Court refuses to grant declaration as to identity of the data controller
The High Court, in In the Matter for Mount Carmel Medical Group (South Dublin) Ltd (In Liquidation) [2015] IEHC 450 considered the issue of who is a data controller under data protection law in respect of data held by a company in liquidation.
The Court refused to grant the declarations sought by the liquidators of Mount Carmel Hospital, that the statutory role of data controller was transferred to St. James Hospital (SJH) along with transfer of the patient's records to SJH, and that the liquidators could have access to the patient data insofar as necessary for the purposes of the liquidation.
Keane J. held that there was "a clear danger of overlapping and unworkable jurisdictions" if he granted the declarations sought, as it would deprive data subjects of any meaningful right in the future to complain to the Data Protection Commissioner (the DPC) about any data processing activities carried out by Mount Carmel Hospital.
The decision shows that in the event of a dispute arising as to who is the data controller of records under a contract, the courts will give limited weight to any contractual provisions designating a particular party as data controller, and will instead focus on who, in fact, exercises control over the personal data concerned.
Background
In order to address the costs record storage and complying with data protection obligations, the liquidators of Mount Carmel Hospital agreed to transfer the patient records to SJH, pursuant to a contract. Under the terms of the proposed contract, SJH would act as sole data controller in respect of the records in place of Mount Carmel Hospital. The liquidators would be allowed access to, and to take copies of, any records which they might reasonably require. In addition, SJH would indemnify Mount Carmel Hospital and the liquidators against any costs or damages arising from breach of the agreement or the Data Protection Acts 1988 & 2003 (the DPAs).
The liquidators of Mount Carmel Hospital sought: (1) a declaration that SJH would become the data controller of the records with effect from the transfer of the records (thereby absolving Mount Carmel Hospital, and the liquidators, from any further obligations as data controller), and (2) a declaration that in the event they need access to the records for the purpose of the liquidation, they will be entitled to them. The Court ordered that the Data Protection Commissioner be joined as a notice party to the proceedings.
The Court noted that if the liquidators were to obtain a declaration to the effect that SJH was the sole data controller of the personal data contained in the records or that Mount Carmel Hospital was not the data controller of that data, that would create difficulties under the DPAs in respect of the release of that personal data by SJH to Mount Carmel Hospital, in that, having escaped all obligations of a data controller, the hospital would also have lost all of the entitlements of one. For that reason, the liquidators also sought a further declaration that in the event of the liquidators requiring access to the records for the purposes of the liquidation, they would be entitled to same. They liquidators submitted that the incorporation of a declaration in those terms would bring the release by SJH of the relevant data within s. 8(e) of the DPAs, which provides that any restrictions on the processing pf personal data do not apply if the processing is required by a Court Order.
The DPC concurred that Court Order requiring SJH to disclose data to Mount Carmel would 'legitimise' the release of that data back to Mount Carmel, and that Mount Carmel and SJH would thereafter be subject to regulation by the DPC in respect of their data processing activities.
The Court considered the recent UK decision in Re Southern Pacific Personal Loans Limited [2013] EWHC 2485 (Ch) which considered whether the liquidators of a company should be viewed as data controllers of certain data either jointly or in common with the company in liquidation. In that case, the liquidators were held not to be data controllers since they merely acted as agents of the insolvent company, rather than exercising control of the data on their own behalf. Keane J., however, did not find it necessary to decide whether the position would be different in this case, where the liquidators had been advised that the medical records containing the wind-down period personal data formed part of the liquidators books for the purposes of s. 57 of the Company Law Enforcement Act 2001, and the liquidators had to retain those records to comply with that provision.
Decision
Keane J. refused to grant both the declarations sought by the liquidators. He held that under the Data Protection Directive 95/46/EC, data could be held by a single person or jointly with others, and that "very limited weight can be given to the provisions of inter-company agreements concerning who is to be designated "data controller"…it is the position in fact that must prevail over any such contractual designation or characterisation".
He held that the power to grant a declaration should be exercised sparingly and with due care and caution, and that since SJH had already shown its willingness to enter into the proposed contract, no useful purpose would be served by granting declarations that would affect the rights and liabilities of several people in the future.
Keane J. held that whilst the jurisdiction conferred on the DPC by the Oireachtas to determine certain issues is not an exclusive one, there was a "danger of overlapping and unworkable jurisdictions" if he were to make the declarations now sought, as they would have the effect of adversely predetermining any claim in tort that might later be brought by any data subject against Mount Carmel Hospital, as data controller, for breach of the duty of care recognised by section 7 of the DPAs. Keane J. refused to deprive data subjects of their right to complain to the DPC in the future about Mount Carmel's processing of their personal data, and to have that complaint investigated by the DPC.
This article was originally published on our Ireland IP & Technology Law Blog on 17 August 2015.
If you require any further information on this, please contact Davinia Brennen at dbrennan@algoodbody.com.