The Spanish High Court, Audiencia Nacional, has ruled that the right of patients to access their medical records does not include the right to know the identity of the doctors or other employees who have accessed those records (SAN 223/2022).
The case arose in 2021 when a data subject became concerned about potential unauthorised access to his medical record by individuals not involved in the diagnosis and treatment of his condition.
He lodged a complaint with, among others, a regional Department of Health (“DoH”) and requested access to his personal data found on his medical record, including all of the individuals who accessed his record.
In 2021, the DoH refused to disclose the names of the persons who accessed his health record, based on the long-standing policy position of the Spanish Data Protection Agency (“AEPD”). In particular, the AEPD interprets the right of access under the former Spanish Data Protection Act 15/1999 as only providing details of the processed data, its origin and any potential transfers, but not the identity of the persons who have had access to the information.
The patient was unhappy and therefore filed an additional complaint with the DoH, two criminal complaints with the Provincial Prosecutor’s Office for unlawful access to his medical record and two claims with the AEPD, requesting the identification of the individuals who had accessed his health record.
In 2021, the AEPD rejected both claims on the basis that they did not present “reasonable grounds” for suspecting an infringement of data protection laws. Indeed, under Article 65 of the Spanish Data Protection Act, the AEPD must assess the admissibility of a complaint upon receiving it, and dismiss it if it is abusive or does not provide “reasonable grounds” of an infringement.
The complainant disputed this decision on the basis that it ignored his allegations and the documentation submitted in the case, including the criminal complaints, which in his view justified the admission of his complaint and thus required the AEPD to investigate his case. He also argued that the AEPD’s blanket policy that the right of access does not include the right to the identity of third parties who may have accessed the medical records is unreasoned and arbitrary.
Consequently, the patient appealed against the AEPD’s decision in the Spanish High Court (Audiencia Nacional).
In January 2024, the Audiencia Nacional rejected the appeal lodged by the patient.
First, the Audiencia Nacional upheld the decision of the AEPD to dismiss the claim without further investigation, as this is allowed under Article 65 of the Spanish Data Protection Act.
Second, it confirmed the AEPD’s position on the right of access to the medical records recognised in the Spanish Patient Autonomy and Rights Act 41/2002 (the “Spanish Patient Protection Act”). In particular:
However, the Spanish Patient Protection Act does not grant the right to know the identity of the doctors who accessed the medical records and is not intended as a means for the patient to obtain information on the identity of third parties who have accessed such records. Further, this right cannot be conceived as a means for assessing whether such accesses were justified, as this authority lies with the management bodies of the health organisation, which data subjects are able to contact.
The outcome of this decision would be the same under the GDPR based on the fact:
Does this mean that if the data subject needs to know the identity of third parties to exercise his/her right, he/she may be entitled to that information? That’s another question.
The Spanish Audiencia Nacional’s ruling confirms the AEPD’s long-standing position that the right of patients to access their medical records, as provided by the Spanish Patient Protection Act, does not include the disclosure of the identity of doctors who may have accessed such medical records, nor does it allow the data subjects to assess the justification of access to their records.
More generally, and in accordance with the CJEU’s recent ruling in Pankki, the decision suggests that data subjects generally do not have the right to know which employees of the controller have accessed their personal data through the exercise of a subject access request. This will be a welcome relief for many controllers given the difficult issues this would raise – such as the potential implications for the data protection rights of the employees if their personal data were disclosed to the person making the subject access request.