I propose to take Questions Nos. 571 and 583 together.
Under subject access provisions in the General Data Protection Regulation (2016/679) and the Data Protection Act 2018, a data subject, who is defined as an identifiable or identified natural (living) person, can make a request for personal data, including medical files and medical history to the relevant data controller, for example, the hospital concerned or the HSE.
Information on how to make a request is available on the hospital or the HSE’s website. The information requested should be provided within one month and there is no fee. In limited circumstances the response period may be extended to two months, where requests are complex or comprise a number of requests.
Access to medical records may be restricted if the data controller believes that access is likely to cause serious harm to the physical or mental health of the data subject.
In the case of records of deceased persons there is specific provision under Freedom of Information legislation to facilitate access of next of kin to a deceased person’s records. An application should be made under the Freedom of Information Act 2014 to the relevant public body, for example the voluntary hospital concerned or the HSE. The Freedom of Information Act does not apply to private hospitals.