Hospital employee acquitted of using wife's sensitive patient information

An employee of Gozo General Hospital has been acquitted of offences under the Data Protection Act after allegedly pulling strings to get his estranged wife’s medical records exhibited in annulment proceedings.

The male employee, whose name has been withheld by the court, was charged after his wife lodged a complaint through her legal counsel, wherein she alleged that the Gozo General Hospital (‘GGH’) breached her data protection rights when copies of her medical file revealing clinical notes made by the mental health medical professional who was dealing with her case, were presented by her husband before the Ecclesiastical Tribunal during the annulment proceedings.

Magistrate Joe Mifsud, presiding the court of magistrates in Gozo, ruled that the woman had suffered a breach of her right to privacy, despite the man’s argument that the case fell within the parameters of a legal exception for the use of sensitive personal data.

The court disagreed with this argument, noting that they had also been tabled as secret acts which would have had even higher restriction of access than the normal files.

A witness had testified to the man offering her money to give him the information he sought, but that she had refused on “professional, ethical and moral grounds.”

“Had he believed that he should find legal means to get his hands on these documents and certainly had he sought the advice of his lawyer, a morally and ethically correct way for this information to end up before the Ecclesiastic Tribunal would have been found,” observed the court.

However, despite the fact that the law had clearly been broken, the court could not establish with certainty who had broken it.  A representative of the Commissioner for Data Protection had testified to say that his department had concluded that the hospital had breached the Data Protection Act, but that they could not take criminal action themselves and had to involve the police. Neither could they pinpoint the individual who had stolen the data or revealed the information.

“In the opinion of the court,” said the magistrate, “the prosecution and the parte civile are accusing an individual of a crime that can only be committed by the data controller, which the individual in question is not.”

The man was acquitted.