Ireland: Employers can now process Data Subject Access Requests without advice of health service providers

On 8 March 2022, The Data Protection Act 2018 (Access Modification) (Health) Regulations 2022 (“the 2022 Regulations”) came into force, revoking and replacing the Data Protection (Access Modification) (Health) Regulations 1989 (the “1989 Regulations”). The new 2022 Regulations will have an impact on organisations that process health data (i.e. physical and mental health data) and receive data subject access requests (“DSARs”) from individuals invoking their data protection rights under Article 15 GDPR. Where health data are requested pursuant to a data subject access request (“DSAR”), non-health care providers will now be able to process the DSAR without the added requirement to seek advice and consult with a health practitioner in each instance.

The 2022 Regulations place certain restrictions on an individual’s right to access personal data, but only:

(a)           to the extent that is necessary and proportionate, and

(b)           for as long as necessary only to protect the health of the individual.

Summary of Key Changes

  • Controllers now have discretion to determine whether providing health data may result in serious harm
    • Under the now replaced rules, and in keeping with the Data Protection Act 2018, there was an exception to the right of access to personal data where the application of that right “would be likely to cause serious harm to the physical or mental health of the data subject”. This meant that health data could be withheld in such cases where such access would likely lead to serious harm to mental or physical health of the individual recipient, where that was the opinion of a health professional (as defined in the Medical Practitioners Act 1978). Regulation 6 & 7 of the 2022 Regulations removes the requirement to consult a health professional to determine whether serious harm might be caused, leaving this to the discretion of the individual controller.
    • Under the new rules, regardless of whether the controller is a health service provider or not, where the controller “has reasonable grounds for believing that granting access to the health data concerned would be likely to cause serious harm to the physical or mental health of the data subject”, the controller may decide not to provide the data to the individual (Regulations 6 & 7 of the 2022 Regulations).
    • From an employment law perspective, where an employee has made a request to access their personal data, under the new rules, the employer can take the decision themselves, without the obligation to consult with an appropriate medical practitioner, not to disclose certain health data where the employer reasonably believes such disclosure would likely cause serious harm to the employee. The new rules do not, of course, prevent an employer from getting an appropriate medical opinion prior to such disclosure and, in some instances, this would still be the recommended approach.
    • Importantly, the 2022 Regulations make it clear that these new rules shall not “operate to excuse a controller from granting access to a data subject” to the extent health data may be provided without causing serious harm to the mental or physical health of the individual (Regulation 5 of the 2022 Regulations).
  • Controllers may still consult health professionals in the context of DSARs
    • Although the new regulations introduce a level of autonomy for controllers, there is still the option to consult with a health practitioner “who has experience and qualifications to advise on the subject matter of the data before making a decision on whether or not to provide the data subject with the personal data concerned“. (Regulation 8 of the 2022 Regulations). When doing so, however, Regulation 8 sets out requirements around data minimisation and data security. When consulting a health practitioner:
      • the controller must share the minimum health data to allow the health practitioner to advise on the subject matter of the data, i.e. necessary data only;
      • health data must be pseudonymised when sharing; and
      • where the advice is to withhold health data, this must be provided to the controller in writing.
    • Controllers must comply with obligations where health data are withheld
      • Where any health data are withheld from a DSAR response, the controller must:
        • inform the individual that they can request that their health data is made available to an appropriate medical practitioner; and
        • the health data can be kept available for this purpose (Regulation 9 of the 2022 Regulations).

The key takeaway from the new regulations is that non-health care providers will be able to deal with DSARs more easily, without the added requirement to seek advice and consult with a health practitioner in each instance where health data are requested pursuant to a DSAR.

Given this new, wider discretion of the controller, it remains important to record and document considerations, particularly the analysis of the “serious harm” exemption, and the rationale for concluding that health data should be withheld, placing a limitation on the right of access under data protection laws. This is particularly important for employers, especially where the employee DSAR has been submitted as part of, or as a pre-curser to, employment related litigation.

For further information and advice, please get in touch with dataprivacy@dlapiper.com or your usual DLA Piper contact.

#GlobalPracticalPrivacy