Managing Subject Access Requests in Health and Care

Applying the 'serious harm - health' exemption


It is important to remember that the harm exemption is time limited.

This article relates only to subject access requests (SARs) made under UK GDPR and the Data Protection Act 2018. It does not cover disclosures made under court orders, police investigations, safeguarding processes, litigation, insurance requests, statutory powers, or any other legal basis for sharing information. A SAR is a request by an individual, or someone legally authorised to act on their behalf, for access to the personal data an organisation already holds about them.

The Serious Harm Exemption


What is the serious harm exemption?

People generally have the right to access their own health records through a subject access request (SAR). However, there are limited circumstances where some or all of the information may be withheld and one of those is the serious harm exemption.


For health records, information does not have to be disclosed if doing so would be likely to cause serious harm to the physical or mental health of the requester or another individual.


This is a high threshold, and it must be met for withholding personal data to be lawful.


What does "serious harm" actually mean?

The ICO makes it clear that the exemption is intended for exceptional circumstances.


It is not enough that disclosure might:

  • upset someone;

  • cause embarrassment;

  • damage a relationship;

  • make someone angry;

  • reveal inappropriate or tone-deaf notes in the record;

  • result in a complaint.


Instead, there should be a genuine likelihood of serious physical or psychological harm.


Examples where the exemption may apply

| Example | Likely approach | Why |
|---|---|---|
| Psychiatrist believes reading the notes is likely to trigger a psychotic relapse. | Consider withholding relevant information. | Serious deterioration in mental health. |
| Patient is experiencing an acute suicidal crisis and disclosure would significantly increase immediate risk. | Consider withholding relevant information. | Serious physical harm. |
| Disclosure would reveal the location of a victim of domestic abuse to an abusive partner. | Consider withholding relevant information. | Serious risk to another individual. |
| Safeguarding records identify information that would place a child at immediate risk if disclosed. | Consider withholding relevant information. | Serious harm to another person. |


Examples where the exemption is unlikely to apply

| Example | Likely approach | Why |
|---|---|---|
| The patient will be upset by the information. | Usually disclose. | Distress alone is not serious harm. |
| The patient disagrees with the clinician's opinion. | Disclose. | The right of access still applies. |
| The patient may make a complaint after reading the records. | Disclose. | Complaints are not serious harm. |
| The patient may be embarrassed by what they previously disclosed. | Usually disclose. | Embarrassment does not meet the threshold. |
| We are unsure if they know the information (for example adoption or childhood abuse). | Usually disclose unless another exemption applies. | Being unaware does not meet the threshold. |



Who decides?

The decision should normally be based on clinical judgement.

If a GP practice believes the exemption may apply, it is good practice for an appropriate clinician to review the records and explain why disclosure would be likely to cause serious harm.

The decision should be documented so the organisation can demonstrate how it reached its conclusion if challenged.


We know that the SAR process is normally managed by administrative teams. To support your work, make sure that the clinician gives you a documented reason covering both:

  1. why the harm is considered likely, not merely possible;

  2. why the harm is considered serious, not merely upsetting.


Common mistakes

  • Assuming that distress is enough.

  • Withholding an entire record when only one paragraph presents a risk.

  • Applying the exemption because the requester is likely to complain.

  • Failing to document the reasons for the decision.

  • Assuming historical psychiatric diagnoses automatically justify withholding records.



The exemption isn't permanent.

It is important to remember that the harm exemption is time limited.


For example: a patient is experiencing an acute psychotic episode, and disclosure today is likely to cause serious harm.


Six months later, following treatment and recovery, that same information may no longer meet the exemption. Organisations should assess the risk at the time of the request rather than assuming information can be withheld indefinitely.



Automatic redaction software

Many organisations use software to identify potential third-party information. These systems can save considerable time, particularly when reviewing large records.


However, they should be viewed as decision-support tools, not decision-makers.


Most systems identify names, dates of birth, addresses, NHS numbers and other identifiers. They cannot apply the legal balancing exercise required by UK GDPR.


As a result, some systems redact every reference to another individual, even where there is no legal reason to do so.


This can lead to unnecessary redaction of:

  • healthcare professionals acting in their professional capacity;

  • teachers or social workers carrying out their official duties;

  • parents providing information during consultations;

  • information that provides important context to the requester's own personal data.


Over-redaction may result in the requester receiving less information than they are entitled to by law, reduce transparency and increase complaints.
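An added example (not code from the article or from any redaction product) of the distinction above: a decision-support pass that flags candidate identifiers in a constructed consultation note and puts a question to the reviewer, beside the blanket redaction the article warns against. The NHS number modulus-11 check digit is the real rule; the title-based pattern for professionals, the sample note and the NHS number in it are assumptions.

```python
import re
from dataclasses import dataclass

# Patterns for the kinds of identifier the article says such tools look for.
NHS_NUMBER_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b")
DATE_RE = re.compile(r"\b\d{2}/\d{2}/\d{4}\b")
# Assumed title-based pattern for staff acting in a professional capacity.
PROFESSIONAL_RE = re.compile(r"\b(?:Dr|Nurse|HV)\s+[A-Z][a-z]+")


def valid_nhs_number(digits: str) -> bool:
    """Modulus-11 check digit used by 10-digit NHS numbers."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = (11 - total % 11) % 11  # remainder 0 gives check digit 0
    return check != 10 and check == int(digits[9])


@dataclass
class Flag:
    kind: str
    text: str
    prompt: str  # question for the human reviewer; nothing is removed here


def blanket_redact(note: str) -> str:
    """The over-redaction the article warns about: strip every match."""
    for rx in (NHS_NUMBER_RE, DATE_RE, PROFESSIONAL_RE):
        note = rx.sub("[REDACTED]", note)
    return note


def review_flags(note: str) -> list:
    """Decision-support pass: flag, classify and prompt; never redact."""
    flags = []
    for m in NHS_NUMBER_RE.finditer(note):
        if valid_nhs_number("".join(m.groups())):
            flags.append(Flag("nhs_number", m.group(0),
                              "Whose number? The requester's own data is disclosed."))
    for m in DATE_RE.finditer(note):
        flags.append(Flag("date", m.group(0),
                          "Consultation date or a third party's DOB? Only the latter needs a decision."))
    for m in PROFESSIONAL_RE.finditer(note):
        flags.append(Flag("professional", m.group(0),
                          "Acting in a professional capacity: usually disclose."))
    return flags


# Constructed sample note; the patient, clinician and NHS number are fictional.
SAMPLE_NOTE = ("Seen by Dr Patel on 14/03/2024 with patient's son present. "
               "NHS number 943 476 5919 confirmed against the record.")
```

Running `blanket_redact(SAMPLE_NOTE)` removes the GP's name and the consultation date, both of which the article lists as usually disclosable; `review_flags(SAMPLE_NOTE)` leaves the note intact and returns one prompt per candidate for a person to decide.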


Our customers can find a Redaction Decision Tree to support their work on the myKafico platform.


In our experience, working through these questions produces far more proportionate SAR responses than relying on blanket redaction rules or automated software alone.






Emma Cooper, Primary Care Data Protection Nerd