

Medical Privacy Solicitors

It can be highly distressing to find out that information relating to your health has been leaked.  This type of information is inherently private and confidential.  Most of us would not want it shared beyond our healthcare professionals and perhaps a few trusted loved ones.

It is unlikely that your paper medical records will make their way into the public domain.  However, data leaks are often more straightforward: for example, the simple dissemination of the fact that you suffer from a particular medical condition.

There are wide-ranging scenarios where private or confidential medical information might make its way into the public domain or to third parties without the consent of the person concerned.  This can often happen as a result of negligence, but a leak can sometimes be malicious, for instance where there is a breakdown in a personal or professional relationship and one person discloses private information, motivated by anger or seeking revenge.  An example of this is the case of Cooper v Turrell [2011] EWHC 3269, which concerned the intentional posting on the internet of information relating to the health of the claimant by a former employee (which in this case happened to be inaccurate).

Any prospective claim is usually actioned under one or more of the following heads of claim:-

(a)  Misuse of Private Information;

(b)  Breach of Confidence; and/or

(c)  Breach of the Data Protection Act 1998

Misuse of Private Information

This is now recognised as a distinct tort.  Liability is assessed on whether:-

(a)  The information was private - this will be based on whether the person to whom the information relates had a ‘reasonable expectation’ of privacy in relation to the information.  Consideration of a person’s ECHR Article 8 right to respect for private and family life will determine whether there is such an expectation.  This will often be easy to determine when the material leaked concerns medical information.

(b)  There has been an infringement of the person’s reasonable expectation of privacy.  This will be fact specific and, in many cases, it will be clear whether there was an infringement or not.  Where the disclosure is arguably in the public interest then it is likely that there will need to be a more rigorous assessment of the merits of the claim and this will include a balancing exercise with the ECHR Article 10 right to freedom of expression.  A defendant may be able to defend an action if the information is already in the public domain.

The remedies available are an injunction to prohibit the dissemination and damages.  Damages are principally intended to compensate a claimant for the distress that the unauthorised disclosure has caused to the person concerned.     

Breach of Confidence

This is an equitable cause of action that was traditionally associated with the unauthorised leak of trade secrets.  The case of Coco v AN Clark Engineers Ltd [1969] RPC 41 sets out the three essential requirements that must be fulfilled to bring a claim under this cause of action:-

(a)  The information in respect of which relief is sought must have the necessary quality of confidence about it.  In other words, the information would not already be common knowledge or within the public domain;

(b)  The information must have been imparted in circumstances importing an obligation of confidence.  The law in this area has developed to allow such an obligation to be inferred in a wide variety of situations (including personal confidences), where a contractual relationship does not exist.  An obligation of confidence will, therefore, usually arise whenever a person receives information that he knows or ought to know is confidential.

(c)  There must be an unauthorised use/disclosure of that information. 

If a claim for breach of confidence succeeds, the remedies which can be awarded include damages, an account of profits and/or an injunction. 

Breach of the Data Protection Act 1998 (‘DPA 1998’)

Generally, companies and persons who process personal data will be ‘data controllers’ under the DPA 1998.  The DPA 1998 imposes certain obligations on these controllers and they will need to register with the Information Commissioner’s Office (ICO).  The obligations include implementing proper procedures for the protection of personal data and processing that data in accordance with the Data Principles set out in the DPA 1998.  If there has been a leak of medical information then this will often mean that there has been a breach of the DPA 1998 (medical information nearly always being personal data and, indeed, ‘sensitive personal data’).  A claim can be defended on the basis that the defendant took such care as was reasonably required in the circumstances to comply with the DPA 1998.  This will be fact-specific.

If a breach is continuing, under section 10 of the DPA 1998 a Court can order that the data controller cease processing personal data in the manner complained of.  Under section 13 of the DPA 1998, a data subject may claim compensation if they suffer ‘damage’ as a result of a failure to comply with the Act.  Until recently it was understood that it was necessary to show some financial loss, although in the case of Judith Vidal-Hall & Ors v Google Inc [2014] EWHC 13 (a decision on an interim point) the Court questioned this principle and this is likely to be ruled upon in the future.

A complaint can also be made to the ICO, which has the power to fine controllers for breaches of the DPA 1998.

Truth, False Privacy and Libel

Unlike libel, in privacy claims the question of whether the information is true or false is not normally relevant to the issue of liability.  The critical issue will generally be whether there has been an unjustified interference with your ECHR Article 8 rights.  Where the information is false there may also be a concurrent claim for libel if the publication of it is likely to cause others to think less of you or shun you (and you have suffered serious reputational harm).

How can our medical privacy solicitors help?

Where medical information has been leaked the priority is containment. In some circumstances it may be necessary to seek injunctive relief from the court to prevent further dissemination. 

Where dissemination has already occurred we can pursue claims for damages.

We have extensive experience in bringing actions against companies, individuals and state organisations including NHS Trusts and local authorities.

If you believe that your confidential or private medical information has been leaked or misused without your consent then simply send us an email, complete our online enquiry form or call us on 020 7183 8950 to find out how we can help you.