Skip to content

You are reading 1 of 2 free-access articles allowed for 30 days

Identity of data controller – a matter of fact, not contract

The Irish High Court has recently declined an application1 by the liquidators of a private hospital to declare that the liquidators, or the insolvent entity, could assign its obligations as a data controller to another entity through a contract.

As part of the winding-up process of Mount Carmel Medical Group (South Dublin) Limited (the company behind the private maternity hospital in Dublin), the liquidators proposed to enter into a contract with St James’s Hospital, Dublin, to facilitate the transfer of medical records. The records, which dated as far back as 1946, comprised approximately 280,000 records relating to around 118,000 patients and an x-ray server machine, which held approximately 1.7 million digital images.

In December 2014, the Court granted liberty to the liquidators to enter into an identified Record Transfer and Management Agreement with St James’s Hospital.

It also directed the liquidators to transfer the medical records held by Mount Carmel to St James’s Hospital. The liquidators sought declarations that, following the transfer of the records, St James’s Hospital would assume the statutory role of the ‘data controller’ of the records for the purposes of the Data Protection Acts 1988 and 2003, but that the liquidators could retain limited rights of access to this information following the transfer, should they require it for the purposes of the liquidation.

The Court initially reserved its decision in relation to the declaration sought, pending further legal submissions. On 18 February 2015, the Court ordered that the Data Protection Commissioner be joined as a notice party to the proceedings and, on 7 July 2015, it delivered its judgment.

The judgment

The proposed contract between the parties provided that St James’s Hospital would become the data controller in respect of the records. A ‘data controller’ is defined by the Acts as “a person who, either alone or with others, controls the contents and use of personal data”.

The Court had difficulty with the concept that while St James’s Hospital would be the proposed sole data controller of the information, in reality the liquidators would still need to retain some residual rights of control or access.

In light of this, the Court held that “very limited weight can be given to the provisions of inter-company agreements concerning who is to be designated “data controller” or to assume sole and exclusive responsibility” if the position in fact does not reflect those terms.

In other words, the real identity of the data controller for the purposes of the Acts must be a matter of fact, not contract, and of substance, not form.

The liquidators proposed to enter into a contract with St James’s Hospital, Dublin, to facilitate the transfer of medical records. The records, which dated as far back as 1946, comprised approximately 280,000 records relating to around 118,000 patients and an x-ray server machine, which held approximately 1.7 million digital images

Ultimately, the Court did not believe that it would be either right or proper for it to exercise its discretion to make the declarations sought, even in circumstances where the Data Protection Commissioner was supportive of such declaration. The Court also acknowledged the rights of the patients in respect of their personal data and was conscious of the dangers of limiting data subjects (in this case, the patients) from taking future legal actions against the appropriate person. It stated that “the Court has no discretion either to artificially delimit the number of persons against whom those rights can be asserted or to nominate only certain persons within that definition for that purpose”.

In light of the Court’s decision if the liquidatiors wish to hold residual rights of control or access to the records after transfer, they will have to retain copies of the records for their own use and will also be considered a data controller of the records with St James’s Hospital.

Wider implications

While embedded in the context of company liquidation, these findings may apply more generally in the health industry, such as when a sole practitioner ceases to practise or where there is a change of ownership of a medical practice.

Ceasing practise

Where a sole practice GP ceases practise, eg, due to retirement (and no GP is due to take over), the retiring GP should promptly inform existing patients to allow them reasonable time to transfer their medical records to another doctor.

If the patient cannot be contacted or does not respond within a reasonable time, it is recommended that the GP securely maintain the records for a minimum period of eight years and then safely destroy them.2  Records relating to minors should be retained for longer, eg, until the minor has reached the age of 25, or 26 if the patient was 17 at the conclusion of treatment, or eight years after the patient’s death.3

In the case of a retirement within a partnership or group medical practice, patients should be promptly informed and advised that their records will be held within the practice for their continued care, unless otherwise requested by the patient.

The Medical Council’s ethical guidelines provide that:

“If you are thinking of retiring or reducing your patient list, you should put transfer arrangements in place and let your patients know before these arrangements take effect.”4

The Mount Carmel case confirms that even where transfer arrangements are in place, that may not necessarily absolve a retiring practitioner from his/her data controller obligations.

Transfer of practice

Where an existing practice changes ownership, or is taken over by a new practitioner, the first consideration should always be to notify existing patients and request their consent to the transfer of their information. Existing patients must be clearly informed how the transfer of files will be handled, who will be solely responsible for the handling and protection of the information moving forward, and any changes to the existing mechanisms for requests to access.5

Patients should be notified of any changes of ownership of a practice as soon as possible after the sale is agreed, and before the change of ownership, so that patients have the opportunity to move to another doctor if they wish. In such circumstances, the existing practice should maintain a copy of the patient record accumulated at that time for an adequate period consistent with meeting legal, medico-legal and other professional responsibilities.

For example, those patient records will be very important in the future if there is a complaint or claim made against that doctor, which can be made years after a consultation or treatment. If the records relating to that consultation or treatment have been disposed of, it may make it difficult to defend doctor’s practise and decisions about patient care in a legal or professional context.

This was one of the primary concerns for the liquidators in the Mount Carmel case. As Mount Carmel was a maternity hospital, they would require access to the patient records for a period of 18-to-20 years to allow children born at the hospital to turn 18 and be afforded the statutory time period of two years to bring proceedings. The reasoning of the Court is also applicable for GP practices. Whether the records have been legitimately transferred to another GP or not, it is the person/entity that exercises control over the records who will be deemed to be the data controller and be laden with the obligations.

Conclusion

The Mount Carmel case is a useful reminder that the identity of the data controller is a matter of fact and not the terms of any contractual agreement. The Data Protection Act’s definition of ‘data controller’ allows for multiple data controllers to exert joint control over personal data. The Court in the Mount Carmel case decided against exercising its judicial discretion to clarify where the legal responsibilities and obligations of the data controller would lie. Notwithstanding that, this case confirms the position that a contract or agreement to transfer the obligations of a data controller may not necessarily transfer those legal obligations in the eyes of the law.

Healthcare practitioners should be cognisant of this and their ongoing data protection obligations, even where they have ceased to practise or transferred their practice to another practitioner.

References

  1. In the Matter for Mount Carmel Medical Group (South Dublin) Ltd (In Liquidation) (2015) IEHC 450.
  2. The Irish College of General Practitioners, A Guide to Data Protection Legislation for Irish General Practice, April 2011.
  3. National Hospital’s Office, Code of Practice for Healthcare Records Management, April 2007.
  4. Medical Council, Guide to Professional Conduct and Ethics for Registered Medical Practitioners, 7th Edition, 2009.
  5. The Irish College of General Practitioners, A Guide to Data Protection Legislation for Irish General Practice, April 2011.

Leave a Comment

You must be logged in to post a comment.

Scroll To Top