16 June 2020

3 Major Considerations for Disclosing 3rd parties in a subject access request

Have you tried to deal with whether to disclose a third-party as part of a subject access request response (SAR)? This article explains the complexities that often arise when there are other people mentioned in material that needs to be returned as part of a SAR.  Plus, why it is a good idea to get help when it isn’t clear if you should disclose them or not.  If you have any questions on this or would like to instruct a GDPR legal specialist to handle this for you, please call me on 029 2000 2339 or email me on andrew@iolis-legal.com today

Disclosure of 3rd Parties in a SAR or DSAR

This is often a source of great worry or nervousness for data controllers when it need not be.

The GDPR sets out in Article 15.4, the provision of a copy of the personal information that is being processed ‘shall not adversely affect the rights and freedoms of others.’

Data controllers often mistakenly take this to mean that any personal information about a third party needs to be redacted or that the entire piece of information can be withheld.

You need to consider the word ‘adversely’ very carefully in this clause. You also need to understand what ‘personal information’ actually is:

Article 1(1) of the GDPR gives a definition of personal information or personal data (the two terms are interchangeable):

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

It is not as simple as a name or a unique number such as a national insurance or driving licence number. It can be combinations of data brought together under a single entity e.g. hair colour, gender, height, postcode, and car model will almost certainly identify a single person.

When considering a third party in a piece of information that is being prepared for a SAR response, you need to ascertain if the third party has been or could be identified.  As you can see from the definition above, it is not simply a matter of them being named.

If you can ascertain that a third party has been identified or is identifiable according to the GDPR, you need to consider whether Article 15.4 applies and should the information about them should be redacted from the document in question.

The Data Protection Act 2018 makes some variations to the GDPR and also provides more guidance on certain areas, which you need to consider. In Schedule 2, Part 3 s16 sets out conditions about third party disclosure. In summary it is allowable to disclose the third party if they have consented or it is reasonable to disclose their identity without their consent. In establishing the reasonableness of unconsented disclosure, consideration should be given to the type of information that would be disclosed.  Whether there is a duty or expectation of privacy by the third party and whether consent has been expressly refused by the third party.

Guidance on Interpretation

You can look to previous cases to provide guidance on interpretation. You need to determine what might be an adverse effect on the rights and freedoms of a third party. A recent case gave a clear direction on the matter of the disclosure of third parties. In the case of Rudd v Bridle1, the Court held that a business that had received a SAR must not apply a blanket policy of withholding the identities of other individuals in the response but must instead make an assessment of each individual issue.

It is important to realise that though a data controller can rely on the consent of a third party to release their information, there is no obligation to actually seek their consent. The data controller is afforded a wide margin of discretion to make such a decision. Even in the case of the third-party objecting to disclosure, a data controller is still able to make a decision to disclose based on the reasonableness of such a decision and can ignore the express wishes of the third party. You are able to refer to a case heard in the appeal court of Dr B v General Medical Council2 to support this stance of a reasonable decision made against the wishes of the third party. In this case, the GMC had very clear, documented reasons for releasing the personal details of Dr B who was a third party involved in the personal information of a patient, P. Dr B refused to allow his details to be released with a SAR to P and an initial court hearing supported his position. An appeal from the GMC succeeded and the information was released.

What Factors should a business consider

First and foremost is the relationship of the third party to the requestor of the SAR. Was the third party a supervisor or manager of the data subject? Was the data subject their manager? It would be reasonable to disclose someone’s manager but probably not reasonable to disclose a junior person. If the third party is not another employee, then what is their relationship to either the business or the requestor?

Is there anything in the material you are disclosing that could affect the third party such as embarrassment, detriment in their career or job security? Importantly, if the third party has been a ‘whistle blower’ they are afforded additional protections in law – we advise this should be dealt with by a GDPR legal expert.

You then need establish whether the third party would reasonably expect you to keep their personal data confidential. Privacy may be a contractual obligation or may be implied by the circumstances or relationship.

There is no real ‘default’ decision that you can rely upon. Each time a third party is part of material that you need to disclose, you need to make an assessment and this should be documented.

We can help you and your firm with any aspect of responding to a SAR, GDPR and data protection.  Call us today on 029 2000 2339 for a FREE no obligation chat or email us on contact@iolis-legal.com to set up a call.

Andrew Brenton
Data Protection Legal Specialist

  1. Rudd v Bridle & Anor [2019] EWHC 893 (QB)
  2. Dr B v General Medical Council [2018] EWCA Civ. 1497

Does your UK business need a mediator or support with data protection and GDPR? Tell us how we can help you.

Call us to start the conversation on 029 2000 2339 or email contact@iolis-legal.com

Contact us
3 August 2020
How should your organisation handle a leak to the media?
Finding out that the media has confidential information about your organisation from a leak can feel devastating. The fall-out can include significant reputational damage and serious legal problems, as one professional sport governing body has recently discovered.…
Read More
20 July 2020
Mediation could be a quicker, less costly solution than an employment tribunal.
As the UK opens up again after the COVID-19 lockdown, many public services will face dealing with substantial backlogs. For the already under pressure employment tribunal system, it’s yet another major problem. The system has been under significant strain since…
Read More
17 June 2020
Should you use thermal scans to check your employees or customers for COVID-19?
Millions of workers are heading back to offices, factories, and shops as Britain slowly emerges from lockdown. Now, companies and organisations are facing a dilemma: should they use body temperature cameras to attempt to screen staff and customers who might have…
Read More
16 June 2020
3 Major Considerations for Disclosing 3rd parties in a subject access request
Have you tried to deal with whether to disclose a third-party as part of a subject access request response (SAR)? This article explains the complexities that often arise when there are other people mentioned in material that needs to be returned as part of a SAR. …
Read More
9 June 2020
Performance data in professional sport
Great advances have been made in the way elite athlete performance data is collected and analysed. But when using this data there are many legal factors to consider to ensure that the rights of the athlete are protected.  The area of data protection law in sport…
Read More
5 June 2020
3 Ways to Build a Marketing List Under GDPR
Are you no longer collecting email addresses on your website becuase of GDPR? Let us show you how you can still build your list and stay on the right side of the law!  Are you confused about collecting email addresses on your website? Are you unsure about the rules…
Read More
© 2020 IOLIS Ltd. Reg. in England & Wales Num.11968202 For reg. address see contact details | Website designed, hosted, and maintained by Jötnar Systems