Access to Medical Reports and the Data Protection Act

June 18, 2010

The Access to Personal Files and Medical Reports (NI) Order 1991 (“the Order”)

The Order provides individuals with a right of access to medical reports provided by medical practitioners in connection with employment or insurance purposes.

The terms “medical report” and “medical practitioner” are defined in the Order. The need for the medical practitioner to be or have been responsible for the clinical care of the individual implies an ongoing relationship, consisting of more than a one-off examination. While a medical report requested from an individual’s general practitioner (GP) or consultant will almost certainly be covered by the Order, a one-off medical report prepared by a company doctor, occupational health consultant or independent specialist will not, in most cases, be covered. However, the following should be noted:-

• When a company doctor has previously seen an individual (in connection with a different illness or injury or in respect of an ongoing condition), that doctor could be deemed to be responsible for the individual’s “care” for the purposes of the Order.

• Where an in-house doctor or specialist engaged by an employer wants, as part of his assessment, to review a medical report from an employee’s GP or consultant, the statutory procedure should be followed as the Order will apply due to the GP or consultant’s report.

• Where the company doctor wishes to seek medical records only from a GP or consultant, the Order will not apply, provided no report has been written by the GP or consultant. However, it the employer must obtain the employee’s explicit consent (under the Data Protection Act 1998).

• Even in the case of a one-off report from a company doctor etc outside the scope of the Order, it is recommended that doctors should be prepared to discuss the contents of their reports with patients. It is also considered best practice for employers to provide copies of reports (not covered by the requirements of the Order) to employees, so that the parties can consider the assessment and discuss any recommendations suggested.

Possible difficulties might arise where the employee, having been examined by a company doctor, claims that the doctor/patient confidentiality duty should override the terms of retainer between doctor and company. However, in the English case of Kapadia v London Borough of Lambeth [2000], Lord Justice Pill suggested that by consenting to being examined on behalf of the employers, Mr Kapadia was also implicitly consenting to the disclosure to the employers of a report resulting from that examination. Therefore, the company doctor should have supplied the report to the employer. As this is an English case and as the judge’s comments did not form part of the Court of Appeal’s decision, this is not binding on the Courts in this jurisdiction (although it is likely to be of some persuasive authority). This problem should not arise if the employer ensures that the consent form signed by the employee covers both the examination and the provision of a report to the employer.

If an individual’s contract contains an express right for their employer to require them to undergo a medical examination (with it being expressly stated that any subsequent report will be disclosed to the employer), they will be in breach of contract if they refuse to do so and the employer should consider whether disciplinary action would be appropriate. Any contractual provision will exist in addition to the statutory scheme set out under the Order. A contractual term agreeing to submit to a medical examination and consent to the disclosure of the report is unlikely to be construed as consent for the purposes of the Order because the Order requires specific consent in respect of a particular report. This also emphasises the need for an employer to exercise care when drafting the consent form.

Data protection

Information about an individual’s health is considered to be sensitive personal data under the Data Protection Act 1998 (DPA) and obtaining a medical report either under the statutory procedure or under a contractual term will amount to processing.

Under the DPA, sensitive personal data shall not be processed unless one condition from both Schedule 2 and Schedule 3 of the DPA is satisfied. The employer should consider, in light of the facts of each case, which conditions are satisfied. Typically, the relevant Schedule 2 condition will be that the employee has given their specific written consent. The relevant Schedule 3 condition might be that the employer is exercising or performing a right or obligation which is conferred or imposed by law on it in connection with employment.

If it is necessary to seek an employee’s specific consent to the disclosure of a medical report under the DPA as well as under the Order, employers should include appropriate wording to cover both scenarios in any correspondence and forms.

This note considers in brief the relationship between the Access to Personal Files and Medical Reports (NI) Order 1991 and the Data Protection Act 1998 should an employer need to obtain a
medical report on employees or workers from someone other than an individual’s GP or consultant. This note does not purport to give legal advice which should be sought as appropriate.

Please note: The content of this article is for information purposes only and further advice should be sought from a professional advisor before any action is taken.

Cleaver Fulton Rankin, 50 Bedford Street, Belfast, BT2 7FW
T: 028 9024 3141, Fax: 028 9024 9096,
A legal alliance Matheson Ormsby Prentice, Dublin & Cleaver Fulton Rankin, Belfast