The High Court has handed down judgment in an important case dealing with the data protection obligations of NHS Trusts in respect of the collection and retention of patient medical records.
The Claimant (anonymised as ‘YSL’ to protect privacy) brought a wide-ranging claim against the Defendant Foundation NHS Trust, seeking damages and erasure orders in respect of his medical records. The medical records in question related to his use of mental health services under CAMHS and adult services.
The Claimant argued that some of his records were unlawfully obtained from other agencies such as the police, some were inaccurate, and that in any event his entire records should be deleted on the basis that their continued retention by the NHS Trust caused him distress and infringed his privacy rights under the Data Protection Acts 1998 and 2018, UK GDPR, and Article 8 ECHR.
In giving judgment for the NHS Trust and dismissing all claims, Julian Knowles J addressed issues relating to the retention of medical records with wider implications for NHS Trusts generally.
In particular, Julian Knowles J held:
i. The NHS Trust had a lawful basis for the processing of the Claimant’s records under Article 5 UK GDPR, namely Article 5(1)(e), as processing was necessary for the performance of a task carried out in the public interest. The NHS Trust had a lawful basis for the processing of the Claimant’s records under Article 9(1)(h) and (i) UK GDPR, and the condition in Article 9(3) was satisfied by amongst other things the common law duty imposed on medical professions and the NHS’s Confidentiality Policy. The conditions in Sections 10 and 11 and Part 1 of Schedule 1 to the Data Protection Act 2018 were also satisfied [paragraphs 141-159]
ii. ‘Adult at risk’ risk assessments received by the NHS Trust from the Police were processed lawfully, and the right to be informed under Article 13 UK GDPR did not mean “every individual has to be specifically informed every time a data controller organisation receives personal data about them, before or at the time it is received” [paragraphs 160-172]
iii. The Claimant had no right to erasure of his records under Article 17 UK GDPR as the NHS Trust had established a lawful basis for not ceasing to process the medical records [paragraphs 172-182]
iv. The 20 year retention period for mental health records set by NHSX was lawful, and the NHSX Code was plainly the result of detailed consideration by those expert in what was needed by way of retention of NHS data. The 20 year retention period does not render the otherwise lawful retention of the Claimant’s medical records disproportionate and in breach of Article 5 UK GDPR. Article 8 ECHR may be engaged by the mere retention of medical records, but any infringement in this case was modest, and proportionate to a legitimate aim in respect of the protection of health [paragraphs 183-227]
v. Clinical diagnoses (in this case a potential diagnosis of autistic spectrum disorder) are a matter of medical opinion which fell outside the data protection accuracy principle in Article 5(1)(d) UK GDPR [paragraphs 228-239].
In a post-script to the judgment, Julian Knowles J refused the Claimant’s application to have the judgment kept private. He held that (i) there was no justification for a derogation from the bedrock principle of open justice, (ii) the Claimant’s identity was protected by the anonymity order, and (iii) the Claimant chose to bring the litigation, with the trial heard in open court, and the Defendant NHS Trust was entitled to a public judgment demonstrating that it did not act unlawfully [paragraphs 242-254].
Jason Bleasdale, Sarah Mills and Michelle Golden of Clyde & Co LLP represented the Defendant NHS Trust on instructions from NHS Resolution throughout the Trust’s defence of the claim.
Jack McCracken and Thomas Herbert of Ropewalk Chambers were instructed in respect of the trial and Defence respectively.