SARS Involving Another Person
Last week one of our followers on LinkedIn asked us a question about Subject Access Requests. We wanted to reply directly on LinkedIn, but it seemed like the perfect opportunity to create a blog post.
Question: How would you deal with a Subject Access Request involving other people's information?
Example: An employee makes a request to her employer for a copy of her human resources file. The file contains information identifying managers and colleagues who have contributed to (or are discussed in) that file. This will require you to reconcile the requesting employee’s right of access with the third party’s rights in respect of their own personal data.
The Data Protection Act says you do not have to comply with a SAR if to do so would mean disclosing information about another individual who can be identified from that information, except where:
- the other individual has consented to the disclosure; or
- it is reasonable in all the circumstances to comply with the request without that individual's consent.
So, although you may sometimes be able to disclose information relating to a third party, you need to decide whether it is appropriate to do so in each case.
This decision will involve balancing the data subject’s right of access against the other individual’s rights in respect of their own personal data. If the other person consents to you disclosing the information about them, it would be unreasonable not to do so.
However, if there is no such consent, you must decide whether to disclose the information anyway.
Answer: I think there are a few key points from the DPA18 and regulatory guidance to consider when looking at this type of scenario.
The complication in situations like these arises from the fact that, in the context of employment and HR, the same information can constitute personal data relating to multiple people. For example, a complaint will relate both to the complainant and to the subject of the complaint.
Firstly, it is worth noting that Para. 16 of Sch. 2 to the DPA18 states that:
GDPR Article 15 does not oblige a controller to disclose information to the data subject to the extent that doing so would involve disclosing information relating to another individual who can be identified from the information. However, you may not rely on this exemption if the other person has consented to the disclosure of information about them, or if it is reasonable to disclose the information to the data subject without the consent of the other individual.
You need to take into account the context of the request and the other people's personal data.
Additionally, we need to remember that the right of access is a right to data, not documents. This is often a point of confusion for the layman, but regulatory guidance is clear that controllers need not necessarily disclose original documents. This means that the data held can, potentially, be re-transcribed or presented in different formats, which can again be a useful tool in protecting third-party data.
As you point out, the exemption protecting third-party data is not absolute, and there is a reasonableness test to support the balancing of rights. While the circumstances listed against the reasonableness test are quite narrow (confidentiality, consent to disclose, etc.), regulatory guidance tells us that we need to consider the broader context of the data and the request to make an informed decision. For instance, if the request pertains to emails which the data subject has previously received or sent, it would surely be reasonable to disclose these and the personal data of others contained within them. ICO guidance is not specific on this point, but recent CNIL guidance does provide this exact example.
The reasonableness test is expanded in sub-para. (3) of Para. 16, where the DPA states that "the controller must have regard to all the relevant circumstances" and includes a list of considerations which should be taken into account when determining the reasonableness of disclosing third-party information.
On these points, it is also crucial to remember that the Para. 16 exemption is further qualified at sub-para. (4) to state that "information relating to another individual" also includes any information which would identify the source of that information. In other words, we can rely on Para. 16 in instances where, even with all identifiers removed, the requestor would be able to identify the source of the information. This might be relevant where it pertains to specific allegations, or even something as trivial as a unique email sign-off that only one person in the business uses. This is a bit of a double-edged sword: it allows controllers far greater discretion in protecting third-party rights, but it also requires far more scrutiny from the controller when reviewing the information to be disclosed. It also means that the person or team reviewing the data has to have a strong understanding of the context associated with the DSAR.
In the employment context, some of the exemptions under Part 4 of Schedule 2 of the DPA may also be relevant. For instance:
- Para. 19 exempts information which is either the subject of legal advice or is being prepared in view of legal proceedings. This could be relevant in the context of employment tribunals.
- Para. 22 provides an exemption where, for instance, fulfilling the SAR might prejudice management forecasting or planning. If some of the information in question relates to planned redundancies, this could apply.
- Para. 23 exempts information which could prejudice negotiations with the data subject; the controller would have to demonstrate potential prejudice, but it could apply.
- Para. 24 exempts confidential references. The controller would have to demonstrate that any references in question were actually treated as confidential and not merely stamped as such, but this may be relevant.
Essentially, there is no straight answer to how to handle DSARs in the context of third-party data and HR files or broader employment, as a case-by-case approach and a rich understanding of the context are paramount. However, the law does provide us with plenty of tools to protect the rights and freedoms of third parties; and I have not even touched on broader rights and freedoms beyond confidentiality, such as intellectual property rights, but the latest CNIL guidance on this topic is a useful resource.
For us, the key is to apply that case-by-case approach and ensure all relevant context is applied when considering whether it is reasonable to withhold information. Hope this helps!
We love receiving questions from our community. If you have a question you would like answered, please reach out to one of our team or send your question to Info@dataprotectionpeople.com. We also have the SAR Bureau to help you with any challenge you might face related to Subject Access Requests. If you would like to learn more, visit our SAR Service page or contact us here.