The Data Protection Act 2018 (Section 60(6)) (Health) Regulations 2022 (2022 Regulations) commenced on Tuesday 8 March 2022. The 2022 Regulations repeal and replace the Data Protection (Access Modification) (Health) Regulations 1989 (1989 Regulations). The new legislation has a significant impact on organizations (acting as data controllers) that process health data about individuals and receive data subject access requests (DSARs) from those individuals under Article 15 of the General Data Protection Regulation (GDPR).
Under the 1989 Regulations, any health data controller that was not a health service provider (e.g. an insurance company) was obliged, on receipt of a DSAR, to consult a healthcare practitioner (e.g. a general practitioner) before providing (or arranging) access to the health data by the data subject. Under the 2022 Regulations, it is for the data controller to decide whether or not to consult a healthcare professional, subject to certain preconditions being met.
Health data & DSARs: pre-2022 Regulations
The Data Protection Acts 1988 to 2018 (DP Acts) and the GDPR establish a limited number of exceptions under which a controller responding to a DSAR may restrict an individual's right of access to their personal data. One such exception is Section 60(5)(1)(a)(i) of the DP Acts, which provides that the Minister may apply restrictions to an individual's right of access to their personal data where the exercise of that right "could seriously damage the physical or mental health of the person concerned."
The 1989 Regulations gave effect to this exception, so that health data could be withheld from a DSAR response where, in the opinion of the "appropriate health professional" (within the meaning of the Medical Practitioners Act 1978), granting access to the health data would be likely to cause serious harm to the individual's physical or mental health. The 1989 Regulations created a long-standing practice in DSAR responses whereby controllers were required to consult healthcare practitioners and to ensure that individuals obtained access to their health data through those practitioners.
Health data & DSARs: 2022 Regulations
The 2022 Regulations introduce several key changes for controllers and individuals in the context of DSARs to which the "serious harm" exemption applies. The key changes are as follows:
1. New discretion for organizations to rely on the "serious harm" exemption
Regulation 7 of the 2022 Regulations introduces a new discretion for controllers that are not health service providers to rely on the "serious harm" exemption in their own capacity, without any obligation to consult a GP (or other healthcare professional). It provides:
“When a controller –
(a) is a person other than a health service provider, and (b) has reasonable grounds to believe that granting the data subject access to the health data concerned would be likely to cause serious harm to the physical or mental health of the data subject,
the controller may decide not to provide the data subject with the personal data concerned.”
This means that it is no longer mandatory for a data controller to consult a healthcare professional before deciding whether to provide access to an individual's health data when responding to a DSAR.
2. Consultation with a healthcare professional must apply data minimization and pseudonymization
Regulation 8 of the 2022 Regulations provides that a controller "may consult a health professional ... before taking the decision whether or not to provide the data subject with the personal data concerned". Where a data controller does consult a healthcare professional, Regulation 8 requires:
- compliance with the GDPR's data minimization principle, by requiring the controller to share the individual's health data only to the extent "necessary" for the healthcare professional to advise on the data subject;
- the data controller to share the health data in pseudonymized form only; and
- the healthcare professional to give written notice to the data controller where the healthcare professional recommends that the health data concerned not be disclosed.
3. "Necessary and proportionate"
Under Regulation 4 of the 2022 Regulations, any withholding of health data from a DSAR response by a controller must be only "to the extent necessary and proportionate" and for as long as is "only necessary to protect the health of the data subject".
4. Keeping withheld health data available
Where health data is withheld from a DSAR response, Regulation 9 of the 2022 Regulations requires the controller to notify the individual (where the individual so requests) that the controller will provide access to the data to a healthcare professional nominated by the individual, and to keep the data concerned available for that purpose.
Key impact for DSARs
The introduction of the 2022 Regulations will be welcomed by organizations and individuals alike in the context of DSARs, as it should enable greater speed and transparency in responding to DSARs concerning health data.
For any DSAR response, the position remains that a data controller relying on the 2022 Regulations to withhold health data must carefully examine the "serious harm" exemption and clearly document the objective analysis applied, so as to demonstrate compliance with the GDPR, the DP Acts and the 2022 Regulations.