynaecologist, as a result of which a preliminary assessment was carried out in relation to the perceived concerns regarding his clinical practice. The records of 42 patients were involved and to ensure patient privacy and confidentiality, patients were numbered consecutively and this numbering was used in the management of all subsequent classifications in the review process.
Initially the records of 3 patients were sent to the UK based company for risk assessment review. Consultation was then undertaken by the Health Board with the Chairman of the Institute of Obstetrician and Gynaecologists in Ireland, who indicated that the Institute would assist the Board in order to conduct a review. The Board stated that it was their intention to deal with the alleged serious concerns regarding the Consultant and his practice in a confidential and sensitive process, having regard to the Board’s statutory duty of care and service management to patients availing of services within its area. The Review was carried out by the Institute at the request of the Health Board, and consisted of three independent Obstetrician Gynaecologists. The Terms of Reference included a request to assess and consider the nature and merit of the concerns of the Health Board.
The Health Board maintained that it had a duty of care to patients within the Health Board area and that, when it was apprised of serious concerns relating to patient care, immediate legal and medical advice was sought; it was in this regard that charts were provided in a confidential manner to the Review Group following consultation with the Institute of Obstetricians and Gynaecologists. It also stated that at this stage the well-being of patients and the wider population was the primary concern. The Health Board set up help lines and counselling services following the significant media coverage of the concerns in December 1998 regarding the consultant’s practice. Following receipt of the Review Group’s Report in April 1999, the help-line was re-activated and direct contact was made by letter and telephone with the General Practitioners of the patients involved, who were asked to advise patients directly about the report and the options available to them.
The general principle of the Data Protection Acts is that personal data should only be processed and disclosed to other parties with the patient’s consent unless one of the provisions of section 8, which lift the restrictions on disclosure in limited and defined circumstances, apply.
Section 8(b) provides that –
“8.-Any restrictions in this Act on the processing of personal data do not apply if the processing is –
(b) required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the State, a local authority or a health board, in any case in which the application of those restrictions would be likely to prejudice any of the matters aforesaid…”
while section 8(d) provides that –
“8- Any restrictions in this Act on the processing of personal data do not apply if the processing is-
(d) required urgently to prevent injury or other damage to the health of a person or serious loss of or damage to property.”
Section 8 therefore recognises that privacy rights are in no sense absolute and must constantly be balanced against other competing interests including society’s right to be made aware of particular information.
The matter which had to be considered by me, therefore, in terms of the Data Protection Acts, was whether the Board could rely on any of the provisions of section 8 as a basis for the referral of case files to the UK company and subsequently to the Enquiry by the Institute of Obstetricians and Gynaecologists, without the consent of the patients involved.
In routine referrals anonymised information should only be disclosed; charts etc might not need to be forwarded and indeed prior patient consent should be sought. However, in a case such as this when a serious matter, with implications for the health and welfare of past patients and indeed possible dangers for current and future patients, was brought to its attention, I deemed that the Board had a duty to fully establish all of the facts using whatever expert resources were necessary and indeed in a speedy and urgent manner. I considered that the Board were justified in disclosing the files in order to protect the health of those who had had the procedures carried out by the consultant and also so that necessary steps could be identified to avoid inappropriate procedures in the future. Having regard to the serious and far-reaching public health issues and circumstances involved, I considered that the Board were justified in making the disclosures under section 8(b) and section 8(d) of the Acts.
Furthermore, I considered that the disclosure by the Board was a compatible disclosure within the meaning of section 2 of the Acts. Section 2 (1) (c) (ii) provides that “data shall not be further processed in a manner incompatible with that purpose or those purposes” (for which it is held). I considered that the disclosure of patient data for the limited purpose of practice review in the wider interest of public health and, subject to confidentiality and privacy safeguards, was consistent with the purpose for which personal data was held by a healthcare provider. However, while names of patients were also included in the charts supplied to the reviewing bodies it would have been prudent, if it were feasible, given the urgency and importance of the investigation, to delete all references to patients so that only anonymised information was released.
I deeply appreciate and I am glad that the matter was brought to my attention by concerned and reasonable patients as it raised serious matters in the healthcare area regarding data protection.
Access to medical records on a change of general practitioner
A person contacted me regarding her difficulty in obtaining her actual medical file which she had formally requested from the local Health Centre under section 4 of the Data Protection Acts. She explained that she was a private patient of a doctor at the Centre which catered for General Medical Service’s patients – the doctor treated patients on a private basis also. Her doctor had left the practice and had passed her records to his replacement in the Centre. She had received advice from her local Health Board that, under normal protocols, files associated with a general practitioner would transfer to the successor on the General Medical Service’s panel. However, files relating to private consultations between an individual and their general practitioner were a different matter. This is an important and correct distinction in Data Protection Law because the patient was a private patient. The doctor is therefore the data controller in respect of private patients and not the Health Centre or the Health Board.
In the course of our investigations, my Office established that the replacement GP had offered the complainant a copy of her medical notes but not the actual file, which is consistent with his obligations under the Acts. He had taken legal advice regarding the transfer of her notes to him and was satisfied that he, as a principal of the health centre, was entitled to custody of the complainant’s file.
My Office informed the complainant that she had a right, under section 4 of the Acts, to access her data, but did not have a right to obtain her actual file. I also advised that if she wished to transfer as a patient to another practitioner outside the health centre, she could request that a copy of her medical records be sent to her new GP. However, the GP at the health centre is entitled to retain custody of her file for medico-legal and other professional requirements.
General Practitioners are at the coal face of the medical service and patients are happy to put confidence and trust in them regarding their personal data. A health service can be delivered in an efficient and effective manner while at the same time respecting people’s privacy. The general nature of data protection law, to the extent that it leaves scope for ambiguity, entails a certain lack of legal certainty and clarity. For this reason, I liaised with the Irish College of General Practitioners and the National General Practice Information Technology Group, which led to the timely publication in November 2003 of “An Information Guide to the Data Protection Acts for General Practitioners”. The Guide addresses the issues surrounding custody of patients’ data raised in this case and advises that General Practitioners should take prompt reasonable steps to notify patients of cessation of practice and allow them the opportunity to transfer their health information to another provider. It also says that
“where a patient decides to transfer to another doctor, the existing doctor should, in accordance with data protection law and ethical guidelines, facilitate that decision by making available to the patient’s new doctor a copy of the patient’s health information. The existing doctor should, however, maintain the patient information record accumulated at that time for an adequate period consistent with meeting legal and other professional responsibilities. During that period, the provisions of the Data Protection Acts continue to apply to that information.”
In this case, I was pleased that the newly appointed doctor was following the guidance on the transfer of records. The case also highlights the important distinction between a data controller in respect of public patients (which is the Health Board or hospital or Health Centre as the case may be) and private patients (which is the relevant health professional).
Prosecution of Glen Collection Investments Limited and One of its Directors
The investigation in this case established that the defendant company obtained access to records held on computer databases in the Department of Social Protection over a lengthy period of time and that a company director used a family relative employed in the Department of Social Protection to access the records. The defendant company had been hired by a Dublin-based firm of solicitors to trace the current addresses of bank customers that the respective banks were interested in pursuing in relation to outstanding debts. Having obtained current address information or confirmed existing addresses of the bank customers concerned from the records held by the Department of Social Protection, the defendant company submitted trace reports containing this information to the firm of solicitors which acted for the banks. The case came to light on foot of a complaint which we received in February 2015 from a customer of AIB bank who alleged that an address associated with him and which was known only to the Department of Social Protection was disclosed by that department to an agent working on behalf of AIB bank.
The Data Protection Commissioner decided to prosecute both the company and the director in question, Mr Michael Ryan. Glen Collection Investments Limited was charged with seventy-six counts of breaches of the Data Protection Acts, 1988 & 2003. Sixty-one charges related to breaches of Section 19(4) of the Data Protection Acts for processing personal data as a data processor while there was no entry recorded for the company in the public register which is maintained by the Data Protection Commissioner under Section 16(2) of the Data Protection Acts. Fifteen charges related to breaches of Section 22 of the Data Protection Acts for obtaining access to personal data without the prior authority of the data controller by whom the data is kept and disclosing the data to another person.
Mr. Michael Ryan, a director of Glen Collection Investments Limited, was separately charged with seventy-six counts of breaches of Section 29 of the Data Protection Acts, 1988 & 2003 for his part in the offences committed by the company. This Section provides for the prosecution of company directors where an offence by a company is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of the company directors or other officers.
The cases against Glen Collection Investments Limited and its director were called in Tuam District Court in January, May and July of 2016 before the defendants eventually entered guilty pleas on 10 October 2016. While the defendant company was legally represented in court on all occasions, the Court issued a bench warrant for the arrest of the company director, Mr Ryan, on 10 May 2016 after he had twice failed to appear. The bench warrant was executed at Tuam District Court on 10 October, 2016 prior to the commencement of that day’s proceedings.
At Tuam District Court on 10 October 2016 Glen Collection Investments Limited pleaded guilty to twenty-five sample charges – thirteen in relation to offences under Section 22 and twelve in relation to offences under Section 19(4). The company was convicted on the first five counts with the remainder taken into consideration. The court imposed five fines of €500 each. Mr. Ryan pleaded guilty to ten sample charges under Section 29. He was convicted on all ten charges and the court imposed ten fines of €500 each. In summary, the total amount of fines imposed in relation to this prosecution was €7,500.
The Necessity to Give Clear Notice When Collecting Biometric Data at a Point of Entry
In October 2015, we received a complaint from a contractor in relation to the alleged unfair obtaining and processing of their personal data. The complainant stated that in the course of attending a data centre for work-related purposes the company had collected their biometric data without their consent and had also retained their passport until they had completed the training course. While the complainant had been advised in advance by the data controller to bring identification on the day of attendance at the data centre for security purposes, they had not been informed at that time that the data controller would be collecting their biometric data upon arrival at the data centre.
In the course of our investigation, we established that the data controller had collected the complainant’s biometric data upon their arrival at the data centre by way of a fingerprint scan. However, no information about this process had been provided to the complainant at that time – they were simply told that they could not go through security without this biometric fingerprinting. The data controller confirmed to us that this fingerprint scan data had not been retained, rather it had been used to generate a numerical template which was then stored in encrypted form and that numerical information was associated with a temporary access badge provided to the complainant for the duration of the time which the complainant was in attendance at the data centre. The data controller confirmed that it had deleted this information from its system and back-up files at the data subject’s request upon the data subject’s departure from the data centre. The data controller further confirmed that, while it had retained the complainant’s passport for the duration of the complainant’s attendance at the data centre pursuant to a policy to ensure the return of temporary access badges, it had not taken or retained a copy of the complainant’s passport.
The complainant in this case did not wish to accept the offer of amicable resolution made by the data controller and instead requested that the Commissioner make a formal decision on their complaint.
The decision by the Data Protection Commissioner in October 2016 found that the data controller contravened Section 2(1)(a) and Section 2D(1) of the Data Protection Acts 1988 and 2003, as the data controller should have supplied the complainant with the purposes of the collection and processing of the biometric data, the period for which it would be held and the manner in which it would be retained, used and, if applicable, disclosed to third parties. This could have been done by the data controller either when it was in contact with the complainant to advise them of the requirement to bring identification to gain entry to the data centre or, at the latest, at the time the complainant arrived at the data centre.
However, in relation to the obtaining and processing of the complainant’s biometric data, having reviewed the information provided by the data controller in the course of the investigation by this office, the Data Protection Commissioner found that the data controller had a legitimate interest under Section 2A(1)(d) of the Acts in implementing appropriate security procedures for the purposes of safeguarding the security of the data centre, in particular for the purposes of regulating and controlling access by third parties to the data centre. Given that the biometric data was used solely for the purposes of access at the data centre, was not transferred to any other party and was deleted in its entirety at the data subject’s request upon departing the data centre, the Data Protection Commissioner’s view was that this did not amount to potential prejudice which outweighed the legitimate interests of the data controller in protecting the integrity of the data centre and preventing unauthorised access to it. Accordingly, the Data Protection Commissioner concluded that the data controller had a legal basis for processing the complainant’s biometric data.
In relation to the retention of the complainant’s passport for the duration of their visit at the data centre, the Commissioner found that this did not give rise to any contravention of the Data Protection Acts 1988 and 2003, as the data controller had a legitimate interest in doing so and the limited processing of the complainant’s passport information (i.e. the retention of the passport itself) did not give rise to any disproportionate interference with the complainant’s fundamental rights.
Transparency is a key principle under data protection law and the giving of notice of processing of personal data to a data subject is a major element of demonstrating compliance with this principle. In particular, the central tenet that individuals whose data is collected and processed should not generally be “surprised” at the collection and processing or its scale or scope, should inform all aspects of a data controller’s data processing operations.
Residential Care Home’s Legitimate Use of Audio Recording and Photograph of Data Subject Concerning Allegations of Misconduct
We received a complaint from a former employee of a residential care home who claimed that photographic evidence and an audio recording of them were used in a disciplinary case against them by their employer resulting in their dismissal.
During our investigation, the complainant’s former employer (the operators of the residential care home) advised us that a formal, externally led investigation had been conducted into allegations that the complainant had been found by a supervisor to be asleep during a night shift on two separate occasions. On the nights in question, the complainant had been the sole staff member on duty responsible for the care of a number of highly vulnerable and dependent adults who had complex medical and care needs and who needed to be checked regularly. Having discovered the complainant asleep on the first occasion, the supervisor had warned the complainant that if it happened again it would be reported in line with the employer’s grievance and disciplinary procedure. On the second occasion, when the supervisor discovered the complainant to be asleep, fully covered by a duvet on a recliner with the lights in the room dimmed and the television off, the supervisor had used their personal phone to take photographs of the complainant sleeping and make a sound recording of the complainant snoring. The allegations had been upheld by the investigation team and a report prepared. This was followed by a disciplinary hearing convened by the employer. The employer had informed the complainant at that hearing that it accepted the verbal and written account given by the supervisor. The employer had found that the act of sleeping on duty constituted gross misconduct in light of the vulnerabilities and dependencies of the clients in the complainant’s care and the complainant had been dismissed.
Having regard to the information supplied to us by the operators of the residential care home and, in particular, the vulnerability of the clients involved and the nature of the complainant’s duties, we formed the view that no breach of the Data Protection Acts 1988 and 2003 had occurred. In this case, we considered that the processing of the complainant’s data, by way of the photograph and audio recording made by the supervisor, and the subsequent disclosure of these to the employer was necessary for the purposes of the legitimate interests pursued by the data controller, the employer, under Section 2A(1)(d) of the Data Protection Acts 1988 and 2003. This legal basis for processing requires the balancing of the data controller’s (or a third party’s or parties’) legitimate interests against the fundamental rights and freedoms or legitimate interests of the data subject, including an evaluation of any prejudice caused to those rights of the data subject.
We considered that the processing of personal data here was limited in nature and scope as it consisted of a one-off taking of a photograph and the making of an audio recording by the supervisor, who acted of their own volition and not in response to any direction or request from the employer. There had been limited further disclosure of the personal data concerned afterwards, i.e. to the employer, while the original photograph and recording were deleted from the supervisor’s phone. A copy of the material had also been provided to the complainant in advance of the complainant meeting the investigation team. We therefore considered that, in the circumstances, the processing was proportionate and that the legitimate interests of the data controller (and indeed the legitimate interests of third parties, being the clients of the residential care home) outweighed the complainant’s right to protection of their personal data.
While the right to protection of one’s personal data attracts statutory protection within the national legal system and, moreover, is a fundamental right under EU law, such rights are not absolute. Accordingly, they must be interpreted to allow a fair balance to be struck between the various rights guaranteed by the EU legal order. In particular, as this case demonstrates, data-protection rights should not be used to ‘trump’ the rights of particularly vulnerable members of society or the legitimate interests pursued by those organisations responsible for safeguarding the health and life of such persons in discharging their duties of care and protection.
The Necessity to Give Clear Notice When Collecting Biometric Data at a Point of Entry
In October 2015, we received a complaint from a contractor in relation to the alleged unfair obtaining and processing of their personal data. The complainant stated that in the course of attending a data centre for work-related purposes the company had collected their biometric data without their consent and had also retained their passport until they had completed the training course. While the complainant had been advised in advance by the data controller to bring identification on the day of attendance at the data centre for security purposes, they had not been informed at that time that the data controller would be collecting their biometric data upon arrival at the data centre.
In the course of our investigation, we established that the data controller had collected the complainant’s biometric data upon their arrival at the data centre by way of a fingerprint scan. However, no information about this process had been provided to the complainant at that time – they were simply told that they could not go through security without this biometric fingerprinting. The data controller confirmed to us that this fingerprint scan data had not been retained; rather, it had been used to generate a numerical template which was then stored in encrypted form, and that numerical information was associated with a temporary access badge provided to the complainant for the duration of the time during which the complainant was in attendance at the data centre. The data controller confirmed that it had deleted this information from its system and back-up files at the data subject’s request upon the data subject’s departure from the data centre. The data controller further confirmed that, while it had retained the complainant’s passport for the duration of the complainant’s attendance at the data centre pursuant to a policy to ensure the return of temporary access badges, it had not taken or retained a copy of the complainant’s passport.
The complainant in this case did not wish to accept the offer of amicable resolution made by the data controller and instead requested that the Commissioner make a formal decision on their complaint.
The decision by the Data Protection Commissioner in October 2016 found that the data controller contravened Section 2(1)(a) and Section 2D(1) of the Data Protection Acts 1988 and 2003, as the data controller should have supplied the complainant with the purposes of the collection and processing of the biometric data, the period for which it would be held and the manner in which it would be retained, used and, if applicable, disclosed to third parties. This could have been done by the data controller either when it was in contact with the complainant to advise them of the requirement to bring identification to gain entry to the data centre, or, at the latest, at the time the complainant arrived at the data centre.
However, in relation to the obtaining and processing of the complainant’s biometric data, having reviewed the information provided by the data controller in the course of the investigation by this office, the Data Protection Commissioner found that the data controller had a legitimate interest under Section 2A(1)(d) of the Acts in implementing appropriate security procedures for the purposes of safeguarding the security of the data centre, in particular for the purposes of regulating and controlling access by third parties to the data centre. Given that the biometric data was used solely for the purposes of access at the data centre, was not transferred to any other party and was deleted in its entirety at the data subject’s request upon departing the data centre, the Data Protection Commissioner’s view was that this did not amount to potential prejudice which outweighed the legitimate interests of the data controller in protecting the integrity of the data centre and preventing unauthorised access to it. Accordingly, the Data Protection Commissioner concluded that the data controller had a legal basis for processing the complainant’s biometric data.
In relation to the retention of the complainant’s passport for the duration of their visit at the data centre, the Commissioner found that this did not give rise to any contravention of the Data Protection Acts 1988 and 2003, as the data controller had a legitimate interest in doing so and the limited processing of the complainant’s passport information (i.e. the retention of the passport itself) did not give rise to any disproportionate interference with the complainant’s fundamental rights.
Transparency is a key principle under data protection law, and the giving of notice of the processing of personal data to a data subject is a major element of demonstrating compliance with this principle. In particular, the central tenet that individuals whose data is collected and processed should not generally be “surprised” at the collection and processing, or at its scale or scope, should inform all aspects of a data controller’s data processing operations.
HSE West and a consultant ophthalmic surgeon breach the Acts
I received a complaint from a data subject about an alleged disclosure of personal information concerning his medical condition by a data controller. The data subject was involved in an insurance action with a third party in relation to an eye injury. The third party’s insurance company requested the data subject to attend a consultant ophthalmic surgeon for an assessment at his private surgery in Limerick. The consultant was also a consultant ophthalmic surgeon at the Mid-Western Regional Hospital in Limerick. The data subject had previously attended another consultant ophthalmic surgeon at the Mid-Western Regional Hospital as a public patient in relation to his eye injury.
The complaint was twofold. The first aspect related to the alleged release of the data subject’s hospital chart by the Mid-Western Regional Hospital to the consultant ophthalmic surgeon acting on behalf of the insurance company in his private practice. It was alleged that this took place without the data subject’s consent. The second aspect of the complaint related to the alleged unfair obtaining of the data subject’s hospital chart by the consultant ophthalmic surgeon.
The first point to be borne in mind in relation to this case was that the personal data in question, being medical records of the data subject, constituted ‘sensitive personal data’ as defined in the Acts. The central issue to be considered in this case, from a data protection point of view, was whether the HSE West, Mid-Western Regional Hospital complied in full with its obligations under the Acts.
Section 2 of the Acts deals with the collection, processing, keeping, use and disclosure of personal data. I was satisfied that no data protection issues arose in relation to sections 2(1)(a), (b), (c)(i), (c)(iii) or (c)(iv) of the Acts in relation to the Mid-Western Regional Hospital’s collection, processing, keeping and use of the data subject’s sensitive personal data. However, the disclosure of the data subject’s medical chart to the consultant ophthalmic surgeon had to be considered in the context of section 2(1)(c)(ii) of the Acts. This section provides that personal data should not be further processed in a manner incompatible with the purpose for which it was collected. It was clear from my Office’s investigation that the consultant ophthalmic surgeon’s secretary at his private rooms contacted his secretary at the Mid-Western Regional Hospital to locate the data subject’s medical records relating to his eye condition. Following this contact, the secretary based at the hospital located the record and disclosed it to the consultant surgeon’s private surgery.
In assessing this issue from a data protection perspective, a clear distinction must be drawn between the consultant surgeon’s work within the HSE West, Mid-Western Regional Hospital as an employee of that hospital and his work carried out privately on behalf of an insurance company. The hospital’s disclosure of the medical records to the private rooms of the consultant surgeon undoubtedly involved the disclosure of those records from one data controller (the HSE West, Mid-Western Regional Hospital) to another (the consultant surgeon’s private surgery). It could not be regarded as information sharing within a single data controller because the consultant surgeon sought the data subject’s medical record from the hospital in his capacity as a separate data controller. In this instance he was not acting in his capacity as an employee of the HSE.
The medical record at the Mid-Western Regional Hospital in respect of the data subject was compiled in the course of his treatment for an eye condition. This was a specific, explicit and legitimate purpose. Any further use or disclosure of that medical record must be necessary for that purpose or compatible with the purpose for which the hospital collected and kept the data. The consultant surgeon was a separate data controller who sought this data for the purposes of an assessment of the data subject’s eye condition on behalf of an insurance company to facilitate their processing of an insurance claim. The processing of an insurance claim related to the data subject’s eye injury represented an entirely different purpose to the treatment of the data subject for an eye condition at the Mid-Western Regional Hospital.
There was also an obligation to meet the conditions set out in Section 2A of the Acts. These conditions included obtaining the consent of the data subject or deeming that the processing of the data was necessary for one of the following reasons:
· the performance of a contract to which the data subject is a party;
· in order to take steps at the request of the data subject prior to entering into a contract;
· compliance with a legal obligation, other than that imposed by contract;
· to prevent injury or other damage to the health of the data subject;
· to prevent serious loss or damage to property of the data subject;
· to protect the vital interests of the data subject where the seeking of the consent of the data subject is likely to result in those interests being damaged;
· for the administration of justice;
· for the performance of a function conferred on a person by or under an enactment;
· for the performance of a function of the Government or a Minister of the Government;
· for the performance of any other function of a public nature performed in the public interest; or
· for the purpose of the legitimate interests pursued by a data controller except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject.
In this case, the data subject did not give his consent to the Mid-Western Regional Hospital for the processing of his personal data involving the disclosure of his medical record to the consultant surgeon. In the absence of consent, the data controller must be able to meet at least one of the eleven conditions set out above. In this instance, the hospital did not meet any of those conditions.
To process sensitive personal data, in addition to complying with Sections 2 and 2A of the Acts, at least one of a number of additional special conditions set out in Section 2B(1) of the Acts must be satisfied:
– the data subject must give explicit consent to the processing or
– the processing must be necessary for one of the following reasons:
· for the purpose of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment;
· to prevent injury or other damage to the health of the data subject or another person, or serious loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or of another person in a case where consent cannot be given or the data controller cannot reasonably be expected to obtain such consent;
· it is carried out by a not-for-profit organisation in respect of its members or other persons in regular contact with the organisation;
· the information being processed has been made public as a result of steps deliberately taken by the data subject;
· for the administration of justice;
· for the performance of a function conferred on a person by or under an enactment;
· for the performance of a function of the Government or a Minister of the Government;
· for the purpose of obtaining legal advice, or in connection with legal proceedings, or for the purposes of establishing, exercising or defending legal rights;
· for medical purposes;
· for the purposes of political parties or candidates for election in the context of an election;
· for the assessment or payment of a tax liability; or
· in relation to the administration of a Social Welfare scheme.
As stated previously, the consent of the data subject, explicit or otherwise, was not obtained by the data controller for the processing of his personal data involving its disclosure by the Mid-Western Regional Hospital to the consultant surgeon. There are twelve conditions set out above, at least one of which must be met by a data controller in the absence of explicit consent before sensitive personal data can be processed. In this instance, the Mid-Western Regional Hospital did not meet any of those conditions.
I formed the opinion that the HSE West, Mid-Western Regional Hospital contravened Section 2(1)(c)(ii), Section 2A(1) and Section 2B(1)(b) of the Acts by processing the data subject’s sensitive personal data in a manner which was incompatible with the purpose for which it was obtained. This processing occurred when the consultant surgeon’s secretary at the Mid-Western Regional Hospital disclosed the data subject’s hospital medical file to his private practice secretary. In response to this incident the HSE West put in place improved controls for ensuring that requests for access to hospital files are justified and fully in line with the purpose for which health data is held. I welcome this.
I also considered whether the consultant surgeon had breached the requirements of the Acts by obtaining and using the file created in the Mid-Western Regional Hospital.
In light of my previous decision which found a number of contraventions of the Acts by the HSE West, it followed that the consultant surgeon unfairly obtained the data subject’s hospital file. However, it was also clear that this was done unintentionally and in good faith.
I accept that the lines can be blurred in some instances in the health sector between treatment provided by the public system and treatment provided by the private system (especially here in Ireland due to the public/private sector split). This can give rise to complexity in terms of data protection responsibilities as patient information flows between the public and private systems. However, no such complexity arises in relation to the transfer of personal data that is not related to the treatment of a patient (in this particular instance carried out on behalf of an insurance company). Organisations entrusted with personal data, and especially those holding sensitive personal data such as health information, have onerous responsibilities under the Data Protection Acts. These responsibilities reflect the position of trust afforded to such data controllers when they are given our personal data.
Data Controller breaches several provisions in its processing of Sensitive Personal Data
I received a complaint in May 2006 from a data subject regarding the use by her former employer, Baxter Healthcare S.A., of two medical reports relating to her. The data subject had been involved in an industrial accident at work in April 2002 which subsequently resulted in a prolonged absence from the workplace. During this absence, the data subject pursued a personal injuries claim against Baxter Healthcare. As part of this process, at the request of the solicitor acting on behalf of Baxter Healthcare’s insurers, she attended a consultant neurologist on two occasions for medical evaluation in 2003 and 2004. Early in 2005, the data subject became aware that the medical reports compiled as a result of those evaluations were in the possession of Baxter Healthcare. Through her solicitor, the data subject made an access request to Baxter Healthcare for copies of the medical reports. She was advised in writing that, as these reports were obtained in the context of her personal injury proceedings, her access request should be addressed to the solicitors, P. O’Connor & Son, acting for the insurers. Shortly afterwards, the data subject’s contract of employment was terminated. The decision by Baxter Healthcare to terminate the employment was stated to be on the basis of the medical evidence available to the company, including the medical reports compiled in 2003 and 2004 in the context of the data subject’s personal injury claim. Following her dismissal, the data subject brought a claim to the Labour Relations Commission against Baxter Healthcare under the Unfair Dismissals Acts 1977 to 2001. A hearing in relation to this case took place in April 2006 and the data subject alleged that, in the course of the hearing, copies of the medical reports were furnished by Baxter Healthcare to herself, to the Rights Commissioner and to all present. These medical reports had not previously been provided to her in response to her access request.
My Office conducted a detailed and extensive investigation of this complaint. This focused on two primary data protection issues, namely the use of the medical reports obtained to defend an insurance claim to support the dismissal of the data subject, and the disclosure of those same medical reports at a labour relations hearing. The company’s solicitor stated that the medical reports of the consultant neurologist were obtained for the legitimate purpose of defending personal injury proceedings instituted by the data subject and that the medical reports were also employed and required for the legitimate purpose of defending separate legal proceedings against Baxter Healthcare under the Unfair Dismissals Acts 1977 to 2001. It submitted that Section 2(1)(c)(i) of the Acts specifically envisages that the data may be obtained and used for more than one purpose, provided that both purposes are legitimate. It went on to state that Section 2(1)(c)(ii) of the Acts only prohibits further processing insofar as that processing is incompatible with the original purpose or purposes. It argued that the use of the reports to defend legal proceedings against Baxter Healthcare under the Unfair Dismissals Acts could not be said to be incompatible with the original purpose, as the original purpose was to defend legal proceedings instituted by the data subject and the subsequent use was also to defend legal proceedings, albeit separate proceedings, by the data subject.
The data subject sought a decision on her complaint under Section 10(1)(b)(ii) of the Acts in June 2007. In my analysis of the data protection issues arising from this complaint, I found that the medical reports in question constituted ‘sensitive personal data’ within the meaning of the Acts. The medical reports were commissioned on behalf of Baxter Healthcare’s insurers, by its solicitors, for the purpose of the defence of the High Court personal injury claim instituted by the data subject. The reports were, however, used for three purposes:
They were used for the purpose for which they were generated in the first place, i.e. for the defence by Baxter Healthcare’s insurers of the High Court personal injury claim instituted by the data subject.
They were used in the decision taken by Baxter Healthcare to terminate the employment of the data subject.
They were used to defend legal proceedings taken by the data subject against Baxter Healthcare under the Unfair Dismissals Acts at a hearing in April 2006.
No data protection issue arose in relation to the first use of the medical reports by Baxter Healthcare’s insurers in the context of its defence of the personal injury claim brought by the data subject.
With regard to the second use by Baxter Healthcare of the medical reports in the decision to terminate the data subject’s employment, this was done without the data subject’s consent. The general requirements that must be complied with by a data controller under the Acts in relation to the personal data of a data subject include the following:
the data shall have been obtained only for one or more specified, explicit and legitimate purposes
the data shall not be further processed in a manner incompatible with that purpose or those purposes
the data subject is informed of the purpose or purposes for which the data are intended to be processed
The consent of the data subject is the default position, as it were, for the fair processing and obtaining of personal data. Where it is absent, the data controller may not process personal data unless it can find another basis in the Acts. The Acts provide for the following exemptions which were potentially applicable in the present case:
the processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject (Section 2A (1)(d));
and (because sensitive data is involved)
the processing is required for the purpose of obtaining legal advice or for the purposes of, or in connection with, legal proceedings or prospective legal proceedings or is otherwise necessary for the purpose of establishing, exercising or defending legal rights (Section 2B(b)(vii)).
All of these conditions must be met.
In my analysis of this complaint, I considered that the purpose for which the medical reports were originally obtained (the defence by Baxter’s insurers of the High Court personal injury claim instituted by the data subject) was not compatible with their further use to support the data controller’s decision to dismiss the data subject. I considered that, in the absence of the data subject’s consent, this processing of the data subject’s sensitive personal data constituted a breach of the Acts.
With regard to the third use by Baxter Healthcare of the medical reports to defend legal proceedings under the Unfair Dismissals Acts, the same considerations arose in relation to the further use of the sensitive personal data at a hearing before a Rights Commissioner in April 2006, with the aggravating factor that the sensitive personal data was further disclosed to those involved in the hearing.
However, I had to consider if the processing of personal data in this case might benefit from the exemption in Section 8(f) of the Acts which provides that: “Any restrictions in this Act on the processing of personal data do not apply if the processing is …required…for the purposes of, or in the course of, legal proceedings in which the person making the disclosure is a party or a witness.”
I formed the opinion that this exemption cannot apply to sensitive personal data which has already been improperly processed to support the decision (dismissal) which was the subject matter of the legal process. I concluded that the use of the medical records to defend the Unfair Dismissals claim constituted a further breach of the Acts.
For completeness, my Decision in this case also found that Baxter had failed to comply fully with an access request made by the data subject.
This case demonstrates the care which data controllers must exercise in the processing of all personal data, including sensitive personal data, in their possession. It is unacceptable for a data controller to seek to take advantage of personal data which may be in its possession and to use it for some purpose unrelated to the purpose for which it was originally obtained.