Guide to Data Protection Act for Data Controllers



What is exempted?

This exemption applies to personal data the release of which could reasonably cause mental or physical harm to the data subject or any other person. 

What provisions in the DPA does the exemption relate to?

Under this exemption personal data is exempt from the subject information provisions, i.e.:

  • the first data protection principle (but compliance with the conditions in schedules 2 and 3 is required); and
  • section 8 (the access right). 

When does the exemption apply?

Only personal data that can reasonably be expected to cause mental or physical harm to an individual, if disclosed, is covered by this exemption.

That individual can be the data subject or any other individual. 

How does this exemption work?

If you as the data controller are not a health professional, the exemption applies if:

  • at the time of a request for access you consult with the appropriate health professional on the question whether the exemption applies and you obtain a written opinion that the exemption applies to the data; or
  • you consulted with the appropriate health professional beforehand and obtained a written opinion that the exemption applies to the data.

The health professional’s opinion must be no older than six months when the request is made.

Even if the opinion was obtained within the last six months, it may be reasonable considering all circumstances to consult the appropriate health professional again.

The DPA does not define an “appropriate” health professional, but it is assumed this means a health professional who can issue a professional opinion on the mental or physical harm that would likely be done by making the information accessible to the individual. 

The DPA defines a “health professional” as follows:

“health professional” means an individual registered to practice under any of the professions specified in the Health Practice Act (2013 Revision) or any other Act relating to health; 

A “health record” is defined as:  

“health record” means a record that –

 (a) consists of information relating to the physical health, mental health or condition of a data subject; and

(b) has been made by or on behalf of a health professional in connection with the care of that data subject;  

Relevant provisions

Data Protection Act (2021 Revision)

Section 20: Exemption relating to health, education or social work                                                                             

Data Protection Regulations, 2018:

Regulation 7: Exemption relating to health                                                                               

Previous Next