Font Size

Access to Medical Reports

 By

Lawdit Solicitors - Expert Author

Legal Articles
Submit Articles   Back to Articles

Released 21 August 2008

If you are refused access to a medical report. You will apply to a court under section 7(9) of the Data Protection Act 1998 for access to the report.

The right to data

Section 7 of the Data Protection Act 1998 ("the 1998 Act") confers on individuals a right of access to personal data. In outline the section reads:

"(1) Subject to the following provisions of this section and to sections 8 and 9, an individual is entitled

(c) to have communicated to him in an intelligible form

(i) the information constituting any personal data of which that individual is the data subject "

Personal data is defined in section 1 of the 1998 Act as: data

"which relates to a living individual who can be identified

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual "

The right derives from Directive 95/46/EC, [1995] OJ L281/31 ("the Data Protection Directive") to which, under ordinary principles, regard must be had when interpreting the relevant United Kingdom legislation. By Article 12(a) of the Directive, the rights available under it are to be available to individuals without constraint, at reasonable intervals and without excessive delay or expense. That is reinforced by the preamble to the Directive, to which reference can be made again under general principles. Recital 41 of the preamble refers to any person being able "to exercise the right of access to data relating to him which are being processed, in order to verify in particular the accuracy of the data and the lawfulness of the processing."

Neither in the Act nor in the Directive is there a requirement upon a data subject to provide a reason for wishing to make a request for access to data. By section 27(5) of the Act, the subject access rights contained in the Act have effect notwithstanding any legislative provision or rule of law prohibiting or restricting the disclosure, or authorising the withholding of information. This is in contrast to the provision at section 44 of the Freedom of Information Act 2000, which provides that information is exempt information if its disclosure by the public authority holding it is prohibited by or under any enactment. This has the effect that the sole means available to a data controller to restrict the subject access rights provided for in the 1998 Act is by recourse to the specific exemptions provided for in the Act.

But there are exceptions

The exceptions

Article 13 of the Data Protection Directive authorises member States to adopt legislative measures to restrict the scope of the obligations and rights provided for

"when such a restriction constitutes a necessary measure to safeguard:

(a) national security;

(b) defence;

(c) public security;

(d) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions;

(e) an important economic or financial interest of a Member State or of the European Union, including monetary, budgetary and taxation matters;

(f) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (c), (d) and (e);

(g) the protection of the data subject or of the rights and freedoms of others."

Recitals 42 and 43 of the Directive read:

"(42) Whereas Member States may, in the interest of the data subject or so as to protect the rights and freedoms of others, restrict rights of access and information; whereas they may, for example, specify that access to medical data may be obtained only through a health professional;

(43) Whereas restrictions on the rights of access and information and on certain obligations of the controller may similarly be imposed by Member States in so far as they are necessary to safeguard, for example, national security, defence, public safety, or important economic or financial interests of a Member State or the Union, as well as criminal investigations and prosecutions and action in respect of breaches of ethics in the regulated professions; whereas the list of exceptions and limitations should include the tasks of monitoring, inspection or regulation necessary in the three last-mentioned areas concerning public security, economic or financial interests and crime prevention; whereas the listing of tasks in these three areas does not affect the legitimacy of exceptions or restrictions for reasons of State security or defence "

Reflecting these provisions, there are exemptions from disclosure as set out at Part IV of the 1998 Act as well as in Orders made by the Secretary of State pursuant to specific provisions of Part IV. In particular section 30 empowers the Secretary of State to exempt from the "subject information provisions", defined in section 27 as including section 7 of the Act, personal data relating to health. Unlike the exemptions provided for under the Freedom of Information Act 2000, there is no distinction between "absolute" and "qualified" exemptions under the 1998 Act. In other words, data are either exempt or they are not.

One of the exemptions to section 7 disclosure is provided for by Article 5 of the Data Protection (Subject Access Modification) (Health) Order 2000, SI 2000 No 413 ("the Health Order"). That order applies to personal data consisting of information as to the physical or mental health or condition of the data subject (paragraph 3). Paragraph 5 of the Order reads:

"(1) Personal data to which this Order applies are exempt from section 7 in any case to the extent to which the application of that section would be likely to cause serious harm to the physical or mental health or condition of the data subject or any other person."

Paragraph 5(2) goes on to provide that a data controller who is not a health professional shall not withhold information constituting data to which the Order applies under the exemption unless the data controller has first consulted the person who appears to be the appropriate health professional. That health professional must be asked whether or not the exemption in paragraph (1) applies with respect to the information. In general terms the "appropriate health professional" is the health professional who is currently or was most recently responsible for the clinical care of the data subject in connection with the matters to which the information sought relates. Where there is more than one such health professional, that person is the health professional who is the most suitable to advise on the matters to which the information sought relates.

Michael Coyle is a solicitor advocate who specialises in information technology law and intellectual property law.


About the Author

Lawdit Solicitors offer services and advice for litigation, commercial contracts, Intellectual Property and IT legal agreements. We are experts in commercial law with a heavy emphasis on Intellectual Property, Internet and e-commerce law. Lawdit is a member of the International Trademark Association, the Solicitors' Association of Higher Court Advocates and we are the appointed Solicitors to the largest webdesign association in the world, the United Kingdom Website Designers Association.



Follow us @Scopulus_News

Article Published/Sorted/Amended on Scopulus 2008-09-15 21:00:33 in Legal Articles

All Articles

Copyright © 2004-2021 Scopulus Limited. All rights reserved.