Health data and subject access requests: important changes under the Data Protection Act 2018




The Data Protection (Access Amendment) Act 2018 (Health) Regulations 2022 (2022 Regulations) came into operation on Tuesday 8 March 2022. The 2022 Regulations repeal and replace the Data Protection (Access Amendment) (Health) Regulations 1989 (1989 Regulations). This new legislation has a significant impact on organizations (acting as data controllers) that process health data about individuals and receive data subject access requests (DSARs) from those individuals under Article 15 of the General Data Protection Regulation (GDPR).

Under the 1989 Regulations, any controller of health data who was not a health service provider (e.g. an insurance company) was required, on receipt of a DSAR, to consult a healthcare practitioner (e.g. a general practitioner) before providing (or arranging) access to that data for the data subject. Under the 2022 Regulations, it is at the data controller’s discretion whether or not to consult a healthcare professional, subject to certain preconditions being met.

Health data & DSAR: Pre-2022 regulations

The Data Protection Acts 1988 to 2018 (DP Acts) and the GDPR establish a limited number of exceptions under which a controller responding to a DSAR may restrict an individual’s right of access to their personal data. One such exception is Section 60(5)(1)(a)(i) of the DP Acts, which provides that a Minister may restrict an individual’s right to access their personal data where the exercise of that right “could seriously damage the physical or mental health of the person concerned.”

The 1989 Regulations gave effect to this exception, so that health data could be withheld from a DSAR response where, in the opinion of the “appropriate healthcare professional” (within the meaning of the Medical Practitioners Act 1978), granting access to the health data would be likely to cause serious harm to the individual’s physical or mental health. The 1989 Regulations created a long-standing practice in DSAR responses whereby controllers were required to consult healthcare practitioners and to ensure that individuals obtained access to their health data through a healthcare practitioner.

Health data & DSAR: 2022 regulations

The 2022 Regulations introduce several key changes for controllers and individuals in the context of DSARs where the “serious harm” exemption applies. The headline changes are as follows:

1. New discretion for organizations to rely on the “serious harm” exemption

Regulation 7 of the 2022 Regulations introduces a new discretion for controllers who are not health service providers to rely on the “serious harm” exemption in their own right, without any obligation to consult a GP (or other healthcare professional). It provides:

“When a controller –

(a) is a person other than a health service provider, and

(b) has reasonable grounds to believe that granting the data subject access to the relevant health data would be likely to seriously damage the physical or mental health of the data subject,

the controller may decide not to provide the data subject with the personal data concerned.”

This means that it is no longer mandatory for a data controller to consult a healthcare professional before deciding whether to provide access to an individual’s health data when responding to a DSAR.

2. Consultation with a healthcare professional must apply data minimization and pseudonymization

Regulation 8 of the 2022 Regulations provides that a controller “may consult a healthcare professional … before making a decision whether or not to provide the data subject with the personal data concerned”. Where a data controller consults a healthcare professional, Regulation 8 requires:

  • compliance with the GDPR’s data minimization principle, by requiring a controller to share an individual’s health data only to the extent “necessary” for the healthcare professional to advise on the data subject;

  • a data controller to only share health data in pseudonymised form; and

  • a healthcare practitioner to give written notice to the relevant data controller where the healthcare practitioner recommends that the relevant health data not be disclosed.

3. “Necessary and proportionate”

Under Regulation 4 of the 2022 Regulations, any withholding of health data from a DSAR response by a controller must be only “to the extent necessary and proportionate” and for as long as is “only necessary to protect the health of the data subject”.

4. Keeping withheld health data available

Where health data is withheld from a DSAR response, Regulation 9 of the 2022 Regulations requires the controller to notify the individual (if the individual so requests) that the controller will provide access to the data to a healthcare professional nominated by the individual, and to keep the data concerned available for that purpose.

Key impact for DSARs

The introduction of the 2022 Regulations will be welcomed by organizations and individuals in the context of DSARs, as it will enable greater speed and transparency in responding to DSARs regarding health data.

For any response to a DSAR, the fact remains that, in order to withhold health data, data controllers relying on the 2022 Regulations must carefully consider the “serious harm” exemption and clearly document the objective analysis applied, so as to ensure compliance with the GDPR, the DP Acts and the 2022 Regulations.

Contributed by Jordie Sattar and Rachel Hayes

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.
