The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

Case Study 2 - Life assurance company and medical reports - access request denied

I received a complaint from a data subject who had not been given copies of medical reports, commissioned from independent specialists by a life assurance company in connection with her on-going income continuance claims – the Company had discontinued her claims on the basis that she was no longer fulfilling the definition of disability, as required under her policy.

In investigating this complaint, I reiterated that the Data Protection Acts give people a statutory right of access to their data, including their medical records, and that this right can only be limited or set aside in very specific and narrow circumstances.

The Company had cited the exemptions in section 5(1)(f) and 5(1)(g) as a basis for denying access to certain reports.

Section 5(1)(f) of the Acts provides that the right of access to personal data does not apply to personal data:

"(f) consisting of an estimate of, or kept for the purpose of estimating, the amount of liability of the data controller concerned on foot of a claim for the payment of a sum of money, whether in respect of damages or compensation, in any case in which the application of the section would be likely to prejudice the interests of the data controller in relation to the claim."

I considered that medical reports commissioned by a life assurance company are for the purpose of assessing a claim.  I found that the exemption in section 5(1)(f) permits a data controller, who puts on file an estimate of the amount of money that may be needed to meet a claim for compensation, to plead an exemption if the release of that estimate would be prejudicial.  The contents of the medical reports at issue in this case did not relate to estimating liability per se.  Rather, they related to whether or not there is a disability and opinions about capacity to work.  It was therefore my view that this exemption cannot be claimed in respect of medical reports.

The company also proposed to withhold other reports on the basis of legal privilege as provided in section 5(1)(g), as they believed that they would 'seriously prejudice (their) defence in any action'. Section 5(1)(g) provides that the right of access to personal data does not apply in respect of data:

"(g) in respect of which a claim of privilege could be maintained in a court in relation to communications between a client and his professional legal advisers or between those advisers."

In assessing whether privilege could be claimed, it is necessary to look at the purpose of the referral to the doctor and specifically whether it was in anticipation of legal proceedings or to obtain legal advice. My staff outlined to the Company that it is important when a life assurance company commissions a report that the claimant fully understands the purpose of the examination, e.g. the purpose being for the company to assess and to come to a decision on a claim. Whether the reports were commissioned in anticipation or furtherance of litigation, and thus attract privilege, falls to be determined on a case-by-case basis.

It was understood that the decision in this case might ultimately be challenged in court and the Company indicated that in their opinion there was a high likelihood of this. The exemption refers to a potential situation where 'a claim of privilege could be maintained in a court in relation to communications between a client and his professional legal advisers or between those advisers'.  In this case, my staff considered that it was conceivable that such a claim could be maintained in a court.  Therefore, it was held that certain medical reports specified by the company may be withheld pursuant to section 5(1)(g) pending any court proceedings.

This case shows how a data subject's right of access to personal data must be balanced with the legitimate interests of a data controller – in this case one who may possibly be facing litigation. In the event of litigation not taking place, the data controller would be required to review its decision.