Access Granted: DSAR changes for data controllers granting access to health data
The Data Protection Act 2018 (Access Modification) (Health) Regulations 2022 (2022 Regulations) commenced on Tuesday, 8 March 2022. The 2022 Regulations revoke and replace the Data Protection (Access Modification) (Health) Regulations 1989 (1989 Regulations).
The 1989 Regulations
The 1989 Regulations required the data controller to consult with an "appropriate health professional" (within the meaning of the Medical Practitioners Act 1978) before granting access to health data.
Regulation 5(1) of the 1989 Regulations prohibited a data controller who is not a health professional from supplying "information constituting health data" in response to a DSAR unless it has "first consulted the person who appears to him to be the appropriate health professional."
The purpose of this requirement was to ensure that releasing the personal data would not cause serious harm to the individual's physical or mental health, as set out in Regulation 4(1):
"Information constituting health data shall not be supplied by or on behalf of a data controller to the data subject concerned in response to a request under Article 15 of the General Data Protection Regulation if it would be likely to cause serious harm to the physical or mental health of the data subject."
In practice, the 1989 Regulations meant that access to health data was granted only after the request had first been referred to a health professional.
The 2022 Regulations
The 2022 Regulations introduced several key changes for controllers and individuals regarding DSARs. Regulation 5 provides that "nothing in these regulations shall operate to excuse a controller from granting access to a data subject to so much of the information sought in relation to the health data concerned as may be granted without causing serious harm to the physical or mental health of the data subject."
They also introduce a new discretion for controllers who are not health services providers when responding to DSARs. Regulation 7 provides:
"Where a controller –
(a) is a person other than a health services provider, and
(b) has reasonable grounds for believing that granting access to the health data concerned would be likely to cause serious harm to the physical or mental health of the data subject,
the controller may decide not to provide the data subject with the personal data concerned."
Under Regulation 8 of the 2022 Regulations, data minimisation and pseudonymisation must be applied when a controller consults with a health practitioner. It provides that:
- Where a controller referred to in Regulation 7 has the reasonable grounds referred to in subparagraph (b) of that Regulation, he or she may consult with a health practitioner who has experience and qualifications to advise on the subject matter of the data before making a decision on whether or not to provide the data subject with the personal data concerned.
- Where a controller consults with a health practitioner under paragraph (1), the controller shall provide to that health practitioner only so much of the data subject’s health data as is necessary for the health practitioner to advise on the subject matter of the data.
Paragraphs (3) and (4) of Regulation 8 require the health data supplied to the health practitioner to be in "pseudonymised form", and the practitioner's advice to be given in "writing to the controller concerned."
Under Regulation 4 of the 2022 Regulations, the right of access under Article 15 of the GDPR may be restricted in relation to health data only "to the extent that is necessary and proportionate" and "for as long as necessary only to protect the health of the data subject." Any withholding of data must therefore pass a necessity and proportionality test to be compliant with the GDPR, and because the restriction may last only as long as is necessary, a decision to withhold should be kept under review rather than treated as permanent.
United Kingdom's Approach
The Data Protection (Subject Access Modification) (Health) Order 2000, made under the Data Protection Act 1998, set out the United Kingdom ("UK") approach, which has been carried forward into Schedule 3, Part 2 of the UK Data Protection Act 2018.
Article 6 of the Order required a data controller who is not a health professional to consult with a person who appears to the data controller "to be the appropriate health professional" before communicating information to the data subject.
Article 5 of the Order provided that a data controller "who is not a health professional" may not withhold information on the ground that it would be "likely to cause serious harm to the physical or mental health" of the data subject unless the controller has "first consulted the person who appears…to be the appropriate health professional."
The divergence between the Irish and UK approaches is a salutary lesson for multinational data controllers: local law advice should be sought, since different jurisdictions may take different approaches to the same issue.
It is no longer a requirement for a controller (who is not a health services provider) to consult with a health practitioner before granting access to an individual's health data. In making its decision, the controller must consider the "serious harm" exemption and, where it withholds data, ensure that doing so is a "necessary" and "proportionate" response. Overall, this should allow greater expediency and transparency in responding to DSARs.
Article provided by INPLP member: Leo Moore (William Fry, Ireland)
Dr. Tobias Höllwarth (Managing Director INPLP)