Subject access requests and health records
The right of patients to access their personal data is not new. The GDPR made some potentially significant changes to that right including abolishing fees (in most cases) and shortening the timescale for data controllers to respond to subject access requests (SARs).
The introduction of the Data Protection Act 2018 (DPA 2018), and the associated repeals of older statutes, may also have disoriented those who were familiar with the old regime. The schedules to the DPA 2018 are not for the faint-hearted. However, the consequences of getting the response to a SAR wrong can be significant. Sometimes the problem is disclosing too much, rather than not disclosing enough. Controllers’ procedures for dealing with SARs must take account of some of the sector specific implications of the DPA 2018.
Controllers will need to be confident that the personal data are disclosed to the person to whom they relate. Where a controller has ‘reasonable doubts’ concerning the identity of the requestor the GDPR permits them to require further information. Common sense dictates that those requests should be made to confirm the requestor’s identity and avoid inappropriate disclosure.
In many cases an SAR is the means through which a patient seeks to obtain a copy of their clinical records. Those records consistent mostly, if not entirely, of special category personal data. The processing (including disclosure) of such data is prohibited by Article 9(1) save where one of the exemptions in Article 9(2) is available. The SAR is evidence of the patient’s explicit consent, although there may be circumstances which give rise to real doubts as to whether the consent was freely given (see below). Meeting an exemption in Article 9(2) is not sufficient to mandate processing, it is merely permissive. The obligation to comply with the SAR arises from Article 15. However, the obligation is subject to important qualifications.
Health records frequently contain mixed personal data. Whilst the data of the patient will predominate there will also be personal data of the clinicians who have contributed to the patient’s care. Many records will include personal data of relatives or carers. In certain specialties patients’ records may be richly biographical, psychiatry for example. This may include details of other people’s ill-health or offending. It may include biographical information relating to the patient or others, obtained from third parties, of which the patient is unaware.
Where the personal data of third parties is involved their rights must be considered before determining the scope of the disclosure. One data subject’s access rights must yield to the rights of the other data subject if the latter’s rights would be adversely affected by disclosure. Where the third party in question is a clinician who contributed to the record the controller’s task is made easier by the DPA 2018 which provides an assumption of reasonableness in relation to disclosure.
In respect of other third parties the DPA 2018 requires the controller to consider whether disclosure is reasonable. In doing so the controller is required to have regard to all the relevant circumstances, including:
- the type of information that would be disclosed,
- any duty of confidentiality owed to the other individual,
- any steps taken by the controller with a view to seeking the consent of the other individual,
- whether the other individual is capable of giving consent, and
- any express refusal of consent by the other individual.
These considerations apply where the disclosure would identify the third party as the source of information.
The ‘Serious Harm’ Test
The controller should consider whether the data has already been seen or is within the knowledge of the data subject; Where they are not satisfied that is the case they must consider whether the disclosure to the data subject ‘would be likely to cause serious harm to the physical or mental health of the data subject or another individual’. Where the data controller is not a registered healthcare professional they must obtain the opinion of an appropriate health professional that the Serious Harm Test is not met before any disclosure is made. In order to satisfy the requirements of the DPA 2018 the clinician whose opinion is obtained will usually be the principle treating clinician.
Where the Serious Harm Test is met in respect of any aspect of the data it cannot be disclosed. This is not a license for lazy paternalism. In order to determine that the serious harm test is met the appropriate healthcare professional must be able to clearly articulate their reasoning.
Disclosure does not automatically follow a decision that the Serious Harm Test is not met. The controller must still take account of the other qualifications on the right to access.
The data subject’s expectations
In the majority of SARs the data subject’s expectations with respect to the disclosure will be clear. However, where the SAR is made by a person with parental responsibility in respect of a person under 18 years old, or by a person appointed by a court to manage the affairs of a data subject who is incapable of managing their own affairs, the data subject’s previously expressed wishes with respect to disclosure, whether expressed, or implied from the circumstances in which the data was collected, will need to be considered by the controller. There should be no disclosure to the requestor if that would be contrary to the data subject’s express or implied expectations.
‘Enforced’ subject access requests
Controllers should be alert for circumstances which ought to put them on notice of a potential abuse of the data subjects’ rights. A particularly relevant example in the healthcare sector is where insurance companies present subject access requests, authorised by the patient, to a GP practice requesting that a copy of the patient’s records be provided to the insurer. For insurers this may be seen as a means of obtaining relevant information whilst avoiding paying a fee to the practice for an insurance report. The patient may not understand that the information provided in response to an SAR may be more extensive than that which would be set out in an insurance report.
For example, a long-standing concordat and moratorium between the ABI and the UK Government protects patients from disclosure of predictive genetic test results and negative sexual health screening. The practice of insurance companies submitting SARs in this way was strongly deprecated by the ICO in 2015. It is a practice which is contrary to existing agreements between the ABI and BMA. However, the ICO has seen the need to revisit the issue with the insurance industry in recent months. The BMA’s updated guidance is that practitioners should make the requested disclosure to the patient directly.
The Access to Medical Records Act 1988 sets out a mechanism for the provision of medical reports for insurance and employment purposes with safeguards for the data subject.
In a troubling development Pulse has published a report in respect of the use of SARs to establish whether patients are ‘medically safe’ to hold a firearms licence.
Other DPA 2018 exemptions
The Data Protection Act 2018 provides a range of other exemptions for controllers which may occasionally be of relevance. For example, where disclosure would result in self-incrimination the controller ‘need not comply’ with the subject access request. As the compliance requirement falls on the controller it is the controller’s right against self-incrimination, rather than that of say an employee’s. If a controller were to rely on this exemption they would need to carefully consider how any response to the data subject is framed.
Responding to SARs should never be a case of simply ‘print and send’. Unsurprisingly, there are particular complexities in the context of SARs in healthcare. Controllers in the healthcare sector must ensure that the complex nature of the decision making which may be involved is reflected in their internal procedures and that sign off prior to disclosure rests with a suitably trained member of staff. The specific provisions relating to health records may also be relevant for non-health sector controllers who happen to process health records e.g a controller in the insurance or claims sector.
 GDPR Article 12(6)
 Which meet the definition of ‘Health Record’ in s.206 of DPA 2018
 Exercising legal rights.
 GDPR Article 15(4). This requires an exercise of judgment on the part of the controller
 That assumption must be treated with some caution.
 Schedule 3 Part 2 Para 2(2)
 As defined in Schedule 3 Part 2 paragraph 2
 Schedule 2 Part 4 paragraph 20
This briefing is for guidance purposes only. RadcliffesLeBrasseur LLP accepts no responsibility or liability whatsoever for any action taken or not taken in relation to this note and recommends that appropriate legal advice be taken having regard to a client's own particular circumstances.