How private are patients’ dental records?
21 November 2011
This is a case in which Philip Havers QC of 1 Crown Office Row appeared for the General Dental Council; he is not the author of this post.
The General Dental Council v Savery and others  EWHC 3011 (Admin) – Read judgment
Mr Justice Sales in the High Court has ruled that the General Dental Council’s (GDC) use and disclosure of the dental records of fourteen patients of a registered dentist who was the subject of investigation was lawful.
The court also offered general guidance about how the GDC may proceed (particularly by reference to Article 8 of the European Convention on Human Rights, the right to privacy and family life) when it wishes to investigate allegations against a dentist of impairment of fitness to practise by reference to confidential patient records in the absence of consent from the patients in question.
The background to the application was that the GDC had received information from a health insurance company (“HSA”) to the effect that claims for reimbursement of dental expenses had been made against it by patients (and certified by Dr Al-Naher, a registered dentist) which it considered to have been wrongfully made; in particular that certain treatment claimed for had not been provided. There were also general complaints about the quality of the treatment and the nature of the records kept by Dr Al-Naher.
In response, the GDC contacted fourteen of the dentist’s patients, inviting them to consent to the disclosure of their full records to the GDC. The GDC had previously obtained parts of the records from HSA, relying on its power under section 33B of the Dentists Act 1984. Ten of the fourteen patients refused their consent; the remaining four did not respond. The main issue before the court therefore was whether, in circumstances where a patient has not consented to the disclosure of his or her records, it was lawful for the Registrar of the GDC to use those records and disclose them to a wider circle of individuals, in particular the Investigating Committee and (if necessary) a Practice Committee of the GDC.
The court considered the three legal regimes relevant to the use which the GDC proposed to make of the patient records in the Registrar’s hands:
- confidentiality obligations imposed by the common law;
- the Data Protection Act regime; and
- general public law to which the GDC, as a public authority, is subject (in particular, by reference to its obligations under section 6(1) of the Human Rights Act and the Convention rights).
Common law confidentiality
In respect of confidentiality at common law, the court considered that the proposed use of the records would not be in breach to the requirements of this principle. In particular, the court considered that the fact that the members of the relevant Committee of the GDC were themselves subject to common law obligations of confidentiality and that measures were available (including the anonymisation of proceedings) to prevent patient information being put in the public domain, were sufficient safeguards to mean that the common law obligations were not a bar to the limited disclosure proposed. Dealing with the fact that the patients in question had either objected or not consented to such disclosure, the court commented (at paragraph 48):
The fact that the patients in question object to the disclosure, or do not consent to it, does not affect this position. The reason that the GDC is given statutory authority to make use of patient records in this way is because the public interest in investigation of allegations against dentists and other medical practitioners of impairment of fitness to practise has been assessed by Parliament (and by the courts, under the common law) to be so strong as to override private interests of patients in preserving confidentiality, to the extent necessary for the investigation to take place. Where the GDC proposes to make use of patient records in this way, contrary to the wishes of the patients in question, then – so far as the common law regime is concerned – it will usually be a matter of good practice (albeit not a legal obligation) to inform the patients in advance about what the GDC proposes to do with their records, so that they have an opportunity to consider whether to make objections to that course and if need be apply to court to raise such objections…
Data Protection Act
The implications of the DPA regime were dealt with swiftly, the court concluding that processing of the data in question by its disclosure was justified under provisions made in both Schedule 2 and Schedule 3 of the DPA.
Rights of patients to privacy
The court went on to consider at some length the question of whether the rights of the patients under Article 8 of the Convention prevented the proposed course of action. In concluding that they did not, the court considered in particular MS v Sweden (1999) 28 EHRR 313, the leading Strasbourg authority regarding one public authority transmitting confidential patient records to another public authority to enable the second authority to carry out functions in the public interest.
The Strasbourg court had in that case dealt with a claim of breach of Article 8 in a case concerning the disclosure of medical records of an applicant for statutory compensation for industrial injury by a women’s clinic to the Swedish Social Insurance Office. The court rejected the claim despite the fact that neither the clinic nor the Office had requested the applicant’s consent before requesting and receiving the medical records, nor had either body sought the sanction of a court for proceeding in this way. Whilst the Strasbourg court considered (unsurprisingly) that there had been an interference with the applicant’s Article 8 rights, it nonetheless considered such interference to be justified and proportionate to the legitimate aim pursued.
Applying the principles set out in MS to the present case, Sales J found that the proposed disclosure pursued legitimate objectives set out in Article 8(2), as being “in the interests of … public safety”, “for the protection of health and morals” and “for the protection of the rights and freedoms of others.” Particular emphasis is placed in the judgment on the role of the GDC in maintaining public confidence in health services.
Sales J gave some additional (strictly obiter, that is said in passing and not strictly binding) guidance on dealing with the present type of situation. In particular, he expressed the view that “it is arguable that the good practice … that in ordinary circumstances the person whose confidential information is in issue should be informed that it is proposed to disclose that information to a professional or regulatory body … will be required under Article 8.” Whilst judgments including MS had not criticised a failure to follow such practice, Sales J considered that
there may be scope for development of the law in this area and for a greater focus on the safeguards for patients where confidential medical information about them is to be used for other purposes, particularly where such information may be the subject of intensive scrutiny by others as in this sort of case (paragraph 64).
Such a prior notice requirement would enable patients who felt strongly that disclosure ought not to be made to make representations to that effect; it was also likely to be a less costly requirement than that argued for on behalf of the dentist in this case of requiring the GDC to apply to the court for an order permitting such disclosure in every case. Sales J envisaged such a prior notice requirement as being no more than to take reasonable steps to identify and notify the patients concerned, which might be disapplied in cases where it would be impracticable or undesirable for some reason of the public interest.
The judge also appears to imply a condition of proportionality in that he cites GDC v Rimmer  EWHC 1049 (Admin) as an example where notification would not be required on the basis that it was a case in which “the entire computerised records of a medical practice had to be subject to limited electronic interrogation”. However, this was qualified by the caveat that
In situations where it is not possible to follow such a prior notification procedure, particular care may need to be taken to ensure that the other safeguards in place will be effective to ensure that confidential patient information is only disclosed or made use of for proper purposes (paragraph 65).
Sign up to free human rights updates by email, Facebook, Twitter or RSS