Spain – No right to know which doctors accessed medical records

The Spanish High Court, Audiencia Nacional, has ruled that the right of patients to access their medical records does not include the right to know the identity of the doctors or other employees who have accessed those records (SAN 223/2022).

Background

The case arose in 2021 when a data subject became concerned about potential unauthorised access to his medical record by individuals not involved in the diagnosis and treatment of his condition.

He lodged a complaint with, among others, a regional Department of Health (“DoH”) and requested access to his personal data found on his medical record, including all of the individuals who accessed his record.

In 2021, the DoH refused to disclose the names of the persons who accessed his health record, based on the long-standing policy position of the Spanish Data Protection Agency (“AEPD”). In particular, the AEPD interprets the right of access under the former Spanish Data Protection Act 15/1999 as only providing details of the processed data, its origin and any potential transfers, but not the identity of the persons who have had access to the information.

The patient was unhappy and therefore filed an additional complaint with the DoH, two criminal complaints with the Provincial Prosecutor’s Office for unlawful access to his medical record and two claims with the AEPD, requesting the identification of the individuals who had accessed his health record.

AEPD rejects the complaint

In 2021, the AEPD rejected both claims on the basis that they did not present “reasonable grounds” for suspecting an infringement of data protection laws. Indeed, under Article 65 of the Spanish Data Protection Act, the AEPD must assess the admissibility of a complaint upon receiving it, and dismiss the complaint if it is abusive or does not provide “reasonable grounds” of an infringement.

The complainant disputed this decision on the basis that it ignored his allegations and the documentation submitted in the case, including the criminal complaints. In his view, these justified the admission of his complaint and thus required the AEPD to investigate his case. He also argued that the AEPD’s blanket policy that the right of access does not include the right to know the identity of third parties who may have accessed the medical records is unmotivated and arbitrary.

Consequently, the patient appealed against the AEPD’s decision in the Spanish High Court (Audiencia Nacional).

Audiencia Nacional ruling

In January 2024, the Audiencia Nacional rejected the appeal lodged by the patient.

First, the Audiencia Nacional upheld the decision of the AEPD to dismiss the claim without further investigation, as this is allowed under Article 65 of the Spanish Data Protection Act.

Second, it confirmed the AEPD’s position on the right of access to the medical records recognised in the Spanish Patient Autonomy and Rights Act 41/2002 (the “Spanish Patient Protection Act”). In particular:

  • This right consists of the patient’s right to know, in the context of any healthcare intervention, all the information available concerning his/her health, except for those cases exempted by law (Article 4). This information, which is generally provided by the healthcare provider verbally to the patient and recorded in the medical records, must at least include the purpose and nature of each intervention, its risks and consequences.
  • Patients also have the right of access to the relevant documentation of their medical records and to obtain copies of the data recorded therein (Article 18).

However, the Spanish Patient Protection Act does not grant the right to know the identity of the doctors who accessed the medical records and is not intended as a means for the patient to obtain information on the identity of third parties who have accessed such records. Further, this right cannot be conceived as a means for assessing whether such accesses were justified, as this authority lies with the management bodies of the health organisation, which data subjects are able to contact.

Subject access request

The outcome of this decision would be the same under the GDPR, for the following reasons:

  • Article 15 of the GDPR gives individuals the right to access their personal data and to request a copy of the personal data being processed. They are entitled to specific information about details of the purposes of the processing and any retention period.
  • However, the right of access is not an absolute right and should be balanced with the rights and freedoms of other data subjects in accordance with the principle of proportionality (Recitals 4 and 63 of the GDPR).
  • Moreover, in June 2023, the CJEU published its decision in Case C-579/21 (Pankki) on the question of whether data subjects are entitled to learn who has accessed their personal data. The CJEU confirmed the broad scope of the right of access to information about the processing of personal data, including the dates and purposes of the processing activities, in order to enable the data subject to verify the lawfulness of the processing. Nonetheless, the CJEU concluded that this does not grant a right to obtain the identities of employees who have carried out these consultations, provided that the consultations have been made under the controller’s authority and in accordance with its instructions.

Does this mean that if the data subject needs to know the identity of third parties to exercise his/her right, he/she may be entitled to that information? That’s another question.

Conclusion

The Spanish Audiencia Nacional’s ruling confirms the AEPD’s long-standing position that the right of patients to access their medical records, as provided by the Spanish Patient Protection Act, does not include the disclosure of the identity of doctors who may have accessed such medical records, nor does it allow the data subjects to assess the justification of access to their records.

More generally, and in accordance with the CJEU’s recent ruling in Pankki, the decision suggests that data subjects generally do not have the right to know which employees of the controller have accessed their personal data through the exercise of a subject access request. This will be a welcome relief for many controllers given the difficult issues this would raise – such as the potential implications for the data protection rights of the employees if their personal data were disclosed to the person making the subject access request.