Health Data In Subject Access Requests

By Myles Dacres

A few months ago, the consulting team at DPP discussed the new guidance on subject access requests issued by the ICO, and in particular its treatment of data concerning health. The Outsourced DPO produced a decision tree to help DPP clients and others determine how to treat data concerning health in subject access requests. We added this to our comprehensive information governance tool kit (IGTK), which was well received by the recipients. Contact us if you would like a copy.

The Outsourced DPO came across this excellent article by Debbie Heywood and Vinod Bange of Taylor Wessing the other day, which we would recommend you read. It puts into simple terms the rules surrounding data concerning health when it comes to subject access requests.

To recap, there is a restriction on those of us who are not health professionals on the disclosure of data concerning health requested under a subject access request (SAR). This restriction prohibits such a disclosure unless you are satisfied that the individual has already seen or knows about the information, or unless you have obtained an opinion within the last 6 months from an appropriate health professional that the serious harm test is not met.

The default position for the majority of us is not to disclose data concerning health. Different rules apply to health professionals. Naturally, for accountability purposes you need to document all of the details of how you approach the request, such as who you contacted about the serious harm test and their response, and how you may have arrived at the conclusion that the requestor has already seen or knows about the information requested.

In speaking with a number of data protection officers, it would seem that not many people know about this restriction or how to work with it, which is why the Outsourced DPO suggests the article as recommended reading.


    We have been receiving complaints over the last few weeks from people who have received unsolicited direct marketing calls from a company called The Protection People.  We should like to point out that we are Data Protection People and have nothing to do with those calls.

    We have been advising those people who have contacted us that they should make a complaint to the Information Commissioner’s Office (ICO). It would be helpful to the ICO if you knew the number that called you, the date and time of the call and what the call seemed to be about.

    You might also want to register your phone number with the telephone preference service (TPS), a national suppression service which should cut down calls of this nature, as it is not lawful to make unsolicited direct marketing calls to numbers registered on the TPS.

    We know that these kinds of calls can be distressing and intrusive and you have our sympathy. Please do not hesitate to contact us if you would like to discuss it with us; otherwise we’d encourage you to report it to the ICO, as notifying them of this kind of practice enables them to investigate and take enforcement action where necessary.

    Data Protection People Limited – March 2021