Changes in How Controllers Handle Health Data in Data Subject Access Requests

In March 2022, the Minister for Health gave effect to the Data Protection Act 2018 (Access Modification) (Health) Regulations 2022 (the “Regulations”) which revise the legal requirements on controllers handling data subject access requests involving health data (i.e. personal data relating to physical or mental health).  The Regulations repeal and replace the previously applicable Data Protection (Access Modification) (Health) Regulations 1989 (the “Previous Regulations”).

The Previous Regulations

Under Article 15 GDPR, a data subject has a right of access to a copy of their personal data, which can only be restricted in limited circumstances. Under the Previous Regulations, controllers who were not health professionals were not permitted to provide health data to a data subject until that controller had first consulted with an appropriate health professional.  This created significant issues for controllers when dealing with data subject access requests that included health data, particularly when dealing with requests from employees that captured apparently innocuous health data that was stored on the employee file (e.g. sick notes or routine occupational health assessments).

The new Regulations

The Regulations provide that they do not generally excuse controllers from the obligation to grant access to as much of the data subject’s health data as can be disclosed without causing ‘serious harm to the data subject’s physical or mental health’. However, if a controller has ‘reasonable grounds’ to believe that granting access to health data would be likely to cause ‘serious harm’ to the data subject’s physical or mental health, such controller is entitled (but not required) to refuse to provide access to that data.

Consultation with health practitioners

Where the controller is not a health services provider, it is now entitled (but not legally required) to consult with a health practitioner before making a decision on whether or not to provide the data subject with the personal data concerned.  

The Regulations specifically prescribe how such consultation is now to take place.  Under the revised regime, where such a controller chooses to consult with a health practitioner, the controller is required to provide only so much of the data subject’s data as is necessary for the health practitioner to advise on the issue and there is also a requirement that the health data must be pseudonymised before provision.  In addition, where a controller ultimately refuses to grant access to health data, it must inform the data subject that it will, if the data subject requests, provide the relevant health data to a health practitioner nominated by the data subject (and it is also required to keep the relevant data available for this purpose).

Practical consequences

Controllers are naturally cautious when dealing with health data under the GDPR (as it represents special category data under the GDPR). 

However, controllers who are not health services providers will likely welcome the removal of the previous legal obligation to always involve health professionals in their access requests.   Despite the removal of this legal requirement to consult with health professionals where health data is being released, it is likely that controllers will take a cautious approach to the release of health data.  This may especially be the case when the controller is dealing with data subjects who are, for example, known to the controller as being particularly vulnerable or where the controller is simply unsure whether the release of the health data would be likely to cause harm to the data subject’s health or wellbeing.

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.