BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?
No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!

This Office received a complaint from a solicitor acting on behalf of a data subject concerning the alleged further processing of the complainant’s personal data contained in medical records held by her General Practitioner (GP). It was alleged that medical records relating to the complainant were released to an insurance company by her GP, following a request made to the GP. The complaint stated that the GP had received a request from an insurance company seeking the complainant's medical records relating to a knee injury she had suffered. It was alleged that, in replying to this request, the GP not only released data relevant to the knee injury, but he also disclosed other sensitive medical information - including cervical smear test results, a colposcopy, correspondence regarding lesions and records relating to Carpel Tunnel Syndrome, none of which were related to the knee injury.

 

We wrote to the GP and we asked that he provide an explanation as to what had occurred in this case. He responded stating that an insurance company had requested relevant information with respect to the patient concerned and her knee injury. He informed us that the request received stated that it 'required copies of clinical consultations / surgery notes, investigations and associated results, treatments, referrals, outpatient appointments and repeat prescriptions from 18.2.2009 to the present date'. He stated that, inadvertently, copies of the patient’s records were supplied to the insurance company with some details which were not relevant to her knee injury and that this was obviously an oversight. He stated that he was deeply sorry that he had caused any distress or upset to his patient whom he had known for thirty five years. The GP stated that the complainant knew that he always endeavoured to keep a high standard in the practice and that she should understand his disappointment that the system used in releasing this information fell below the standard expected by the complainant and himself. He further stated that he hoped that she would accept his unreserved apology for the inadvertent disclosure of her records to the insurance company and that he completely understood how upset and disappointed she must be. He said that since this unpleasant and unfortunate error he had overhauled his practice procedures.

 

We wrote to the solicitor for the complainant outlining the GP's response and also conveying the GP's apologies. We stated that this Office's approach to complaints is to try to seek an amicable resolution to the matter which is the subject of the complaint and we asked if his client would like to try to reach an amicable resolution of the complaint. They responded stating that their client wished for a formal decision of the Commissioner on the matter.

 

In considering this case, the key issue from a data protection perspective was the issue of consent. It was noted from the material provided that the complainant had completed and signed an insurance claim form which contained the following consent clause: "I authorise Financial Insurance Company Limited (the Underwriters) to make any enquiries and get any information they consider relevant from my doctor, employers or elsewhere. I understand that I must provide evidence to Financial Insurance Company Limited to prove my claim." On the same claim form, the complainant supplied details of her accident and explained, as follows, why it prevented her from working: "Left knee injury. Tore Ligaments. Recovery Time Unknown. Waiting for Knee Surgery. On Waiting List."

 

The insurance company concerned had sought the complainant's medical records, supplied the relevant consent form and used the following terms in its request to the GP: "Can you please provide us with copies of the claimant's medical records relevant to this claim. This includes all records relating to the medical conditions and associated symptoms which are the subject of this claim."

 

It was clear from the insurance company’s request for medical records that it sought medical records relevant to the claim only. As the claim related to the complainant’s knee injury, the medical records sought related to that injury and the request did not extend beyond that. Equally, the complainant’s consent authorised the insurance company to make enquiries and to get any information considered relevant from her doctor and others. The consent was clearly limited to relevant information and it could not be interpreted as extending to all medical records held by the GP.

 

This Office issued a decision on this complaint which stated that the Commissioner was of the opinion, following the investigation of this complaint, that Section 2(1)(c)(ii)of the Data Protection Acts, 1988 & 2003 had been contravened by the GP by the further processing of the complainant's sensitive personal data in the form of medical records unrelated to her knee injury. The contravention occurred when the GP, in responding to a request from an insurance company, disclosed to that insurance company certain medical records of the complainant without her consent.