In more detail

What is the basic rule?

Personal data can relate to more than one person. Therefore, responding to a SAR may involve providing information that relates to both the requester and another individual.

Example

An employee makes a request to her employer for a copy of her human resources file. The file contains information identifying managers and colleagues who have contributed to (or are discussed in) that file. This will require you to reconcile the requesting employee’s right of access with the third parties’ rights in respect of their own personal data.

There is an exemption in the DPA 2018 that says you do not have to comply with a SAR, if doing so means disclosing information which identifies another individual, except where:

  • the other individual has consented to the disclosure; or
  • it is reasonable to comply with the request without that individual’s consent.

So, although you may sometimes be able to disclose information relating to a third party, you need to decide whether it is appropriate to do so in each case. This decision involves balancing the data subject’s right of access against the other individual’s rights relating to their own personal data. If the other person consents to you disclosing the information about them, it is unreasonable not to do so. However, if there is no such consent, you must decide whether to disclose the information anyway.

What approach should we take?

To help you decide whether to disclose information relating to a third party, follow the three-step process described below. You may also find it helpful to read our guidance on ‘Access to information held in complaint files’. Whilst it is FOI and EIR guidance, it also covers SARs.

Step one – Does the request require disclosing information that identifies another individual?

You should consider whether it is possible to comply with the request without revealing information that relates to and identifies another individual. You should take into account the information you are disclosing and any information you reasonably believe the person making the request may have, or may get hold of, that would identify the third party.

Example

In the previous example about a request for an employee’s human resources file, even if a particular manager is only referred to by their job title, they are likely to still be identifiable based on information already known to the employee making the request.

As your obligation is to provide information rather than documents, you may delete names or edit documents if the third-party information does not form part of the requested information.

However, if it is impossible to take out the third-party information and still comply with the request, you need to take account of the following considerations.

Step two – Has the other individual provided consent?

In practice, the clearest basis for justifying the disclosure of third-party information in response to a SAR is that the third party has given their consent. It is therefore good practice, where possible, to ask relevant third parties for their consent to the disclosure of their personal data in response to a SAR.

However, you are not obliged to ask for consent. Indeed, in some circumstances, it may not be appropriate to do so, for instance where:

  • you don't have contact details for the third party;
  • it would potentially disclose personal data of the requester to the third party that they were not already aware of; or
  • it would be inappropriate for the third party to know that the requester has made a SAR.

Step three – Is it reasonable to disclose without consent?

In practice, it may sometimes be difficult to get third-party consent; for example, the third party might refuse or be difficult to find. If so, you must consider whether it is reasonable to disclose the information about the other individual anyway.

The DPA 2018 says that you must take into account all the relevant circumstances, including:

  • the type of information that you would disclose;
  • any duty of confidentiality owed to the third party;
  • any steps taken by you to try to get the third party’s consent;
  • whether the third-party individual is capable of giving consent; and
  • any stated refusal of consent by the third-party individual.

This is a non-exhaustive list, and ultimately it is for you to make this decision, taking these factors into account, along with the context of the information.

What about confidentiality?

Confidentiality is one of the factors you must take into account when deciding whether to disclose information about a third party without their consent. A duty of confidence arises where an individual discloses genuinely ‘confidential’ information (ie information that is not generally available to the public) to you, with the expectation that it remains confidential. This expectation might result from:

  • the content and context of the third-party data, for example if it reveals that the third party is the subject of an ongoing disciplinary investigation; or
  • the relationship between the parties. For example, the following relationships would generally carry with them a duty of confidence:
    • Medical (doctor and patient).
    • Employment (employer and employee).
    • Legal (solicitor and client).
    • Financial (bank and customer).
    • Caring (counsellor and client).
    • Trade Unions (trade union representative and member).

However, you should not always assume confidentiality. For example, a duty of confidence does not arise merely because a letter is marked 'confidential' (although this marking may indicate an expectation of confidence). It may be that the information in such a letter is widely available elsewhere (and so does not have the 'necessary quality of confidence'), or there may be other factors, such as the public interest, which mean that an obligation of confidence does not apply.

In most cases where a duty of confidence does exist, it is usually reasonable to withhold third-party information, unless you have the third party’s consent to disclose it.

What about health, educational and social work data?

If the data subject requests information that is also the personal data of a health worker, an education worker or a social worker, it is reasonable to disclose information about them without their consent, as long as the disclosure meets the appropriate ‘test’.

For health workers, it meets the ‘health data test’ if:

  • a health record contains the information; and
  • the third-party individual is a health professional who:
    • compiled the record;
    • contributed to the record; or
    • was involved in the requester’s diagnosis, care or treatment.

A ‘health record’:

  • consists of data concerning health; and
  • is made by or on behalf of a health professional (eg a doctor, dentist or nurse) in connection with an individual’s diagnosis, care or treatment.

For education workers, it meets the ‘education data test’ if:

  • the other individual is:
    • an employee of a local authority that maintains a school in England or Wales;
    • a teacher or other employee at a voluntary aided, foundation or foundation special school, an Academy school, an alternative provision Academy, an independent school or a non-maintained special school in England or Wales;
    • a teacher at a school in Northern Ireland;
    • an employee of the Education Authority in Northern Ireland; or
    • an employee of the Council for Catholic Maintained Schools in Northern Ireland; or
  • the other individual is an employee at an education authority in Scotland (as defined by the Education (Scotland) Act 1980) in connection with their statutory education functions, and the information relates to, or was supplied by, the other individual in their capacity as an employee of an education authority.

For social workers, it meets the ‘social work data test’ if:

  • the third-party individual is:
    • a children’s court officer;
    • a person employed by a body in connection with their statutory social work function(s); or
    • a person that provides a similar, non-statutory, social work service (for reward); and
  • the information relates to, or was supplied by, the other individual in their official capacity (or in connection with a non-statutory social work service).

Example

An individual makes a subject access request to their local council for a copy of all the information it holds on them. The information held includes several social services reports. The reports contain the personal data of the individual, a family member and a social worker. The council employs the social worker in connection with its statutory social work service, and they wrote the reports in their official capacity as a social worker. As such, it is reasonable for the council to provide the social worker’s personal data to the requester in response to the subject access request. However, the council must either have the consent of the family member, or consider whether it is reasonable to disclose their personal data without consent. If the council does not have consent, it is likely that it needs to reconcile the individual’s right of access with any duty of confidence owed to the family member.

Are there any other relevant factors?

In addition to the factors listed in the DPA 2018, the following points are likely to be relevant to a decision about whether it is reasonable to disclose information about a third party in response to a SAR.

  • Information generally known to the individual making the request. It is more likely to be reasonable for you to disclose the information if:
    • the individual making the request has previously received the third-party information;
    • the requester already knows the information; or
    • the information is generally available to the public.

It follows that third-party information relating to a member of staff (acting in the course of their duties), who the individual making the request knows well through their previous dealings, is more likely to be disclosed than information relating to an otherwise anonymous private individual.

  • Circumstances relating to the individual making the request. The importance of the information to the requester is also a relevant factor. You need to weigh the need to preserve confidentiality for a third party against the requester's right to access information about their life. Therefore, depending on the significance of the information to the requester, it may be appropriate to disclose it even where the third party withholds consent.

Do we need to respond to the request?

Yes. You need to respond to the requester whether or not you decide to disclose information about a third party. If the third party gives their consent, or if you are satisfied that it is reasonable to disclose it without consent, you should provide the information in the same way as any other information you provide in response to the SAR.

If you do not have the third party’s consent and you are not satisfied that it is reasonable to disclose the third-party information, then you should withhold it. However, you are still obliged to communicate as much of the requested information as you can, without disclosing the third party’s identity. Depending on the circumstances, it may be possible to provide some information, having edited or ‘redacted’ it to remove information that identifies the third-party individual.

You must be able to justify your decision to disclose or withhold information about a third party, so you should keep a record of what you decide and why. For example, it would be sensible to note why you chose not to seek consent or why it was inappropriate to do so in the circumstances.