What should we do if we receive a Subject Access Request, but the information sought includes third party personal data?

Under data protection laws within the UK, individuals have long enjoyed an established right to ask organisations what personal information they hold about them, how they are using it, who they are sharing it with and where they have got such data from. This is known as a “Subject Access Request”.

Upon receipt, it is important that organisations promptly deal with and respond to Subject Access Requests, otherwise the Information Commissioner’s Office (ICO) have the power to issue fines. Having received a Subject Access Request, under the Data Protection Act 2018 and the General Data Protection Regulations (GDPR), principally recipients have a duty to disclose to such individual applicant the personal information held about them. However, what should a recipient do if:

• an individual’s request for copies of its personal information would also encompass the personal data of a third party; and
• there is no way of disclosing such personal information without identifying the third party.

This can arise where correspondence such as emails, meeting notes or complaints exist which might concern the applicant, but also include personal data that clearly identifies the third party (for example, their name or contact details).

Under data protection laws, despite the principle duty to disclose, an organisation is not actually obliged to provide personal information to the applicant where there is a necessity to protect the rights of others. On the face of it, an organisation faced with these circumstances could therefore have the right to refuse disclosure. However, this exemption will not apply if either:

• the other individual has consented to the disclosure of the information to such applicant; or
• it is reasonable to disclose the information to the applicant without the consent of such other individual.

Having received a Subject Access Request which would involve disclosing third party personal data, the recipient must therefore carefully consider if such third party has or would consent to the disclosure and also – irrespective of such consent being obtained – if it is still reasonable to disclose the information to the applicant. Depending on the circumstances, before responding to the Subject Access Request, the recipient may want to firstly consider seeking consent from such third party. If consent is however not received or obtainable, the recipient will still need to determine whether it is reasonable to disclose and the GDPR does helpfully set out some matters to consider, including any duties of confidentiality owed to the third party and the type of information to be disclosed.

Of course, the above is not an exhaustive example of the exemptions available or indeed the matters that need to be carefully considered upon receipt of a Subject Access Request. It is however important for a recipient to consider any exemptions, as a failure to act correctly could have repercussions. For example, if a recipient incorrectly discloses a third party’s personal data in order to satisfy a Subject Access Request rather than relying on a valid exemption, such third party could themselves potentially bring a compliant to the ICO following such disclosure.

In the event that you receive a Subject Access Request where third party personal data would be included within any information/documentation sought; we would always recommend that you take professional advice before responding. If you have any queries in relation to the above or any matters involving data protection laws, please do contact DJM’s Corporate Team on 01792 650000.