The Outsourced DPO produced a decision tree to help DPP clients and others determine how to treat data concerning health in subject access requests. We added this to our comprehensive information governance toolkit (IGTK), which was well received by the recipients. Contact us if you would like a copy.
The Outsourced DPO recently came across this excellent article by Debbie Heywood and Vinod Bange of Taylor Wessing, which we recommend you read: https://bit.ly/2VnOgur. It sets out in simple terms the rules that apply to data concerning health when it is requested under a subject access request (SAR).
To recap: for those of us who are not health professionals, there is a restriction on disclosing data concerning health in response to a SAR. Such data must not be disclosed unless either (a) you are satisfied that the individual has already seen, or already knows about, the information, or (b) you have obtained, within the six months preceding the request, an opinion from an appropriate health professional that the serious harm test is not met.
The default position for the majority of us is therefore not to disclose data concerning health. Different rules apply to health professionals. Naturally, for accountability purposes you need to document the details of how you handled the request: who you contacted about the serious harm test and what they said, and how you reached any conclusion that the requester has already seen or knows about the information requested.
In speaking with a number of data protection officers, it seems that not many people know about this restriction or how to work with it. That is why the Outsourced DPO suggests this is recommended reading.