The perils of third-party data in data subject access requests

By Jenai Nissim / 11 Sep 2019

When dealing with data subject access requests, other people’s personal data can cause a headache for many organisations. Jenai and Alison wrote an article for PL&B in May 2019 to offer some clarity and insight on third-party data and how best to approach mixed personal data when responding to a data subject access request. A full version of this article is available in the PL&B UK May 2019 edition.

The right for individuals to access their personal data, commonly known as “the right of access” or “data subject access request” (DSAR), is not a new right. It was one of the most well-known rights under the Data Protection Act 1998 (DP Act 1998). Under the GDPR the right of access remains available to individuals, as does the issue for organisations of how to deal with personal data when complying with the right of access.

Under Article 15 of the GDPR, an individual has the right to ask a controller for confirmation of whether or not it is processing their personal data and, if it is, access to that personal data together with a plethora of additional information. Whilst the right of access appears to be an “absolute right” when complying with a DSAR, both Article 15 and Recital 68 of the GDPR also require that if, for example, a document contains information which relates to another individual or identifies the source of the personal data, an organisation needs to consider whether both sets of personal data should be disclosed. In order to do this, the organisation will need to make a careful assessment of the facts surrounding the collection of the personal data and its source before disclosing.

In many cases, it is not easy to separate third party data when responding to a DSAR. Some organisations disclose all personal data without considering the rights of other individuals. Doing so exposes those organisations to issues of non-compliance with the GDPR and claims from other individuals whose personal data is then disclosed unlawfully. It is not an approach we recommend taking, no matter how appealing and time-saving it appears.

What is third-party data?

Third party personal data can take many forms, for example, an opinion can contain personal data not only about the person to whom the opinion relates but also about the individual whose opinion it is. This is typically the case in the context of a disciplinary. Additionally, where an individual provides an account of an event, for example, a medical opinion, whilst the information may be factual in nature, the account of an event or an evaluation of circumstances may contain personal data relating to either party, as was the case in DB v General Medical Council [2018] EWCA Civ 1497 (DB v GMC), now a leading case relating to mixed personal data.

The outcome of DB v GMC confirmed that withholding consent alone is not a valid justification for not providing another individual’s personal data to the requester and that a balancing test must be undertaken, through which all facts should be considered surrounding the collection and disclosure of the personal data. The court also confirmed that the fundamental principles which organisations must consider when disclosing third party data under Section 7 of the repealed DP Act 1998 must be considered. The refusal of consent to disclose does not mean an organisation should not apply all these principles.

How to approach mixed personal data

Redaction or removal of the personal data: in some cases, it will be simple to remove or obscure personal data from a document without identifying the other individual’s personal data or the source of the personal data. Whilst this sounds simple, in practice, it may still be obvious who the individual is or who the source of the personal data is. This may arise because the requester has access to other information or documentation which would enable the other individual to be identified. In these situations, as redaction is not a viable option, organisations need to consider if the personal data should be withheld from disclosure in its entirety.

Consent and balancing test: The case of DB v GMC confirmed that organisations must consider the following factors before deciding to disclose or withhold another individual’s personal data:

  • If the other individual has consented to the disclosure of the information to the data subject; or
  • If it is reasonable to disclose the information to the data subject without the consent of the other individual.

Consent

There is no obligation to obtain the consent of the other individual prior to the disclosure of personal data, and in some instances obtaining consent prior to disclosure can be costly or not possible. However, if consent is sought and refused, then that refusal must be taken into account, but organisations should not assume that because consent is refused the personal data should not be disclosed.

The balancing test

When determining if it is ‘reasonable’ to disclose an individual’s personal data to another individual, an organisation must have regard to all the relevant circumstances, including:

  • The type of information that would be disclosed: The more sensitive the personal data is to either party, the higher the likelihood of damage and distress arising as a result of the disclosure. For example, if the personal data is special category data, or if it contains opinions which are likely to result in distress for an individual (for example in a disciplinary case), then disclosure may not be appropriate. Consideration must be given to the impact on both parties, as was the case in DB v GMC.
  • Any duty of confidentiality owed to the other individual: If personal data has been provided in confidence or where an individual would not expect the personal data to be disclosed, the circumstances surrounding the provision of information must be taken into account. Where there is a clear duty of confidentiality, it would be reasonable to withhold the provision of personal data on this basis. However, on each occasion, a careful assessment should be made.
  • Any steps taken by the controller with a view to seeking the consent of the other individual: In some cases, an organisation will seek the consent of the other individual. If this is the case, it would be sensible to inform the individual that the refusal to provide consent alone will not mean that personal data is not disclosed. Equally, if consent is not sought, it may be reasonable to inform the individual that the personal data will be disclosed (unless this is likely to cause issues, for example, if the personal data is required for the prevention or detection of a crime).
  • Whether the other individual is capable of giving consent: There may be instances where the other individual is incapable of providing consent because an organisation cannot locate them. Even if an organisation is unable to locate the other individual, it should still carry out a balancing test to ensure that the disclosure is not likely to cause that individual damage and distress.
  • Any express refusal of consent by the other individual: As we have seen in DB v GMC, if an individual refuses consent, the grounds for refusal should be considered alongside the balancing test to ensure that both the other individual and the individual making the DSAR are not prejudiced. It is not necessary for an organisation to know why an individual requires access to their personal data, therefore this may prove a tricky assessment to make, which is why such decisions should be considered carefully on a case-by-case basis.
  • Other considerations: Outside of the GDPR and the DP Act 2018, the UK Information Commissioner’s Office has issued further guidance on additional factors to be taken into account when dealing with mixed personal data. The ICO suggests also considering:
    • If the personal data or the source of the personal data in question is already known to the individual. If this is the case, then the further disclosure of the personal data may be reasonable.
    • As stated above, if the personal data has been provided in a business or work capacity it is more likely (but not guaranteed) that those individuals would have an expectation that the personal data may be disclosed. Again, a careful assessment should still be made because if the information was provided as part of a disciplinary or in circumstances where the requester could use this to retaliate or cause harm to the other individual, the disclosure would not be appropriate.

Whilst there are guidelines on the factors to consider when such disclosure should or should not be made, organisations will need to carry out an assessment on each occasion to ensure that any decisions have been assessed on a case-by-case basis using the criteria reinforced in the DB v GMC case.

Keeping a record of the decision

Finally, organisations should be able to justify decisions taken when complying with any aspect of the GDPR. Therefore, when an organisation makes any decision relating to the disclosure of an individual’s personal data, in order to demonstrate compliance, it should:

  • Document the steps taken to obtain consent or factors surrounding the decision not to seek consent;
  • If consent was refused and the personal data was disclosed or withheld, record why this decision was made; and
  • Explain in writing the circumstances of the balancing test and the rationale for making any decisions relating to the disclosure or withholding of personal data.
