Society as a whole is becoming more aware of their rights. In the UK alone fines for data breaches topped £3m in 2016 (Independent) and with the General Data Protection Regulations (GDPR) being mandated from May 2018, this looks set to rise from the current cap of £500k up to a whopping €20m. Access to your own personal data is permitted through Subject Access Requests, a right that is currently given by virtue of the Section 7 of the Data Protection Act 1998 (DPA 1998) and soon to be the GDPR. This runs alongside the common law duty of confidence which has developed in the courts through case law. This common law duty arises where information is disclosed in confidence and means that this information is protected and cannot normally be disclosed without the information provider’s consent.
It is of note that DPA 1998 only applies to living people (s.1) as does the GDPR, however, the duty of confidence with regards to personal data extends beyond death. As can be seen in the recent judgement in the Berlin court of appeal, where the court ruled that parents of a 15 year old girl who committed suicide could not have access to her Facebook chat history (Guardian). The law takes confidentiality seriously, and with deceased people it is inherently a sensitive topic.
This protection of data extends to health records – an area which is still covered by the Access to Health Records Act 1990. Under the Act, when a patient has died, access to the records may be granted to the patient’s personal representative i.e. executor of the will and someone who has a claim resulting from the death. There are also a number of exemptions detailed such as national security or crime prevention reasons. It is important to note that this is restricted to information that is relevant to the request. It may seem like Data Protection gone too far. After all, if a person is deceased – who does it harm?
From a health records perspective, it could harm the patient themselves whilst they are still alive. The very nature of healthcare is highly personal and sensitive especially in certain specialties of care such as gynecology and sexual health. If people thought that their records could be accessed, this might discourage full and frank disclosure during their care and potentially mean that they were not receiving adequate care because of these concerns. Surely patients should be able to rely on this duty of confidence extending beyond death?
One of the key misconceptions is about the access rights of next of kin. Being next of kin does not necessarily entitle you to see health records of the deceased. As heart breaking as it is, if an adult dies, you are not automatically permitted access to the health record regardless of your relationship with the patient. That is not to say that requests will always be refused – Department of Health guidance says that requests should be considered on a case-by-case basis and it should be determined whether a disclosure is appropriate and lawful. In the case of Pauline Bluck, a mother sought disclosure of her deceased daughter’s medical records from the hospital who had previously admitted negligent treatment. The claim settled and compensation was paid to her widower. The request for disclosure was refused as the woman’s widower did not consent. This important case reiterated the standpoint that a duty of confidence will continue after death, the judgement extending even further to indicate that inappropriate disclosure may give rise to legal action after death. Some people would argue that after they are gone, they don’t care who sees their records– however it needs to be considered how it could affect other people close to them, especially those who are entitled to have access.
Although the restrictions placed on access to data for a deceased person can cause distress, it only seems reasonable that the duty of confidence and the protection it affords is. As summed up in the case of Coco v Clark “The equitable jurisdiction in cases of breach of confidence is ancient; confidence is the cousin of trust”