Although the decision considered the requirements of the Data Protection Act 1998 (DPA), which has now been replaced by the General Data Protection Regulation and the Data Protection Act 2018, it gives data controllers some helpful guidance on how to deal with requests for information containing mixed personal data, and that guidance should still be relevant under the GDPR and DPA 2018.
Dr B was a GP. One of his patients, P, was diagnosed with bladder cancer. P subsequently complained to the GMC about Dr B, alleging that a failure by Dr B to deal with him competently led to an avoidable delay of about one year in P's diagnosis.
The GMC commissioned a fitness to practise investigation by an independent expert GP. The resulting investigation report, which was sent to Dr B, found that Dr B's care fell "below" but not "seriously below" the standard of care expected. It was decided that no further action would be taken, and the GMC wrote to both Dr B and P to confirm the decision. A summary of the report (but not the report itself) was included in that letter. P's solicitors subsequently requested, amongst other things, a copy of the full report and this was treated as a subject access request under the DPA.
The difficulty for the GMC was that the personal data of P was mixed with information about Dr B. When this happens the information is only disclosable if the other person (here Dr B) consents or it is reasonable in all of the circumstances to disclose without their consent. The determination of what is reasonable involves balancing the right of the requester to receive their personal data against the rights of the other individual. The GMC therefore asked Dr B to consent to the disclosure of the full report to P. Dr B refused.
The GMC ultimately decided to disclose the report without Dr B's consent, considering this to be reasonable. Dr B sought an injunction in the High Court to prevent the GMC from doing this. The High Court granted the injunction and ruled that in mixed personal data cases, there was a presumption against disclosure. This decision was then appealed by the GMC.
The Court of Appeal heard the appeal and found that the GMC's decision to disclose the report was lawful, and the appeal was therefore successful by a majority.
Amongst other things, the Court determined that in "mixed data" cases, there is only a presumption in favour of withholding the personal data if the interests of the requester and the other person are equally balanced when carrying out the balancing exercise. The High Court was incorrect to find that the starting point is a presumption in favour of withholding the information.
The Court also ruled that data controllers have a wide margin of discretion when carrying out the balancing exercise.
Even though the DPA has been superseded, the new law also contains a provision which requires a balancing exercise to be carried out if the other individual does not consent to the disclosure. This case does therefore provide some helpful guidance on how to deal with requests for mixed data.
That being said, health professionals should be aware of a new provision under the Data Protection Act 2018 which concerns health records and mixed data. Where the information in question is contained in a health record and the other individual is a health professional who has compiled or contributed to the health record, or has been involved in the diagnosis, care or treatment of the data subject, it is to be considered reasonable to disclose their information without their consent.