Understanding Subject Access Requests – Part 3: Third Parties and Complaints Data

January 11th, 2023 Posted in Data Protection

Understanding Subject Access Requests (SARs)

Welcome to the third and final part of our series on understanding Subject Access Requests. In Part 1 of the series, we focused on the fundamentals of SARs. In Part 2, we focused on the situations in which organisations can refuse to comply with a SAR and highlighted some of the exemptions available under the Data Protection Act 2018 (“DPA 2018”). In this blog, we provide guidance on how to process SARs in situations where the proposed response to a SAR includes the personal data of third parties and data held in complaint files.

Third Parties

As mentioned in part 2 of this series, documents containing the personal data of one individual will often contain the personal data of another person as well. For example, if an employee makes a SAR, they will be entitled to a copy of all the personal data relating to them, including that contained within their personnel file. However, this file is also likely to contain the personal data of their manager and anyone else who has contributed to it during the course of their employment, such as when conducting appraisals and dealing with training requirements, sick leave, disciplinaries, grievances and so on.

As the individual making the SAR is only entitled to their own personal data and not the personal data of others, this means that, strictly speaking, third-party data should be removed or redacted before being disclosed to the data subject. That said, in some circumstances, it may not be unfair or unlawful to disclose third-party data under a SAR.

Consequently, before any data is released under a SAR, it needs to be carefully considered in order to ascertain whether or not any of it needs to be withheld.

Section 16 of part 3 of Schedule 2 to the DPA 2018 is relevant here. This seeks to protect the rights of others and provides that organisations should not disclose information under a SAR if doing so would involve disclosing information relating to someone else. Therefore, organisations can withhold information in reliance on this provision, where appropriate to do so. However, this section of the DPA 2018 goes on to say that third-party data CAN be disclosed if the third party has consented or it is reasonable in all the circumstances to disclose the information without their consent.

With the above in mind, the ICO suggests a three-stage process when deciding whether to disclose third-party personal data in response to a SAR, namely:

  1. Does the proposed SAR response include third-party personal data?
  2. Has the third party consented to the disclosure of their personal data?
  3. Is it reasonable to disclose third-party personal data without consent?

Including third-party personal data

Once all the information required for responding to the SAR has been collected, it will need to be reviewed to ascertain whether it contains any third-party personal data. As explained in part 1 of this series, personal data is any information from which an individual can be identified. This means that the name of a third party may not be needed if it is possible to identify them from other identifiers or information that the data subject already has or can reasonably obtain. In the example above of an employee making a SAR to their employer, the employee’s personnel file may contain references to their manager by job title and, as such, it will be easy to identify who is being referred to by using this information, even if the manager’s name is redacted. In another example, the record may refer to the ‘employee of the month for November 2022’ and although the data subject may not know who this is, they may easily be able to obtain this information by referring to the staff newsletter. Therefore, in such circumstances, it may be appropriate to remove reference to all identifiers.

However, if the personal data about third parties is so entangled with the personal data of the individual who made the SAR that it is impossible to separate them, steps two and three below should be carefully considered.

Obtaining consent

In terms of obtaining consent from the third party, this is likely to be a straightforward step in many scenarios but in some cases, it may be impossible, such as when the contact details of the third party are unknown. However, even if it is possible to contact the third party to seek consent, it may not be reasonable or appropriate to do so. For example, it may not be appropriate to ask the third party for consent, if this would result in information about the requester being shared with the third party that they were not already aware of. In some cases, the third party will need to know exactly what information the organisation proposes to disclose to enable them to make a decision on whether or not to grant consent, and, as a result, the organisation may need to provide the third party with information that would have otherwise been kept confidential. This extra sharing may need to be avoided.

Further, it would not be appropriate to seek consent if this would mean informing the third party that the requester has made a SAR, if it is not reasonable to share such detail, given all the circumstances of the case. It would also not be appropriate to seek consent in cases where it is clear, perhaps because of poor relations between the parties, that consent is likely to be refused.

Consequently, whilst seeking the consent of the third party is an option (provided contact details are known), it is not always the most suitable approach.

Disclosure without consent

If the consent of the third party has not been obtained, it may still be lawful to release their personal data in response to a SAR, if it is reasonable to do so, taking into account all the circumstances of the case. As briefly outlined in part 2 of this series, in deciding what is reasonable in any given situation, the following should be considered:

The type of information that would be disclosed

The more private the information, the more caution should be applied. For example, it is less likely to be reasonable to disclose financial data, special category data or data relating to criminal convictions or offences compared to personal data that is publicly available, such as the name of a director of a limited company.

Any duty of confidentiality owed to the other individual

In certain situations, confidentiality is expected, such as between a doctor and their patient or between a solicitor and their client. In certain circumstances, for example, where there is a grievance, employees will verbally share information in meetings (where notes are made) and there will be an expectation that such information will be confidential due to the nature of the information they are sharing. There are numerous other scenarios in which a duty of confidentiality arises and, generally speaking, if there is a reasonable expectation that information will be kept confidential, it would not be appropriate to disclose it without consent.

That said, simply because a document is marked as ‘confidential’ does not automatically mean it is protected as such. On occasions, documents may be labelled in this way but, in reality, the contents are not protected by a duty of confidentiality because, for example, the information is publicly available or it is in the public interest to disclose it.

Any steps taken to obtain consent of the other individual

The less effort that is made to obtain consent, when it is appropriate to do so, the less likely it is that it would be considered reasonable to disclose third-party personal data without consent.

Whether the other individual is capable of giving consent

If the third party does not have the capacity to give consent, then it is not appropriate to ask for it and even if it was given, it would not be valid consent. For example, someone who has advanced dementia or other such mental impairment would not be considered to have the capacity to provide consent.

Any express refusal of the consent of the other individual

If the third party has been asked for consent but has refused, it would not be appropriate to share their personal data. Learn more about when it’s ok to share personal data in our blog on the data sharing code of practice.

Therefore, if the type of third-party personal data is particularly private, the third party had an expectation that it would be kept confidential, little or no attempt has been made to contact the third party to obtain consent or the third party does not have capacity to give consent or has refused consent, it is unlikely to be considered reasonable to disclose that data under the SAR.

That said, if the data subject has already seen the third-party personal data or is already aware of it, then it would not be unlawful to disclose it. For example, emails exchanged between the data subject and the organisation to which the SAR has been submitted may contain third-party data. As the data subject has already seen these emails, it would not be unfair or unlawful to disclose them in their entirety to the data subject.

Further information is available from the ICO website:

What should we do if the request involves information about other individuals?

Complaints Data

It is not uncommon for individuals who have made complaints or have been the subject of a complaint, to submit a SAR, as they wish to obtain as full a picture as possible about the incident(s) in question. However, confusion often arises in relation to the extent of the information they are entitled to when making their SAR. Indeed, there appears to be a common misconception that the entire complaint file will be provided. However, the rules relating to SARs are the same, whether they relate to a complaint file or not. This means that the starting point is that the individual exercising their right of access is only entitled to their own personal data and not the data of anybody else and the organisation processing the SAR will need to redact or remove third-party data, if appropriate, and apply exemptions to justify withholding data, where necessary.

Typically, a complaint file will consist of the following types of data:

  • the complainant’s personal data
  • third-party personal data
  • a mix of the complainant’s personal data and third-party personal data that is so entwined that it cannot be separated
  • ordinary data (i.e. data that contains no personal data)

Many organisations wish to be as helpful as possible when processing a SAR and tend to provide ordinary data, such as policies and procedures, that are contained within the complaint file, as well as the personal data the individual is entitled to. This may help to provide a level of context for the individual.

However, when considering the remaining data within the complaint file, each document will need to be carefully considered to assess:

  • Whether it is the personal data of the data subject and if so,
    • whether it should be disclosed or
    • if an exemption applies to justify redacting or removing it.
  • Whether it is the personal data relating to a third party and if so,
    • whether consent should be obtained to disclose it or
    • whether it is reasonable to disclose it without consent or
    • whether it should be redacted or removed.

Robust records management will assist in locating all the information that it is necessary to consider but, nonetheless, it is advisable to consider each piece of information within the complaint file separately. In particular, it is common for complaint files to contain the different opinions of individuals and, as opinions also constitute personal data, these are often the areas in which the personal data of more than one person can become so entangled that they are impossible to separate. In such circumstances, these sections may need to be redacted or removed to ensure compliance with data protection law.

Further information can be found in the ICO’s guidance, “Access to information held in complaint files”. 

Need help?

As a specialist data protection consultancy, Evalian® is well-placed to assist you with any queries you might have on SARs and how to respond to them.

If you would like an informal conversation on how we can assist, please get in touch. We can steer you in the right direction or, if you need help, we can assist at every level to ensure that you are covered.

Written by Sandra May

Sandra is an experienced senior data protection consultant and is a designated DPO for Evalian™ clients. Sandra spent much of her career as a litigation lawyer and over the last ten years has been focusing on specialising in data protection. Sandra's qualifications include BCS Practitioner Certificate in Data Protection, ISEB Certificate in Data Protection, as well as being a FCILEx (Fellow of the Chartered Institute of Legal Executives).