The DPA 2018 defines ‘data concerning health’ as personal data relating to the physical or mental health of an individual, including the provision of health care services, which reveals information about their health status.
Can I charge a fee for providing access to health data?
No. There are no special rules which allow you to charge fees if you are complying with a SAR for health data. For more information about when you can charge a fee please see ‘Can we charge a fee?’.
Is health data ever exempt from the right of access?
The exemptions and restrictions that apply to other types of personal data also apply to personal data concerning health. So, for example, if health data contains personal data relating to someone other than the requester (such as a family member), you must consider the rules about third-party data before disclosing it to the requester. However, you should not normally withhold information that identifies a health professional, such as a doctor, dentist or nurse, carrying out their duties for this reason. See ‘What should we do if the request involves information about other individuals?’ for more information.
There are also further exemptions and restrictions that apply to health data in particular. These are explained in the next sections.
Is health data exempt if a court processes it?
There is an exemption from the right of access for health data if the data is:
processed by a court;
supplied in a report or given to the court as evidence in the course of proceedings; and
specific statutory rules apply to those proceedings which allow the data to be withheld from the individual it relates to.
If you think this exemption might apply to your processing of personal data, see paragraph 3(2) of Schedule 3, Part 2 of the DPA 2018 for full details of the statutory rules.
Is health data exempt if disclosure goes against an individual’s expectations and wishes?
Yes. There is an exemption from the right of access if you receive a request (in exercise of a power conferred by an enactment or rule of law) for health data from someone:
with parental responsibility for an individual aged under 18 (or 16 in Scotland); or
appointed by the court to manage the affairs of an individual who is incapable of managing their own affairs.
But the exemption only applies to the extent that complying with the request would disclose information that:
the individual had provided to you in the expectation that it would not be disclosed to the requester, unless the individual has since expressly indicated that they no longer have that expectation;
was obtained as part of an examination or investigation to which the individual consented in the expectation that the information would not be disclosed in this way, unless the individual has since expressly indicated that they no longer have that expectation; or
the individual has expressly indicated should not be disclosed in this way.
Is health data exempt if disclosure could cause serious harm?
Yes. You are exempt from complying with a SAR for health data to the extent that complying with the right of access would be likely to cause serious harm to the physical or mental health of any individual. This is known as the ‘serious harm test’ for health data.
You can only rely on this exemption to withhold health data if:
you are a health professional; or
within the last six months you have obtained an opinion from the appropriate health professional that the serious harm test for health data is met. Even if you have done this, you still cannot rely on the exemption if it would be reasonable in all the circumstances to re-consult the appropriate health professional.
This means that if you are not a health professional, you cannot rely on this exemption and refuse to provide the health data in response to a SAR, unless you have obtained an opinion that the serious harm test for health data is met. Bear in mind that you may also need to obtain an opinion even if you do not intend to rely on this exemption (see ‘What are the restrictions on disclosing health data?’).
The appropriate health professional is the health professional most recently responsible for the diagnosis, care or treatment of the individual. If that health professional no longer practises, you can appoint a health professional with the necessary experience and expertise to give the opinion.
If you think this exemption might apply to a SAR you have received, see paragraph 2(1) of Schedule 3, Part 2 of the DPA 2018 for full details of who is considered the appropriate health professional.
What are the restrictions on disclosing health data?
If you are not a health professional, you must not disclose health data in response to a SAR, unless:
within the last six months you have obtained an opinion from the appropriate health professional that the serious harm test for health data is not met. Even if you have done this, you must re-consult the appropriate health professional if it would be reasonable in all the circumstances; or
you are satisfied that the individual it is about has already seen, or knows about, the health data.
The individual is likely to be aware of the health data if they have provided the information to you, or it is obvious that they know about the information.
An individual obtains a note from their GP about their absence from work for a number of weeks. The individual then provides this information to their employer.
A number of years later, the individual makes a SAR to their employer for ‘all the information you hold about my absences from work.’ The GP’s note is therefore within scope of the SAR. Since the individual is already aware of this information, the employer does not need to obtain an opinion from the GP who prepared the note about whether or not the serious harm test is met.
‘Health professionals’ include registered medical practitioners, dentists and nurses. The DPA provides a full list of the types of professional that fall within the definition (see section 204 of the DPA 2018).
When you receive the SAR, you should make all reasonable efforts to obtain an opinion from the appropriate health professional as soon as possible. However, if you are unable to obtain an opinion within the time limit for responding to the request, you should withhold the health data.
You should document all the efforts you make to consult the appropriate health professional. You must be able to provide evidence of these efforts to the ICO, if asked to. In particular, you should be able to demonstrate that you have taken all reasonable steps to contact the health professional.
You should note that because of the nature of this exemption (and the potential nature of the data in question) you may not be able to tell the individual why you have extended the time limit to respond or why you have withheld the information. However, this will depend on the circumstances and in general you should be as transparent as you possibly can. Please see ‘What should we do if we refuse to comply with a request?’.
What about requests for health data from a third party?
A third party can make a SAR on behalf of an individual, provided that the third party is entitled to act on the individual’s behalf. Therefore, a solicitor may make a SAR on behalf of a client. It is the solicitor’s responsibility to provide evidence that they are entitled to make a SAR on their client’s behalf. Please see ‘Can a request be made on behalf of someone?’ for more information.
If you have a genuine concern that a solicitor (or other third party) has requested excessive information, you should contact the individual first to make them aware of your concerns. If the individual agrees, you may send the response directly to the individual rather than to the third party.
The individual may then choose to share the information with the third party after reviewing it. If you cannot contact the individual, you should provide the requested information to the third party (as long as you are satisfied that they are authorised to act on the individual’s behalf).
A SAR is not appropriate in situations where the third party’s interests are not aligned with the individual’s, for example an insurance company needing to access health data to assess a claim. In such circumstances, with an individual’s consent, an insurer can apply to an individual’s GP who may produce a tailored medical report, providing only the information the insurer needs, under the provisions of the Access to Medical Reports Act 1988 (AMRA). AMRA does not lie within the regulatory responsibilities of the ICO, but we refer to it here for completeness.
Remember that the definition of personal data only relates to living individuals, so individuals cannot use a SAR to obtain information about a deceased individual. However, a third party may be able to access this information under the Access to Health Records Act 1990 or the Access to Health Records (Northern Ireland) Order 1993.