SARs requesting health data – exemptions and restrictions

Privacy issues around health data have come into sharp relief during the COVID-19 pandemic. From test and trace apps, to vaccine trials, to data around infection rates, symptoms, treatments and outcomes, health data and the way it is handled, have never been more important.

Health data is given special protection under the GDPR and the UK's Data Protection Act 2018 (DPA18). This includes exemptions to and restrictions on the right of access – the right, under the GDPR, for individuals to obtain certain information in relation to the data a controller is processing about them.

A brief reminder about SARs

What is the right of access?

The right of access, or more commonly, subject access, is the right of individuals to obtain a copy of the personal data an organisation holds about them, together with associated information including:

• the purposes of processing
• the categories of data being processed
• who the data is being disclosed to, including whether to recipients in third countries or international organisations and related safeguards to protect the transferred data
• how long the data will be stored or, if that's not available, the criteria on which the storage period will be determined
• the existence of related rights including rectification and erasure and to make a complaint
• information about the source of the data if it's not collected directly from the individual
• the existence of any automated decision-making including profiling together with information about the logic involved and the significance and consequences of the processing.

What is a subject access request?

A subject access request (SAR), also known as a Data Subject Access Request (DSAR), is the request made by an individual to exercise the right of access. It doesn't have to be in any prescribed form, and subject to certain requirements, can even be made by a third party on the data subject's behalf.

Responding to a SAR

There are set rules about the time in which you need to respond to a SAR – initially one month which is extendable by two months where the request is complex or you have received a number of requests from the individual. You may also seek clarification about the request where it is genuinely required and you process a large amount of information about the individual.

Exemptions

There are also some limited exemptions from the requirement to comply with a SAR where the request is manifestly unfounded or manifestly excessive. Where responding to a request would involve disclosing personal data which identifies another individual, you don't need to comply unless the individual has consented to the disclosure or it is reasonable to comply with the request without the individual's consent. There are also limited sector-specific exemptions set out in the GDPR and DPA18.

For more on SARs, see here.

What's special about health data?

Health data is, for obvious reasons, particularly sensitive. Its classification as special data under the GDPR means it attracts additional protections across a number of areas and that includes in relation to SARs. The ICO recently published guidance on responding to SARs which goes into more detail about how to handle a SAR involving health data.

Health data is defined in, to all intents and purposes, the same way in the GDPR and the DPA18 as "personal data relating to the physical or mental health of an individual, including the provision of health care services which reveals information about their health status" (DPA18).

The standard exemptions to responding to a SAR relating to health data apply (although information identifying a health professional acting as such should not normally be withheld even though they are a third party). There are, however, further exemptions which may apply, which are set out largely in Schedule 3, Part 2 of the DPA18.

Health data processed by a court

Under Paragraph 3, Part 2 of Schedule 3 DPA18, there's an exemption from the right of access for health data where it's:

• processed by a court
• supplied in a report or given to the court as evidence in the course of proceedings, and
• certain specific rules apply to those proceedings that allow the withholding of the data from the individual it relates to.

Disclosure would go against individual's wishes

If a SAR relating to health data is made by someone with parental responsibility for an individual under 18 (or 16 in Scotland) or by someone appointed by the court to manage the affairs of an individual incapable of managing them themselves, there is a limited exemption. It applies only to the extent that complying with the SAR would disclose information that:

• the individual provided in the expectation it would not be disclosed to the requester (unless they have expressly indicated since that they no longer have that expectation)
• was obtained as part of an examination or investigation to which the individual consented in the expectation that the information would not be disclosed in this way (unless they have since indicated they no longer have that expectation), or
• the individual has expressly indicated the information should not be disclosed in this way.

Disclosure could cause serious harm

If you're a health professional, you're exempt from complying with a SAR relating to health data to the extent that to do so would be likely to cause serious harm to the physical or mental health of any individual (not just the individual to whom the data relates). Health professionals include registered medical practitioners, dentists and nurses. A full list is set out in s204 DPA18.

You may also rely on this exemption if you aren't a health professional but, within the last six months, you've obtained an opinion from the appropriate health professional (the one most recently responsible for diagnosis, care or treatment of the individual), that the serious harm test for health data is met. This will only apply where it is reasonable in all the circumstances not to re-consult the health professional.

You are not a health professional

If you aren't a health professional, you mustn't disclose health data in response to a SAR unless:

• you've obtained an opinion from the appropriate health professional within the last six months which confirms that the serious harm test isn't met and it's not reasonable in all the circumstances to re-consult the professional, or
• you're satisfied that the individual to whom the data relates has already seen or knows about the data (for example, because they have provided it to you or it is obvious they know about it).

The ICO includes the example of a GP's note recommending a medical absence which the individual passes to their employer. That would come within the remit of a SAR asking for "all information you hold about my absences from work" because the individual is already aware of the note's contents.

If you are required to re-consult a health professional, you may consider the SAR to be complex and extend the reply period although you may not be able to tell the individual why you are extending it or why you are withholding information. Any decisions taken should be documented.

SARs made by third parties

Third parties can make SARs provided they are entitled to act on the relevant data subject's behalf, for example, a solicitor may make a SAR on behalf of a client.

However, care should be taken when considering third party SARs. If you're concerned that a third party request is excessive, or for example, you have a question over the robustness of the authority given by the data subject to the third party, then you should contact the individual data subject first if possible and send the information to them in order for them to pass it on to the requester if they choose. If you can't contact the individual, you should respond to the SAR as long as you are satisfied the third party is authorised to act on behalf of the individual.

Valid SARs cannot be made by third parties whose interests may conflict with the individual's, for example, an insurance company needing to access health data to assess a claim. They can only be made in relation to the personal data of a living individual.

Remember to be transparent and to document compliance

Remember that it's not just Article 15 GDPR and the relevant sections of the DPA18 which apply when dealing with SARs. It's particularly important to apply the data protection principles of transparency and to be able to demonstrate your decision making process. This will involve having detailed policies in place about how to respond to SARs and how to assess when and whether exemptions apply.

Practice makes perfect!

Keep in mind that SARs can be quite broad in terms of the information they request and can stray well beyond the simplistic and often convenient organisational structure of the data you hold. They often go beyond requiring you to search easily accessible 'records held in a file' and can become complex when the data requested is held in opinions and emails.

Don't underestimate the time and resource required for the 'search and sort' aspect of the more complex SAR; it's not unusual for an email search to involve outputs of thousands of emails. SARs compliance should, in practice, include road-testing exercises to see how well (or not!) your organisation can retrieve data, apply exemptions and provide a copy within the required time frames. A test exercise should lean on the record of processing activity to make sure the test is as rigorous as possible in order to best prepare the organisation.

Lack of SARs readiness can make handling a broad yet perfectly legitimate request much more complex. It can also lead to an inaccurate assessment that the request is excessive, when, in fact, the apparent complexity may be due to lack of readiness to provide an efficient search and response. Lack of transparency (as mentioned above) or lacking the ability to robustly explain decisions for the output can also create risk that could be avoided or certainly minimised with preparation.