In detail
- What is the basic rule?
- What approach should we take?
- What about confidentiality?
- Does categorising people impact what information we can provide them with?
- How should we deal with requests from people who fall within multiple categories?
What is the basic rule?
Personal information can relate to more than one person. Therefore, responding to a SAR may involve providing information that relates to both the requester and another person (“third party information”).
Example
A prisoner makes a request for all their personal information. They have recently assaulted another inmate. The prison authority’s records contain personal information about the victim, witnesses, and a number of other people, including family members of the prisoner.
The prison authority needs to consider the rights of the third parties when responding to the prisoner’s SAR.
In such circumstances, you could apply the restriction set out in section 45(4)(e) of the DPA 2018. This allows you to restrict access where it is necessary and proportionate to protect the rights and freedoms of others.
In order to consider whether to apply the restriction, you should follow the three-step process set out below.
What approach should we take?
Step one – Does the request require disclosing information that identifies someone else?
You should consider whether it is possible to respond to the request without revealing information about a third party. You should take into account the requested information and any information you reasonably believe the person making the request may have, or may get hold of that would identify the third party.
Depending on the circumstances, you may be able to redact the third party information, so that the other people are no longer identifiable. However, people may be identifiable from the context or circumstances, even if you redact their name or other personal details. For example, if you disclose a witness statement to a suspect, the suspect might be able to identify the witness from the general content and context of the statement.
Example
A person is arrested for assault. A witness who lives nearby has made a statement describing the attack. The person who was arrested makes a SAR for their personal information. If the witness statement is released, it is reasonably likely that the person will be able to identify the witness from the date, time, description of the incident, context and circumstances.
You should consider the risk to other people broadly. If you redact personal details, you should carefully consider whether the third party may be identifiable by jigsaw identification.
Example
A person is charged with possession of cannabis with intent to supply, after a fifteen-year-old child who lives in the area noticed the person behaving suspiciously one evening while out walking their dog. They reported the incident to police and later provided a statement.
The person makes a SAR to the police for their personal information. If the police redact the child’s name and personal details, they are not obviously identifiable from the statement, or the transcript of the telephone recording when they reported the incident. However, if the police disclose any of this information, the person may be able to identify the child through jigsaw identification. For example, the child walks their dog in a specific location at the same time each day. There is also a risk that the suspect’s acquaintances may have noticed the child in the area that evening.
In deciding whether to apply the restriction, the police should take into account any relevant factors. This includes the fact that the statement is likely to be disclosed in the course of criminal proceedings anyway, but under the jurisdiction of the court. The police then need to balance the rights of the person making the SAR with the rights of the child who provided the statement.
Step two – Do we need to apply the restriction?
It may be impossible to simply remove the third party information and still comply with the request. In these circumstances, you should consider whether it is reasonable to apply the restriction for third party information.
Step three – Is the balance for or against disclosure?
You must carefully consider the rights, freedoms and legitimate interests of both the requester and the third party, when you decide whether the restriction is necessary and proportionate. You should consider all relevant circumstances, and in particular:
- the type of information that you would disclose;
- how you have categorised both the person making the request and the third party;
- the impact of restricting access on the fundamental rights, freedoms and legitimate interests of the person who made the SAR;
- the impact of disclosure on the fundamental rights and freedoms of the third party;
- any duty of confidentiality owed to the third party; and
- whether it may be appropriate, in the circumstances, to obtain consent from the third party.
This is an non-exhaustive list, and ultimately you should make this decision taking these factors into account, along with the context of the information.
Due to the sensitivities of law enforcement processing, it may not always be appropriate to ask a third party whether or not they consent to the disclosure of their information to the requester. You should take into account the specific circumstances of the request when making your decision.
Example
The police receive a number of reports about various incidents of domestic violence occurring within a household. These reports have been made by the complainant. The suspect has a number of previous convictions, and the police hold a large amount of personal information about them.
The suspect makes a SAR for all the personal information the police hold about them. The police apply a restriction to some of the information as disclosure may prejudice an ongoing investigation.
The police have completed their investigations into the domestic violence allegations made by the complainant. The prosecution service has decided there is insufficient evidence to pursue a prosecution at this stage. However, the police are keeping the information on record in case the complainant makes further allegations or the situation escalates. The police understand that the suspect may not be aware of the allegations their partner has made about them.
The police balance the suspect’s right to access the reports of domestic violence made about them, against the need to protect the complainant. They have concerns that disclosing the information may risk the life and safety of the complainant. Therefore, they restrict access to this information.
However, they are able to disclose some of the information they hold about the suspect. This information does not relate to the domestic violence allegations and therefore does not present a risk to the complainant or prejudice the ongoing investigations.
What about confidentiality?
Confidentiality is one of the factors you must take into account when deciding whether to disclose information about a third party without their consent. A duty of confidence arises when someone discloses genuinely confidential information to you (ie information that is not generally available to the public), with the expectation that it remains confidential. This expectation might result from any statutory or common law obligations to keep certain information confidential. For example, statutory prohibitions, court orders (eg witness protection measures) or anonymity orders.
In most cases where a duty of confidence does exist, you should usually withhold information about a third party, unless you have the person’s consent to disclose their personal information.
Does categorising people impact what information we can provide them with?
Under Part 3, organisations are required to make a distinction between personal information you use about different categories of people. This includes:
- those suspected of having committed, or being about to commit, an offence;
- those convicted of a criminal offence;
- victims and complainants; and
- witnesses or those with information about offences.
You may also hold information about contacts or associates of suspects and convicted offenders.
How you have categorised someone could be useful for you in deciding how to respond to a SAR. In particular, it may be relevant when you are thinking about whether to apply a restriction, in considering risk and proportionality, and balancing people’s rights.
Example
The key witness and victim in a criminal investigation both make a SAR to the police for their personal information. Some of the information held is about both people. The police need to separately consider whether they can disclose this information to each person.
In responding to the SAR made by the key witness, the police consider whether to withhold the information. While there are a number of reasons why they think the key witness has a right to the information, the police ultimately decide against disclosing it.
In responding to the SAR made by the victim, the police consider whether to withhold the information. In this instance, they decide that any impact to the key witness is minimal and disclose the information to the victim.
In different circumstances, the police might decide that they should disclose the information to the key witness but not the victim. For example, if the key witness needs the information to obtain legal advice.
However, you should consider the particular circumstances of the request, regardless of how you have categorised people.
Example
The police hold information on their records about two next-door neighbours, Person A and Person B. There is an ongoing dispute between them about works Person A is carrying out to their property. The matter escalated one afternoon when Person B broke all the windows to Person’s A’s new house extension with a crowbar. Person A retaliated by physically assaulting Person B, which resulted in them needing hospital treatment. Both people were arrested.
Each person makes a SAR to the police. Some of the information being processed is about both people. In responding to each SAR, it’s important that the police consider the requests separately, and weigh up the rights of each person, when they decide whether to comply.
In particular, given the nature of the incident, the police should consider whether there is a risk to either person, if they disclose their information to the other.
The police might decide to disclose the information to both people. Alternatively, they may decide that the balance weighs in favour of disclosing the information to one person, but not the other. They may instead decide not to disclose the information at all. However, the police should record the reasons for their decision.
How should we deal with requests from people who fall within multiple categories?
There may be instances when someone falls under more than one of the categories described in the above section. You may process a person’s personal information in different contexts, or hold it within different files across your systems.
Example
The police process a person’s personal information to investigate crime. The person is a suspect in a burglary, but is also a prosecution witness in a murder case. They are the complainant in an assault case, and the key witness in a dangerous driving case.
If someone falls into more than one category, you must be able to clearly identify and distinguish between these different categories for each piece of information you hold about them. If they make a SAR, you must identify what information their request relates to, and whether any of the restrictions are relevant to that specific information.
You can consider risk broadly. In many circumstances, disclosing personal information that relates to one case, may risk prejudicing another case. For example, it may be reasonable to restrict a person’s right of access if disclosure would prejudice a separate or linked investigation. However, you must be able to justify why you have restricted someone’s right of access in these circumstances, and you should ensure that any restriction is necessary and proportionate.
If you receive a SAR from someone who falls within multiple categories, you could ask them to explain what information they are looking for.