What happens when you receive a Data Subject Access Request (DSAR) but complying with it would mean releasing someone else’s data? Tricky, right? Your instinctive reaction might be to think that it means meeting the DSAR is out of the question because it compromises another person’s data (or possibly more than one person).
But that would mean denying the applicant their right to see their data; so you might feel you’re in the wrong whichever way you go.
Thankfully, a recent legal case has provided clarity on these cases that involve data for more than one person (known as “mixed data” cases).
The case was originally heard in 2016 but was referred back to the Court of Appeal, who in July 2018 gave its judgment.
To summarise the case, a GP (Dr B) was investigated by the General Medical Council (GMC) regarding his work on the care of a patient (P), who was diagnosed with bladder cancer. P and his solicitors argued that Dr B should have spotted the cancer a year or so earlier than he, in fact, did.
The GMC commissioned an independent expert to produce a report on Dr B’s work. The report was critical and concluded that Dr B’s care “fell below” the expected standard of care, though “not seriously below”. The GMC concluded that no further action should be taken, and advised P and his solicitors to that effect.
This is where it gets tricky. P made a DSAR to the GMC to see the full report, and the GMC was minded to comply. Dr B, however, objected, and applied for an injunction to stop disclosure. The injunction was granted, and some commentators were relieved as they saw it as limiting disclosure requirements on data controllers.
The GMC applied to the Court of Appeal to overturn the injunction, and it was successful this month.
Kathryn Kerr of international law firm Allen & Overy picks out the salient points of the judgment for data controllers.
When faced with a DSAR involving mixed data, the data controller must carry out a balance of interests judgment. The Court of Appeal held that in such cases, you as data controller are the “primary decision-maker”, says Kerr: “You have broad discretion when assessing the balance, which factors are relevant, and the weight you give to them.”
If another employee objects to his or her data being disclosed, says Kerr, of course that must be taken into account but it does not trump the other party’s right to disclosure. It’s only if and when you cannot see any difference in the competing interests of the parties, where the interests are “evenly balanced”, that you have a “tie-break”, she says.
In that case, you should apply a “tie-break presumption” in favour of withholding the data, Kerr concedes. But agreeing with the Court of Appeal’s ruling, she says that the GMC “justifiably concluded that the patient’s interests outweighed the doctor’s interests in resisting disclosure”, so the grounds for the “tie-break presumption” did not arise.
Expect to see more of these cases as DSARs become more common; as data controller, you might find yourself needing to show the wisdom of Solomon in weighing competing claims.