3 Major Considerations for 3rd parties in a subject access request


Have you had to decide whether to disclose a third party as part of a response to a subject access request (SAR)? This article explains the complexities that often arise when other people are mentioned in material that needs to be returned as part of a SAR, and why it is a good idea to get help when it is not clear whether you should disclose them. If you have any questions on this, or would like to instruct a GDPR legal specialist to handle it for you, please call me on 029 2000 2339 or email me on [email protected] today.

Disclosure of 3rd Parties in a SAR or DSAR

This is often a source of great worry or nervousness for data controllers when it need not be.

Article 15.4 of the GDPR provides that the right to obtain a copy of the personal information being processed ‘shall not adversely affect the rights and freedoms of others.’

Data controllers often mistakenly take this to mean that any personal information about a third party needs to be redacted or that the entire piece of information can be withheld.

You need to consider the word ‘adversely’ very carefully in this clause. You also need to understand what ‘personal information’ actually is:

Article 1(1) of the GDPR gives a definition of personal information or personal data (the two terms are interchangeable):

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

It is not as simple as a name or a unique number such as a national insurance or driving licence number. It can be a combination of data points brought together about a single individual, e.g. hair colour, gender, height, postcode and car model will almost certainly identify a single person.

When considering a third party in a piece of information that is being prepared for a SAR response, you need to ascertain whether the third party has been, or could be, identified. As you can see from the definition above, it is not simply a matter of them being named.

If you can ascertain that a third party has been identified or is identifiable according to the GDPR, you need to consider whether Article 15.4 applies and whether the information about them should be redacted from the document in question.

The Data Protection Act 2018 makes some variations to the GDPR and also provides more guidance on certain areas, which you need to consider. Schedule 2, Part 3, s16 sets out conditions about third party disclosure. In summary, it is allowable to disclose the third party if they have consented, or if it is reasonable to disclose their identity without their consent. In establishing the reasonableness of unconsented disclosure, consideration should be given to the type of information that would be disclosed, whether the third party has a duty or expectation of privacy, and whether the third party has expressly refused consent.

Guidance on Interpretation

You can look to previous cases to provide guidance on interpretation. You need to determine what might be an adverse effect on the rights and freedoms of a third party. A recent case gave clear direction on the disclosure of third parties. In Rudd v Bridle [1], the Court held that a business that had received a SAR must not apply a blanket policy of withholding the identities of other individuals in the response, but must instead make an assessment of each individual issue.

It is important to realise that, although a data controller can rely on the consent of a third party to release their information, there is no obligation to actually seek their consent. The data controller is afforded a wide margin of discretion to make such a decision. Even where the third party objects to disclosure, a data controller is still able to decide to disclose based on the reasonableness of that decision, and can override the express wishes of the third party. You can refer to a case heard in the Court of Appeal, Dr B v General Medical Council [2], to support this stance of a reasonable decision made against the wishes of the third party. In this case, the GMC had very clear, documented reasons for releasing the personal details of Dr B, a third party whose details appeared in the personal information of a patient, P. Dr B refused to allow his details to be released to P in response to a SAR, and an initial court hearing supported his position. An appeal by the GMC succeeded and the information was released.

What Factors Should a Business Consider?

First and foremost is the relationship of the third party to the requestor of the SAR. Was the third party a supervisor or manager of the data subject? Was the data subject their manager? It would be reasonable to disclose someone’s manager, but probably not reasonable to disclose a junior person. If the third party is not another employee, what is their relationship to either the business or the requestor?

Is there anything in the material you are disclosing that could affect the third party, such as embarrassment, or detriment to their career or job security? Importantly, if the third party has been a ‘whistleblower’ they are afforded additional protections in law – we advise that this should be dealt with by a GDPR legal expert.

You then need to establish whether the third party would reasonably expect you to keep their personal data confidential. Privacy may be a contractual obligation or may be implied by the circumstances or relationship.

There is no real ‘default’ decision that you can rely upon. Each time a third party is part of material that you need to disclose, you need to make an assessment, and this assessment should be documented.

We can help you and your firm with any aspect of responding to a SAR, GDPR and data protection. Call us today on 029 2000 2339 for a free, no-obligation chat, or email us on [email protected] to set up a call.

Andrew Brenton
Data Protection Legal Specialist

  1. Rudd v Bridle & Anor [2019] EWHC 893 (QB)
  2. Dr B v General Medical Council [2018] EWCA Civ 1497