Data Protection Commissioner

[text version]

CASE STUDY 1/97

Hospital patient's data disclosed for research – data not obtained fairly for this purpose

The complainant attended the accident and emergency department of a public hospital. A few months later, she was contacted by an organisation carrying out research. The researchers knew when she had attended the hospital and why, and they asked her to answer some questions.

The complainant objected to the fact that the hospital had told the researchers about her visit. She took this up herself with the hospital, but was not happy with the response and she complained to me. She said she had not been informed, when she attended the hospital, that her personal data would be used in this way.

I identified the data protection issue in this case as one of fair obtaining. Section 2(1)(a) provides that "data or, as the case may be, the information constituting the data shall have been obtained ? fairly". I set out to establish whether, and if so in what way, the complainant's personal information had been fairly obtained for the purpose of the research. I sought the hospital's observations.

The hospital was in fact aware of its obligations under the Data Protection Act, but it contended that it had met these in two ways. First of all, it had listed "personnel engaged in medical research" as disclosees in its entry in the Public Register of Data Controllers which is maintained by my Office. Secondly, it had sought to make patients aware of the research project by putting a notice in the waiting area of the accident and emergency department. This notice told patients that the hospital intended to disclose their information to the researchers, and invited them to let the receptionist know if they objected.

I was unable to accept the hospital's arguments. Its contention about the effects of registration with my Office raised an important issue which I discuss in more detail in Part 3 of this Report (page 36). A data controller who must register with my Office under section 16 of the Act is legally obliged to provide details of the uses and disclosures of data. However this is a separate obligation from that of obtaining data fairly. I am of the opinion that for personal data to be fairly obtained, a data controller must make the data subject aware, directly and at the time his or her data are being obtained, of how such data may be used and to whom they may be disclosed, in order to get the person's informed consent to the uses and disclosures described.

The hospital's second argument related to the notice which it had placed in the waiting area. In my view, the issue to be decided was whether this was an adequate way of informing patients that their information would be disclosed to the researchers. In different circumstances, it might have been. In this case, however, account ought to have been taken of the particular environment in which patients' data were obtained. Many patients presenting themselves at the casualty department of a hospital may be expected to be in a state of some anxiety or discomfort. Consequently, they may not be expected to be alert to matters not relating directly to their condition. In such circumstances there is a special need for the data controller to satisfy itself that any uses of the data which are unlikely to be anticipated by the data subject are fully explained. For this reason, I took the view that the intention to disclose should have been brought to the specific attention of the complainant before data relating to her were obtained. This was essential to ensure that she was in a position to make an informed choice whether or not to furnish her information for such a purpose.

I upheld this complaint on the grounds that the measures taken by the hospital did not adequately fulfil its obligation of fair obtaining under section 2(1)(a).






» Permanent Link