Introduction
The Data Protection Act 2018 (Access Modification) (Health) Regulations 2022 (2022 Regulations) commenced on Tuesday, 8 March 2022. The 2022 Regulations revoke and replace the Data Protection (Access Modification) (Health) Regulations 1989 (1989 Regulations). This new legislation materially impacts organisations (acting as controllers) that process health data concerning individuals and receive data subject access requests (DSAR(s)) from such individuals under Article 15 of the General Data Protection Regulation (GDPR).
Under the 1989 Regulations, it was a mandatory requirement for any controller processing health data who was not a health service provider (e.g. an insurance company) on receipt of a DSAR, to consult with a health practitioner (e.g. a GP) before providing (or arranging) access to such data by the individual concerned. Under the 2022 Regulations, it is a controller’s discretion whether to consult a health practitioner, subject to certain pre-conditions being satisfied.
Health Data & DSARs: Pre-2022 Regulations
The Data Protection Acts 1988 to 2018 (DP Acts) and the GDPR set out a number of limited exceptions for controllers when responding to a DSAR where an individual’s right to access their personal data can be restricted. One such exception is contained at section 60(5)(1)(a)(i) of the DP Acts, which provides that a Minister may implement restrictions to an individual’s right to access their personal data where the application of that right “would be likely to cause serious harm to the physical or mental health of the data subject.”
The 1989 Regulations legislated for this practice, such that health data could be withheld from a DSAR response where, in the opinion of the “appropriate health professional” (within the meaning of the Medical Practitioners Act 1978), to grant access to the health data would likely cause serious harm to an individual’s physical or mental health. The 1989 Regulations created to a long-standing practice, in DSAR responses, where controllers had to consult with health practitioners and arrange for individuals to get access to their health data via health practitioners.
Health Data & DSARs: 2022 Regulations
The 2022 Regulations introduced several key changes for controllers and individuals in the context of DSARs where the “serious harm” exemption applies. The headline changes are:
1. Organisations’ New Discretion to Rely on “Serious Harm” Exemption
Regulation 7 of the 2022 Regulations introduces a new discretion for controllers who are not health service providers to rely on the “serious harm” exemption in their own capacity without any requirement to consult with a GP (or other health practitioner). It provides:
“Where a controller –
(a) is a person other than a health services provider, and
(b) has reasonable grounds for believing that granting access to the data subject to the health data concerned would be likely to cause serious harm to the physical or mental health of the data subject,
the controller may decide not to provide the data subject with the personal data concerned.”
This means it is no longer a mandatory requirement for a controller to consult with a health practitioner to provide access to an individual’s health data when responding to a DSAR.
2. Consultation With GP Must Implement Data Minimisation & Pseudonymisation
Regulation 8 of the 2022 Regulations provides that a controller “may consult with a health practitioner…. before making a decision on whether or not to provide the data subject with the personal data concerned”. Where a controller does consult with a health practitioner, Regulation 8 requires:
- adherence to the GDPR’s data minimisation principle, by requiring a controller to only share so much of an individual’s health data as is “necessary” for a health practitioner to advise on the subject matter of the data;
- a controller to only share health data in pseudonymised form; and
- a health practitioner to give any advice in writing to the relevant controller where the health practitioner recommends withholding the health data concerned.
3. “Necessary and Proportionate”
Under Regulation 4 of the 2022 Regulations, any withholding of health data in a DSAR response by a controller must only be “to the extent that is necessary and proportionate” and for as long as “necessary only to protect the health of the data subject”.
4. Keep Health Data Available
Where any health data are withheld from a DSAR response, Regulation 9 of the 2022 Regulations requires the controller to advise the individual (if the individual so requests) that the controller will offer access to the data to the individual’s specified health practitioner and will keep the data concerned available for such purposes.
Key Impact for DSARs
The introduction of the 2022 Regulations will be welcomed by organisations and individuals alike in the context of DSARs because they will allow for greater expediency and transparency in responding to DSARs that concern health data.
For any response to a DSAR, it remains the case that to withhold health data, controllers relying on the 2022 Regulations must carefully consider the “serious harm” exemption and clearly document the objective analysis applied to ensure compliance with the GDPR, DP Acts and 2022 Regulations.
Please contact David Kirton, Rachel Hayes or your usual William Fry contact for further updates, advice and insights.
Contributed by Jordie Sattar & Rachel Hayes