Personal data can relate to more than one person. Therefore, responding to a SAR may involve providing information that relates to both the requester and another individual.
Example
An employee makes a request to her employer for a copy of her human resources file. The file contains information identifying managers and colleagues who have contributed to (or are discussed in) that file. This will require you to reconcile the requesting employee’s right of access with the third parties’ rights in respect of their own personal data.
There is an exemption in the DPA 2018 that says you do not have to comply with a SAR, if doing so means disclosing information which identifies another individual, except where:
So, although you may sometimes be able to disclose information relating to a third party, you need to decide whether it is appropriate to do so in each case. This decision involves balancing the data subject’s right of access against the other individual’s rights relating to their own personal data. If the other person consents to you disclosing the information about them, it is unreasonable not to do so. However, if there is no such consent, you must decide whether to disclose the information anyway.
To help you decide whether to disclose information relating to a third party, follow the three-step process described below. You may also find it helpful to read our guidance on ‘Access to information held in complaint files’. Whilst it is FOI and EIR guidance, it also covers SARs.
You should consider whether it is possible to comply with the request without revealing information that relates to and identifies another individual. You should take into account the information you are disclosing and any information you reasonably believe the person making the request may have, or may get hold of, that would identify the third party.
Example
In the previous example about a request for an employee’s human resources file, even if a particular manager is only referred to by their job title, they are likely to still be identifiable based on information already known to the employee making the request.
As your obligation is to provide information rather than documents, you may delete names or edit documents if the third-party information does not form part of the requested information.
However, if it is impossible to take out the third-party information and still comply with the request, you need to take account of the following considerations.
In practice, the clearest basis for justifying the disclosure of third-party information in response to a SAR is that the third party has given their consent. It is therefore good practice, where possible, to ask relevant third parties for their consent to the disclosure of their personal data in response to a SAR.
However, you are not obliged to ask for consent. Indeed, in some circumstances, it may not be appropriate to do so, for instance where:
In practice, it may sometimes be difficult to get third-party consent; for example, the third party might refuse or be difficult to find. If so, you must consider whether it is reasonable to disclose the information about the other individual anyway.
The DPA 2018 says that you must take into account all the relevant circumstances, including:
This is a non-exhaustive list, and ultimately it is for you to make this decision, taking these factors into account, along with the context of the information.
Confidentiality is one of the factors you must take into account when deciding whether to disclose information about a third party without their consent. A duty of confidence arises where an individual discloses genuinely ‘confidential’ information (ie information that is not generally available to the public) to you, with the expectation that it remains confidential. This expectation might result from:
However, you should not always assume confidentiality. For example, a duty of confidence does not arise merely because a letter is marked 'confidential' (although this marking may indicate an expectation of confidence). It may be that the information in such a letter is widely available elsewhere (and so does not have the 'necessary quality of confidence'), or there may be other factors, such as the public interest, which mean that an obligation of confidence does not apply.
In most cases where a duty of confidence does exist, it is usually reasonable to withhold third-party information, unless you have the third party’s consent to disclose it.
If the data subject requests information that is also the personal data of a health worker, an education worker or a social worker, it is reasonable to disclose information about them without their consent, as long as the disclosure meets the appropriate ‘test’.
For health workers, it meets the ‘health data test’ if:
A ‘health record’:
For education workers, it meets the ‘education data test’ if:
For social workers, it meets the ‘social work data test’ if:
Example
An individual makes a subject access request to their local council for a copy of all the information it holds on them. The information held includes several social services reports. The reports contain the personal data of the individual, a family member and a social worker. The council employs the social worker in connection with its statutory social work service, and they wrote the reports in their official capacity as a social worker. As such, it is reasonable for the council to provide the social worker’s personal data to the requester in response to the subject access request. However, the council must either have the consent of the family member, or consider whether it is reasonable to disclose their personal data without consent. If the council does not have consent, it is likely that it needs to reconcile the individual’s right of access with any duty of confidence owed to the family member.
In addition to the factors listed in the DPA 2018, the following points are likely to be relevant to a decision about whether it is reasonable to disclose information about a third party in response to a SAR.
It follows that third-party information relating to a member of staff (acting in the course of their duties), who the individual making the request knows well through their previous dealings, is more likely to be disclosed than information relating to an otherwise anonymous private individual.
Yes. You need to respond to the requester whether or not you decide to disclose information about a third party. If the third party gives their consent, or if you are satisfied that it is reasonable to disclose it without consent, you should provide the information in the same way as any other information you provide in response to the SAR.
If you do not have the third party’s consent and you are not satisfied that it is reasonable to disclose the third-party information, then you should withhold it. However, you are still obliged to communicate as much of the requested information as you can, without disclosing the third party’s identity. Depending on the circumstances, it may be possible to provide some information, having edited or ‘redacted’ it to remove information that identifies the third-party individual.
You must be able to justify your decision to disclose or withhold information about a third party, so you should keep a record of what you decide and why. For example, it would be sensible to note why you chose not to seek consent or why it was inappropriate to do so in the circumstances.