Why DSARs are Challenging in the Healthcare Sector

Mar 25, 2026
Author: Hawsons

Matt Bruce
Managing Director of Bruce & Butler
matt@bruceandbutler.com

Scott Sanderson
Partner
ss@hawsons.co.uk

Data Subject Access Requests (DSARs) arrive more frequently than many healthcare organisations expect, from both patients and employees. On the surface, a DSAR sounds straightforward: an individual asks for a copy of the personal data you hold about them, and you respond within the statutory time frame.

However, in healthcare it is rarely that simple. Healthcare organisations process some of the most sensitive personal data there is, and that data is often spread across multiple systems. When a DSAR lands, you must locate all of it, assess it carefully, and disclose it lawfully.

When handled well, a DSAR builds trust and demonstrates professionalism; when handled poorly, it can damage relationships, trigger complaints to the Information Commissioner's Office (ICO) and expose serious governance weaknesses.

Why are Healthcare DSARs More Complex?

Healthcare HR teams often find that DSARs involve far more than basic employment records. They can include:

  • Medical records
  • Occupational health records
  • Safeguarding concerns
  • Clinical incident reports
  • Disciplinary or grievance documentation
  • Email correspondence discussing the individual
  • Patient complaints involving staff members
  • Third-party data about colleagues or patients

Harry Ware, Head of Data Protection at Bruce & Butler, comments:

“This is highly sensitive personal data. In many cases, it includes special category data under UK GDPR. It may also contain information about other individuals which makes careful redaction an essential part of the process.” 

Healthcare employers remain fully accountable for how that information is reviewed, redacted, and disclosed, even where the data is stored within outsourced HR platforms or clinical systems.

Patient and Employee DSARs

In healthcare settings, you often manage two distinct but equally sensitive categories of request: patient DSARs and employee DSARs.

Patient DSARs can involve extensive clinical records, handwritten notes, diagnostic reports, and correspondence between professionals. Decisions may be required about whether disclosure could cause serious harm to the physical and mental health of the patient, or another individual.

Employee DSARs frequently arise during grievances, disciplinary processes, restructures, or following resignation. These requests can be wide in scope and may include years of email correspondence. These often sit alongside employment disputes, which increases both legal and reputational risk.

For HR teams, these DSARs create pressure. You must balance transparency with confidentiality, and meet statutory deadlines whilst protecting third-party data. All of this must be done without disrupting day-to-day patient care, which makes the process complex.

What Healthcare Businesses Need to Have in Place

A DSAR should not create chaos; it should trigger a clear, controlled process. Healthcare organisations need structure and accountability, including:

  • A documented DSAR procedure that HR and senior managers understand
  • Clear guidance on data retention and secure storage
  • A process for identifying all relevant systems quickly
  • Consistent redaction standards
  • Defined decision makers for complex or high-risk disclosures
  • An audit trail that records how and why decisions were made

Accuracy, confidentiality and timeliness all matter in the DSAR process, and in healthcare, given the volume of data to be reviewed, the margin for error is small.

Why Many Healthcare Providers Choose to Outsource DSAR Management

Even with good internal processes, DSARs place a real strain on HR teams. They are time intensive, they require legal judgement, and they often arrive at the worst possible moments, such as during a grievance, a disciplinary process, or a patient complaint.

Outsourcing your DSAR handling to a specialist team removes that pressure. It allows your HR professionals to focus on workforce management and patient care, rather than spending hours reviewing emails and redacting clinical notes.

An external adviser brings:

  • Independent oversight, particularly helpful where disputes are involved
  • Leading technology and redaction tools
  • Technical expertise in applying exemptions and redactions correctly
  • Confidence that deadlines will be met
  • Clear documentation that stands up to ICO scrutiny
  • Reduced internal conflict in sensitive employee cases
  • Reduced risk of missed deadlines or mistakes

A poorly handled DSAR can damage trust and reputation, and expose your organisation to regulatory action and financial penalties.

If your organisation is seeing an increase in patient or employee DSARs and wants experienced support to manage these complex requests properly, Bruce & Butler are here to help.

The Bruce & Butler team works alongside healthcare HR departments to deliver structured, compliant, and defensible DSAR responses efficiently. Visit their website: www.bruceandbutler.com or contact them directly on 0800 999 5550.
