Skip to main content
Hafan

Health information

Contents

In more detail

What is health information?

The DPA defines information concerning health as personal information about the physical or mental health of a person, including the provision of health care services, which reveals information about their health status.

Can we charge a fee for providing access to health information?

In general, you cannot charge a fee to comply with a SAR for health information. However, if a request is manifestly unfounded or excessive, you may charge a fee to respond. For more information about when you can charge a fee, see Can we charge a fee?

Is health information ever exempt from the right of access?

The exemptions and restrictions that apply to other types of personal information also apply to personal information concerning health. For example, if health information contains personal information about someone other than the requester (such as a family member), you must consider the rules about third-party information before disclosing it to the requester.

It’s normally reasonable to disclose information that identifies a health professional (eg a doctor, dentist or nurse) carrying out their duties if the information meets the appropriate test. See Exemptions: can we refuse a SAR if it involves information about other people? for more information.

Some further exemptions and restrictions also apply to health information. In particular, there is a restriction that prevents you from disclosing information that may cause serious harm.

These exemptions and restrictions are explained in detail in the following sections.

Is there an exemption for health information processed by the courts?

Yes. There is an exemption from the right of access for health information if:

  • it is processed by a court;
  • it is supplied in a report or given to the court as evidence in the course of proceedings where specific court rules apply; and
  • in accordance with these specific court rules, the court may withhold the person’s information in whole or in part.

The specific court rules which may apply are:

  • the Magistrates’ Courts (Children and Young Persons) Rules (Northern Ireland) 1969;
  • the Magistrates’ Courts (Children and Young Persons) Rules 1992;
  • the Family Proceedings Rules (Northern Ireland) 1996;
  • the Magistrates’ Courts (Children (Northern Ireland) Order 1995) Rules (Northern Ireland) 1996;
  • the Act of Sederunt (Child Care and Maintenance) Rules 1997;
  • the Sheriff Court Adoption Rules 2009;
  • the Family Procedure Rules 2010; or
  • the Children’s Hearings (Scotland) Act 2011 (Rules of Procedure in Children’s Hearings) Rules 2013.

Is health information exempt if disclosure goes against a person's expectations and wishes?

Yes. There is an exemption from the right of access if you receive a request (in exercise of a power conferred by an enactment or rule of law) for health information from someone who:

  • has parental responsibility for a person aged under 18 (or 16 in Scotland); or
  • is appointed by the court to manage the affairs of a person who is incapable of managing their own affairs.

But the exemption only applies to the extent that complying with the request would disclose information that the person:

  • provided to you in the expectation that it would not be disclosed to the requester (unless they have since expressly indicated that they no longer have that expectation);
  • consented to provide as part of an examination or investigation in the expectation that the information would not be disclosed in this way (unless they have since expressly indicated that they no longer have that expectation); or
  • has expressly indicated cannot be disclosed in this way.

Is health information exempt if disclosure may cause serious harm?

Yes. You are exempt from complying with a SAR for health information to the extent that complying with the right of access would likely cause serious harm to the physical or mental health of any person. This is known as the ‘serious harm test’ for health information.

You can only rely on this exemption to withhold health information if:

  • you are a health professional; or
  • you are not a health professional but, within the last six months, you have obtained an opinion from the appropriate health professional that the serious harm test applies (even if you have done this, you still cannot rely on the exemption if it would be reasonable to reconsult the appropriate health professional).

The appropriate health professional is the health professional currently or most recently responsible for the diagnosis, care or treatment of the person in connection with the matter in question. If there is more than one responsible health professional, it means the one who is most suitable to provide an opinion on the matter. If there is no such health professional available, you can appoint a health professional with the necessary experience and qualifications.

See paragraph 2(1) of schedule 3 of the DPA for full details of who is considered the appropriate health professional.

If you are not a health professional, you can only disclose health information in specific circumstances. See the next section, What are the restrictions on disclosing health information?, if you intend to disclose health information.

What are the restrictions on disclosing health information?

If you are not a health professional, you must not disclose health information in response to a SAR unless:

  • you are satisfied that the person it is about has already seen, or knows about, the health information; or
  • within the last six months you have obtained an opinion from the appropriate health professional that the serious harm test for health information is not met. Even if you have done this, you must reconsult the appropriate health professional if it would be reasonable to do so.

Example

A person obtains a note from their GP about their absence from work for a number of weeks. The person then provides this information to their employer.

Some years later, the person makes a SAR to their employer for “all the information you hold about my absences from work”. The GP’s note is therefore within the scope of the SAR. Since the person is already aware of this information, the employer does not need to obtain an opinion from the GP who prepared the note about whether the serious harm test is met.

Health professionals include, for example, registered medical practitioners, dentists and nurses. Section 204 of the DPA gives a full list of the types of professionals that fall within the definition.

If you need to consult with an appropriate health professional in this context, you could consider the request to be complex. If so, you can extend the time limit to respond by a further two months. See When is a request complex? and Can we extend the time limit for a response? for further information.

When you receive a SAR that relates to health information, you should make all reasonable efforts to obtain an opinion from the appropriate health professional as soon as possible. If you are unable to obtain an opinion within the time limit for responding to the request, you must withhold the health information.

You should document all the efforts you make to consult with the appropriate health professional. You should be able to provide evidence of your efforts to the ICO, if asked to. In particular, you should be able to show that you have made all reasonable steps to contact the health professional.

Because of the nature of this exemption (and the potential nature of the information in question), you may not be able to tell the person why you have extended the time limit to respond or why you have withheld the information. This will depend on the circumstances and the nature of the requested information. In general, you should be as transparent as possible. See What do we need to do if we refuse to comply with a request?

What about requests for health information from a third party?

A third party can make a SAR on behalf of a person, as long as they are entitled to act on the person’s behalf. For example, a solicitor may make a SAR on behalf of a client. The third party is responsible for providing you with evidence of this. See Can a request be made on behalf of someone else? for more information.

If you have a genuine concern that the third party has requested excessive information, or you have reasonable grounds to believe that the person whom the information is about does not understand how much information will be disclosed to the third party, you could contact the person first to make them aware of your concerns. If the person agrees, you could send the response directly to the person rather than to the third party. The person may then choose to share the information with the third party after reviewing it.

If you are unable to contact the person, you should provide the requested information to the third party (if you are satisfied that they are authorised to act on the person’s behalf). If the person has specifically asked that you do not contact them directly, then you should only correspond with the third party authorised to act on their behalf.

A SAR is not appropriate in situations where the third party’s interests are not aligned with the person the information is about — for example, an insurance company needing to access health information to assess a claim. In such circumstances, if a person consents, an insurer can apply to the person’s GP, who may produce a tailored medical report, providing only the information the insurer needs, under the provisions of the Access to Medical Reports Act 1988 (AMRA). The AMRA does not lie within our remit, but we refer to it here for completeness.

Remember that the definition of personal information only relates to a living person, so a SAR cannot be used to obtain information about a deceased person. In certain circumstances, a third party may be able to access this information under the Access to Health Records Act 1990 or the Access to Health Records (Northern Ireland) Order 1993.