Consultant surgeon in breach of Data Protection Act
After consulting and being operated on by a consultant surgeon, a female patient indicated her desire to consult another medical professional and requested access to the medical records drawn up by her original physician. Although the hospital records of the establishment where she was operated on were made available, the surgeon did not provide access to the records or notes which he had prepared himself.
The patient filed a complaint with the Medical Council, where, among other things, she requested access to the surgeon's records about her. The Medical Council declined to inquire into the matter, and did not indicate whether this course of action was taken because the matter was considered to be of a trivial nature.
Subsequently, the patient filed a complaint with the Office of Data Protection where she contended that, by failing to provide access to her medical records, the surgeon had effectively breached Section 26 of the Data Protection Act.
This states that a data controller should implement appropriate technical and organisational measures to protect the personal data that is processed against accidental destruction or loss or unlawful forms of processing. In the same act, a data controller is defined as a person who determines the purpose and means of the processing of personal data, and processing is taken to include recording, use, erasure and destruction of information.
A doctor who takes down medical information thus falls within the parameters of the definition of a data controller and is obliged to abide by the requirements of the Data Protection Act. During the course of proceedings, the surgeon in question stated in a written submission that he could not find the card pertaining to this particular patient and was therefore not in a position to provide her with access to it.
On the strength of these findings the Data Protection Commissioner concluded that the surgeon had admitted to having been in possession of data relating to the complainant and therefore was a data controller in relation to the information held about her. The loss or misplacement of the card containing the relevant patient information was due to the absence of appropriate technical or organisational measures required by law. Consequently, it was concluded that the surgeon had breached Section 26 (1) of the Data Protection Act for failing to provide an adequate level of security.
The Data Protection Commissioner is empowered by law to impose administrative fines if adequate security measures are not put into effect. In this particular case, no rectification or fines were imposed, and the form of sanctions imposed, if any, is unclear.