# Private by default: reasonable expectations in secondary uses of patient data

**Authors:** Miranda Mourby

PMC · DOI: 10.1093/medlaw/fwaf038 · 2025-10-31

## TL;DR

This paper argues that patient data should be presumed private by default when used for purposes beyond their healthcare.

## Contribution

The paper proposes a legal presumption of privacy for secondary uses of patient data.

## Key findings

- Current legal tests for privacy lack clarity and consistency.
- Existing legal standards give judges too much discretion in evaluating privacy expectations.
- A default presumption of privacy would better protect patient rights.

## Abstract

The ‘reasonable expectations of privacy’ test has become central to English information law. The fact-specificity of this test has obfuscated the scope of patients’ privacy rights. In both R (W, X, Y & Z) v Secretary of State for Health and Prismall v Google, the claimants were found to lack a circumstantially reasonable expectation of privacy when their identifiable information was disclosed outside the healthcare system, obviating the need for justification under Article 8 European Convention on Human Rights (ECHR). In response to these developments, this article argues for a legal presumption of privacy when patients’ data are used for purposes other than their healthcare. This would be a development of the courts’ existing ‘starting point’ of assuming reasonable expectations of privacy in identifiable medical information. The two cases explored in this article suggest that this ‘starting point’ is not enough, and still affords judges broad discretion to evaluate a (non-exhaustive) list of factors in each individual case. For the sake of the clarity and accessibility of patients’ rights, I argue that privacy should be presumed by default when their data are used for purposes other than their healthcare.

---
Source: https://tomesphere.com/paper/PMC12576322