S.I. No. 121/2022 - Data Protection Act 2018 (Access Modification) (Health) Regulations 2022
Notice of the making of this Statutory Instrument was published in | ||
“Iris Oifigiúil” of 15th March, 2022. | ||
I, STEPHEN DONNELLY, Minister for Health, in exercise of the powers conferred on me by section 60 (5)(a) of the Data Protection Act 2018 (No. 7 of 2018), and after consultation with the Minister for Justice, the Minister for Children, Equality, Disability, Integration and Youth and the Data Protection Commission, hereby make the following regulations, with respect to which, pursuant to section 6(5) of that Act, a draft has been laid before each House of the Oireachtas and a resolution approving the draft has been passed by each such House: | ||
1. These Regulations may be cited as the Data Protection Act 2018 (Access Modification) (Health) Regulations 2022. | ||
2. The Data Protection (Access Modification) (Health) Regulations 1989 ( S.I. No. 82 of 1989 ) are revoked. | ||
3. In these Regulations – | ||
“Act of 2014” means the Health Identifiers Act 2014 (No. 15 of 2014); | ||
“care” includes examination, investigation and diagnosis; | ||
“Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 20161 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); | ||
“health data” means personal data relating to physical or mental health; | ||
“health practitioner” has the same meaning as it has in section 2 of the Act of 2014; | ||
“health services provider” has the same meaning as it has in section 2 of the Act of 2014. | ||
4. The application of the right of access under Article 15 of the Data Protection Regulation may, in accordance with Regulation 6 or 7, be restricted in relation to health data of the data subject but only – | ||
(a) to the extent that is necessary and proportionate, and | ||
(b) for as long as necessary only to protect the health of the data subject. | ||
5. Nothing in these Regulations shall operate to excuse a controller from granting access to a data subject to so much of the information sought in relation to the health data concerned as may be granted without causing serious harm to the physical or mental health of the data subject. | ||
6. Where a controller – | ||
(a) is a health services provider, and | ||
(b) has reasonable grounds for believing that granting access to the data subject to the health data concerned would be likely to cause serious harm to the physical or mental health of the data subject, | ||
the controller may decide not to provide the data subject with the personal data concerned. | ||
7. Where a controller – | ||
(a) is a person other than a health services provider, and | ||
(b) has reasonable grounds for believing that granting access to the health data concerned would be likely to cause serious harm to the physical or mental health of the data subject, | ||
the controller may decide not to provide the data subject with the personal data concerned. | ||
8. (1) Where a controller referred to in Regulation 7 has the reasonable grounds referred to in subparagraph (b) of that Regulation, he or she may consult with a health practitioner who has experience and qualifications to advise on the subject matter of the data before making a decision on whether or not to provide the data subject with the personal data concerned. | ||
(2) Where a controller consults with a health practitioner under paragraph (1), the controller shall provide to that health practitioner only so much of the data subject’s health data as is necessary for the health practitioner to advise on the subject matter of the data. | ||
(3) For the purposes of the consultation referred to in paragraph (1), the health data to be provided under paragraph (2) shall be provided to the health practitioner in pseudonymised form. | ||
(4) Any advice provided by a health practitioner consulted under paragraph (1) which recommends withholding some or all of the health data concerned shall be provided in writing to the controller concerned. | ||
9. Where, pursuant to Regulation 6 or 7, a controller does not provide health data to the data subject, the controller shall – | ||
(a) advise the data subject that, if the data subject so requests, the controller shall offer access to the data concerned, and keep it available for that purpose, to such health practitioner having experience and qualifications in the subject matter of the data as the data subject may specify, and | ||
(b) offer access to the data concerned to such health practitioner as referred to in subparagraph (a), and keep it available for that purpose. | ||
| ||
GIVEN under my Official Seal, | ||
10 March, 2022. | ||
STEPHEN DONNELLY, | ||
Minister for Health. | ||
EXPLANATORY NOTE | ||
(This note is not part of the Instrument and does not purport to be a legal interpretation) | ||
These Regulations are made under section 60(5) of the Data Protection Act 2018 after consultation with the Data Protection Commission. In accordance with the provision in the Act, the Regulations regulate subject access to health data where the application of that right would be likely to cause serious harm to the physical or mental health of the data subject but only to the extent to which, and only for as long as, such application would be likely to cause such harm. They replace the Regulations made in this area in 1989. | ||
