Skip to main content

To disclose or not to disclose – the balancing of privacy rights




This particular question was considered in a recent UK case, Dr DB v. General Medical Council [2016] EWHC 2331 (QB).

Dr DB, a medical practitioner, issued proceedings against the UK General Medical Council (the “GMC”) for an order preventing the GMC from disclosing to his former patient (“P”), pursuant to a data access request, an independent expert report (the “Report”). The Report was obtained by the GMC for the purpose of investigating P's complaint concerning Dr DB’s professional competence.

Following a complaint by P against Dr DB in 2013, the GMC commenced an investigation of Dr DB's fitness to practise in accordance with its regulatory functions and procedures. For that purpose it instructed an independent expert to review the matter and prepare an opinion. The Report concluded that the care provided by Dr DB had fallen below “but not seriously below” the expected standard. The GMC concluded that the complaint required no further action and both parties were informed of the decision. Dr DB was sent a copy of the Report and P was sent a one page summary of the Report.

Request for disclosure

P's application for the Report was treated as a data access request under the UK’s equivalent of Section 4 of the Data Protection Acts 1988-2003 in this jurisdiction.

The purpose of the request was to use the Report and its information for intended clinical negligence litigation against Dr DB.

Submissions by Dr DB

The GMC invited Dr DB's views on the request for disclosure given that the Report concerned him as well as P. Dr DB submitted as follows:-

  1. He did not consent to the disclosure of the Report.
  2. The Report did not constitute the sole personal data of P.
  3. The request was being used as a vehicle for disclosure with a view to litigation or further complaint, contrary to certain observations made in Durant v FSA [2003] EWCA Civ 1747 wherein it was noted that there was a rebuttable presumption against disclosure in the absence of consent.
  4. He objected to disclosure of the Report under section 35B(2) of the Medical Act 1983 which empowers the GMC, if they consider it in the public interest to do so, to publish or disclose information which relates to a practitioner's fitness to practise.
Decision of the GMC

The GMC listed 7 non-exhaustive factors that were taken into account in the decision to disclose the Report:

  1. The Report contained P's sensitive personal data relating to his medical records and the complaint as to his health.
  2. The Report contained favourable/unfavourable conclusions on Dr DB's standard of care in treating P.
  3. The Report was prepared by an independent expert and therefore both parties should have sight of it.
  4. The GMC had a legitimate interest in ensuring fairness and transparency in its procedures.
  5. P had a legitimate interest in seeing the document which heavily influenced the final decision regarding his complaint
  6. There was minimal risk to Dr DB's reputation, as his treatment is considered to be of a reasonable standard.
  7. There was no evidence to suggest that P would 'misuse' the data in the Report.

The GMC, in deciding to disclose the Report to P, concluded as follows:-

  1. That the Report contained the joint personal data of P and Dr DB and that, in accordance with Article 8 and s.7 (4)-(6) of the UK Data Protection Act 1998, the privacy rights and freedoms of both P and Dr DB had to be balanced.

Dr DB, in response, pointed to his 25 years of unblemished practice, the possibility of online misuse of the Report, the lack of his own comment in response to the conclusions, and his expectation that once the GMC had decided not to bring fitness to practise proceedings the Report would be kept confidential.

The Judge’s conclusion

The Judge concluded that the GMC’s balancing exercise fell into error and got the balance wrong, for the following reasons:-

  1. In the absence of consent, the GMC should have started with a presumption against disclosure.
  2. The GMC gave no adequate weight to Dr DB’s status as a data subject or the privacy right which he had in relation to the Report. Whilst containing the (sensitive) personal data of P, the Report’s real focus is on Dr DB’s professional competence.
  3. The GMC’s decision took no adequate account of Dr DB's express refusal of consent.
  4. The decision took no adequate account of the fact that the purpose of the request was to use the Report and its information in the intended litigation against Dr DB. The significance of this factor was two-fold. First, the information was not being sought to protect P's privacy by ensuring the accuracy of the personal data, Secondly, in obtaining the Report by this route meant the Dr DB would be deprived of the protection provided by the UK’s ordinary civil procedure rules for disclosure. That route provides both a less restrictive interference with the GP’s privacy right and the appropriate procedure for the GP’s real purpose in seeking the document.

The Court found for Dr DB and deemed the GMC’s decision to disclose the Report to P as unlawful.

Guidance for mixed data cases

The Judge gave the following useful guidance, while highlighting that each data access request must be considered on its merits:-

  1. It is essential to keep in mind that the exercise involves a balance between the respective privacy rights of data subjects.
  2. In the absence of consent, the rebuttable presumption or starting point is against disclousre. Furthermore the express refusal of consent is a specific factor to be taken into account.
  3. If it appears that the sole or dominant purpose is to obtain a document for the purpose of a claim against the other data subject, which is a weighty factor in favour of refusal, the more appropriate forum is the Court procedure under Civil Procedure Rules Part 31 (Disclosure and Inspection of Documents).
Although decisions of the High Court of England and Wales are only of persuasive authority here, this case is instructive in terms of the challenge for regulators in balancing the privacy rights of data subjects following receipt of a data access request. Full details of the case can be found here.