Data access request for medical records - the hospital requested an initial processing fee which was paid - a final processing fee was demanded after expiry of the 40 days from receipt of the DAR - requested documents were eventually supplied some 60 days from receipt of the DAR - breach of section 19(1).
The Complaint
The complainant made a data access request ("DAR") to a hospital in respect of her medical records on the 13th November 2003. The hospital acknowledged the DAR on the 24th November 2003 and requested the complainant to pay an initial processing fee and clarify the type of data she requested. Three days later, the complainant paid the fee and clarified her request. As the complainant received no reply from the hospital on the 40th day after the DAR, she lodged a complaint with the Privacy Commissioner.
On 2nd January 2004, the hospital informed the complainant of the amount of the required fee to comply with her DAR. The complainant paid the fee on 7th January 2004 and received some medical notes and X-ray films on 15th January 2004.
Findings of the Privacy Commissioner
A preliminary enquiry was conducted and the hospital was found tohave complied with the DAR by sending the complainant the required medical records within a reasonable time after receipt of the DAR compliance fee from the complainant. The Privacy Commissioner was of the view that there was no evidence of contravention of section 19 of the Ordinance and informed the complainant that no investigation would be carried out. Despite the fact that she had obtained the personal data requested, the complainant sought to argue that the hospital was in breach of the relevant provisions of the Ordinance. She appealed to the AAB against the Privacy Commissioner's findings.
The Appeal
The complainant argued that in order to comply with the requirements of section 19(1) of the Ordinance, the hospital should have sent the requested data to her, and not simply demanded payment of an initial processing fee, within the prescribed 40-day period.
The AAB ruled that "..."to comply with the request" must mean to supply the requested data in the DAR...An acknowledgement of receipt of the DAR or the issue of a notice of demand for a fee, without more, is insufficient to discharge that obligation...After all, the purpose of prescribing the 40 day period is to enable the requested data to be supplied to the requestor without delay."
The AAB however acknowledged that it served no useful purpose to order an investigation of the matter given that the complainant had already obtained her medical reports and X-ray films requested in her DAR. The Privacy Commissioner was asked by the AAB to consider giving advice to the hospital concerned as to its future handling of DARs.
The AAB's Decision
The appeal was allowed.
(N.B. In view of the decision taken by AAB, the Privacy Commissioner subsequently wrote to the hospital concerned regarding the deliberations of the AAB and explained the statutory requirement to comply with a DAR as laid down in section 19 of the Ordinance.)