Irish Data Protection Commission Case Studies
URL: http://www.bailii.org/ie/cases/IEDPC/2008/1.html
Cite as: [2008] IEDPC 1
H.W. and a consultant ophthalmic surgeon breach the Acts [2008] IEDPC 1 (4 March 2008)
I received a complaint from a data subject about an alleged disclosure of personal information concerning his medical condition by a data controller. The data subject was involved in an insurance action with a third party in relation to an eye injury. The third party's insurance company requested the data subject to attend a consultant ophthalmic surgeon for an assessment at his private surgery in L.. The consultant was also a consultant ophthalmic surgeon at the X.N.H. in L.. The data subject had previously attended another consultant ophthalmic surgeon at the X.N.H. as a public patient in relation to his eye injury.
The complaint was twofold. The first aspect related to the alleged release of the data subject's hospital chart by the X.N.H. to the consultant ophthalmic surgeon acting on behalf of the insurance company in his private practice. It was alleged that this took place without the data subject's consent. The second aspect of the complaint related to the alleged unfair obtaining of the data subject's hospital chart by the consultant ophthalmic surgeon.
The first point to be borne in mind in relation to this case was that the personal data in question, being medical records of the data subject, constituted 'sensitive personal data' as defined in the Acts. The central issue to be considered in this case, from a data protection point of view, was whether the H.W., X.N.H. complied in full with its obligations under the Acts.
Section 2 of the Acts deals with the collection, processing, keeping, use and disclosure of personal data. I was satisfied that no data protection issues arose in relation to sections 2(1)(a), (b), (c)(i), (c)(iii) or (c)(iv) of the Acts in relation to the X.N.H.'s collection, processing, keeping and use of the data subject's sensitive personal data. However, the disclosure of the data subject's medical chart to the consultant ophthalmic surgeon had to be considered in the context of section 2(1)(c)(ii) of the Acts. This section provides that personal data should not be further processed in a manner incompatible with the purpose for which it was collected. It was clear from my Office's investigation that the consultant ophthalmic surgeon's secretary at his private rooms contacted his secretary at the X.N.H. to locate the data subject's medical records relating to his eye condition. Following this contact, the secretary based at the hospital located the record and disclosed it to the consultant surgeon's private surgery.
In assessing this issue from a data protection perspective, a clear distinction must be drawn between the consultant surgeon's work within the H.W., X.N.H. as an employee of that hospital and his work carried out privately on behalf of an insurance company. The hospital's disclosure of the medical records to the private rooms of the consultant surgeon undoubtedly involved the disclosure of those records from one data controller (the H.W., X.N.H.) to another (the consultant surgeon's private surgery). It could not be regarded as information sharing within a single data controller because the consultant surgeon sought the data subject's medical record from the hospital in his capacity as a separate data controller. In this instance he was not acting in his capacity as an employee of the H.W.
The medical record at the X.N.H. in respect of the data subject was compiled in the course of his treatment for an eye condition. This was a specific, explicit and legitimate purpose. Any further use or disclosure of that medical record must be necessary for that purpose or compatible with the purpose for which the hospital collected and kept the data. The consultant surgeon was a separate data controller who sought this data for the purposes of an assessment of the data subject's eye condition on behalf of an insurance company to facilitate their processing of an insurance claim. The processing of an insurance claim related to the data subject's eye injury represented an entirely different purpose to the treatment of the data subject for an eye condition at the X.N.H.
There was also an obligation to meet the conditions set out in Section 2A of the Acts. These conditions included obtaining the consent of the data subject or deeming that the processing of the data was necessary for one of the following reasons:
• the performance of a contract to which the data subject is a party;
• in order to take steps at the request of the data subject prior to entering into a contract;
• compliance with a legal obligation, other than that imposed by contract;
• to prevent injury or other damage to the health of the data subject;
• to prevent serious loss or damage to property of the data subject;
• to protect the vital interests of the data subject where the seeking of the consent of the data subject is likely to result in those interests being damaged;
• for the administration of justice;
• for the performance of a function conferred on a person by or under an enactment;
• for the performance of a function of the Government or a Minister of the Government;
• for the performance of any other function of a public nature performed in the public interest; or
• for the purpose of the legitimate interests pursued by a data controller except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject.
In this case, the data subject did not give his consent to the X.N.H. for the processing of his personal data involving the disclosure of his medical record to the consultant surgeon. In the absence of consent, the data controller must be able to meet at least one of the eleven conditions set out above. In this instance, the hospital did not meet any of those conditions.
To process sensitive personal data, in addition to complying with Sections 2 and 2A of the Acts, at least one of a number of additional special conditions set out in Section 2B(1) of the Acts must be satisfied:
- the data subject must give explicit consent to the processing or
- the processing must be necessary for one of the following reasons:
• for the purpose of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment;
• to prevent injury or other damage to the health of the data subject or another person, or serious loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or of another person in a case where consent cannot be given or the data controller cannot reasonably be expected to obtain such consent;
• it is carried out by a not-for-profit organisation in respect of its members or other persons in regular contact with the organisation;
• the information being processed has been made public as a result of steps deliberately taken by the data subject;
• for the administration of justice;
• for the performance of a function conferred on a person by or under an enactment;
• for the performance of a function of the Government or a Minister of the Government;
• for the purpose of obtaining legal advice, or in connection with legal proceedings, or for the purposes of establishing, exercising or defending legal rights;
• for medical purposes;
• for the purposes of political parties or candidates for election in the context of an election;
• for the assessment or payment of a tax liability; or
• in relation to the administration of a Social Welfare scheme.
As stated previously, the consent of the data subject, explicit or otherwise, was not obtained by the data controller for the processing of his personal data involving its disclosure by the X.N.H. to the consultant surgeon. There are twelve conditions set out above, at least one of which must be met by a data controller in the absence of explicit consent before sensitive personal data can be processed. In this instance, the X.N.H. did not meet any of those conditions.
I formed the opinion that the H.W., X.N.H. contravened Section 2(1)(c)(ii), Section 2A(1) and Section 2B(1)(b) of the Acts by processing the data subject's sensitive personal data in a manner which was incompatible with the purpose for which it was obtained. This processing occurred when the consultant surgeon's secretary at the X.N.H. disclosed the data subject's hospital medical file to his private practice secretary. In response to this incident the H.W. put in place improved controls for ensuring that requests for access to hospital files are justified and fully in line with the purpose for which health data is held. I welcome this.
I also considered whether the consultant surgeon had breached the requirements of the Acts by obtaining and using the file created in the X.N.H.
In light of my previous decision which found a number of contraventions of the Acts by the H.W., it followed that the consultant surgeon unfairly obtained the data subject's hospital file. However, it was also clear that this was done unintentionally and in good faith.
I accept that the lines can be blurred in some instances in the health sector between treatment provided by the public system and treatment provided by the private system (especially here in Ireland due to the public/private sector split). This can give rise to complexity in terms of data protection responsibilities as patient information flows between the public and private systems. However, no such complexity arises in relation to the transfer of personal data that is not related to the treatment of a patient (in this particular instance carried out on behalf of an insurance company). Organisations entrusted with personal data, and especially those holding sensitive personal data such as health information, have onerous responsibilities under the Data Protection Acts. These responsibilities reflect the position of trust afforded to such data controllers when they are given our personal data.