Exemptions: can we refuse a SAR if it involves information about other people?
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
This guidance has been updated to reflect changes to the right of access brought about by the Data (Use and Access) Act. Some of these changes are not yet in force. However, we think it is useful for it to be published now so that you are ready for these changes. In particular, they set out that you only have to carry out a reasonable and proportionate search in response to a SAR; and that you can ‘stop the clock’ when asking for clarification on a request.
In more detail
- What if a SAR involves information about other people?
- What approach can we take?
- What about confidentiality?
- Does this exemption apply to supplementary information?
- What about health, educational and social work information?
- Are there any other relevant factors?
- Do we need to respond to the request?
- How do we deal with information that relates to the requester and a deceased person?
What if a SAR involves information about other people?
Personal information can relate to more than one person. Therefore, responding to a SAR may involve providing information that relates to both the requester and another person.
You do not have to provide information in response to a SAR, to the extent that this would reveal information about another person, unless:
- the other person has consented to the disclosure; or
- it is reasonable to disclose the information without their consent.
This is known as the ‘rights of others’ exemption (and sometimes as the ‘third-party data’ exemption). You can also rely on this exemption to issue a ‘neither confirm nor deny’ (NCND) response if simply confirming that you hold the information would prejudice the exemption.
In this section, we sometimes refer to the other person as a ‘third party’.
Example
A person makes a request to their local authority for a copy of information about their noise complaint. The file also contains information about their neighbour. This requires the authority to consider both the requester’s right of access and their neighbour’s rights in relation to their own personal information.
If you are dealing with a SAR for information that is also the personal information of a third party, you must consider whether either of these factors applies. If the other person consents to you disclosing the information about them, you will not be able to rely on this exemption to withhold it. If there is no consent (or if they refuse to give it), you must still decide whether to disclose the information anyway.
What approach can we take?
To help you decide whether to disclose information relating to a third party, you should follow the three-step process described below.
Step one — Does the request require disclosing information that identifies another person?
You should consider whether you can comply with the request without revealing information that relates to and identifies another person. You should take into account the requested information and any information you reasonably believe the person making the request may have, or may get access to, that would identify the third party.
Example
Consider the previous example about a person’s request for a copy of their noise complaint about their neighbour. Even if the authority redacts the neighbour’s name, they are likely to still be identifiable based on information already known to the person making the request.
As you are obliged to provide information rather than documents, you could delete names or redact documents if the third party’s information does not form part of the requested information.
If you cannot take out the third party’s information and still comply with the request, you should follow step two below.
Step two — Has the other person provided consent?
You must disclose the information if the third party has provided consent. Therefore, you could ask relevant third parties for their consent to the disclosure of their personal information in response to a SAR.
However, you are not obliged to ask for consent. Indeed, in some circumstances, it may not be appropriate to do so – for instance, where:
- you don’t have contact details for the third party;
- it would potentially disclose personal information of the requester to the third party that they were not already aware of;
- it would be inappropriate for the third party to know that the requester has made a SAR; or
- the third party cannot give their consent freely because there is an imbalance of power between you and them (for example, if they are your employee).
Step three — Is it reasonable to disclose without consent?
In practice, it may sometimes be difficult to get consent from a third party. If you don’t have consent, you must consider whether it’s reasonable to disclose the information about them anyway.
You must take into account all the relevant circumstances, including:
- the type of information that you would disclose;
- any duty of confidentiality owed to the third party;
- any steps you have taken to try to get the third party’s consent;
- whether the third party is capable of giving consent; and
- any stated refusal of consent by the third party.
This is a non-exhaustive list, and ultimately, it’s your decision whether to disclose the information to the requester. You must make the disclosure if it’s reasonable to do so without the third party’s consent.
Are there any other relevant factors?
In addition to the factors listed in the DPA, the following points are likely to be relevant when considering whether it’s reasonable to disclose information about a third party in response to a SAR.
- Information generally known to the person making the request. It’s more likely to be reasonable for you to disclose the information if:
  - the requester has previously received the third-party information;
  - the requester already knows the information; or
  - the information is generally available to the public.

  Third-party information about a member of staff (acting in the course of their duties), whom the person making the request knows well through their previous dealings, is more likely to be disclosed than information relating to an anonymous person.
- Circumstances relating to the person making the request. The importance of the information to the requester is also a relevant factor. You should balance the need to preserve confidentiality for the third party against the requester’s right to access their personal information. Depending on the significance of the information to the requester, it may be appropriate to disclose it even where the third party withholds consent.
- Context in which the SAR is made. You should consider the context in which the SAR is made, including the behaviour of the parties and the potential impact of disclosure on those involved. As a controller, you have discretion in deciding on the reasonableness of disclosure in the absence of consent.
What about confidentiality?
Confidentiality is one of the factors you must consider when deciding whether to disclose information about another person without their consent. You have a duty of confidence when a person discloses genuinely confidential information (ie information that is not generally available to the public) to you, with the expectation that it remains confidential. This expectation might result from:
- the content and context of the third-party information – for example, if it reveals that the third party is the subject of an ongoing disciplinary investigation; or
- the relationship between the parties. For example, the following relationships would generally carry with them a duty of confidence:
  - medical (doctor and patient),
  - employment (employer and employee),
  - legal (solicitor and client),
  - financial (bank and customer),
  - caring (counsellor and client), and
  - trade unions (trade union representative and member).
However, you cannot always assume confidentiality. Here are some examples of why confidentiality may not apply:
- A duty of confidence does not arise merely because a letter is marked “Confidential” (although this marking may indicate an expectation of confidence).
- If the information in such a letter is widely available elsewhere, it may not have the ‘necessary quality of confidence’.
- There may be other factors, such as the public interest, which mean that an obligation of confidence does not apply.
In most cases where a duty of confidence does exist, it is usually reasonable to withhold third-party information, unless you have the third party’s consent to disclose it.
Does this exemption apply to supplementary information?
Yes — this exemption may apply to any of the information you consider disclosing in response to a SAR, including the supplementary information.
Example
An employee (the requester) is currently subject to disciplinary proceedings based on reports that they are harassing other staff – for example, by using offensive language. The requester makes a SAR for their personal information.
In responding to the SAR, the employer is also required to provide the requester with a copy of the supplementary information. Although this largely corresponds with its privacy information, the employer also needs to provide details about the specific people it has disclosed the employee’s personal information to – including, where appropriate, other members of staff.
As the employer previously sought advice from its legal department about the requester’s behaviour, it has shared this information with a number of lawyers and paralegals. The employer has concerns about disclosing the specific identities of these staff members in case this also exposes them to similar harassment by the requester.
The employer applies the rights of others exemption to withhold details about the specific identities of the staff members. However, the employer must disclose details about the categories of people it has shared the requester’s information with. Therefore, it must inform the requester that it has shared the information with its legal department more generally.
What about health, educational and social work information?
If the person requests information that is also the personal information of a health worker, an education worker or a social worker, it’s reasonable to disclose information about them without their consent, if the disclosure meets the appropriate ‘test’.
For health workers, information meets the ‘health data test’ if:
- a health record contains the information; and
- the third party is a health professional who:
  - compiled the record,
  - contributed to the record, or
  - was involved in the requester’s diagnosis, care or treatment.
A ‘health record’:
- consists of information concerning health; and
- is made by or on behalf of a health professional (eg a doctor, dentist or nurse) in connection with a person’s diagnosis, care or treatment.
For education workers, information meets the ‘education data test’ if:
- the other person is:
  - an employee of a local authority that maintains a school in England or Wales,
  - a teacher or other employee at a voluntary aided, foundation or foundation special school, an academy school, an alternate provision academy, an independent school or a non-maintained special school in England or Wales,
  - a teacher at a school in Northern Ireland,
  - an employee of the Education Authority in Northern Ireland, or
  - an employee of the Council for Catholic Maintained Schools in Northern Ireland; or
- the other person is an employee at an education authority in Scotland (as defined by the Education (Scotland) Act 1980) in connection with their statutory education functions, and:
  - the information relates to the other person in their capacity as an employee, or
  - the other person supplied the information in their capacity as an employee of an education authority.
For social workers, information meets the ‘social work data test’ if:
- the third party is:
  - a children’s court officer,
  - a person employed by a body in connection with their statutory social work function(s), or
  - a person who provides a similar, non-statutory, social work service (for reward); and
- the information relates to, or was supplied by, the other person in their official capacity (or in connection with a non-statutory social work service).
Example
A person makes a SAR to their local council for a copy of all the information it holds about them. The information it holds includes several social services reports that contain the personal information of the person, a family member and a social worker.
The council employs the social worker in connection with its statutory social work service, and they wrote the reports in their official capacity as a social worker. As such, it is reasonable for the council to provide the social worker’s personal information to the requester in response to the SAR.
However, the council must either have the consent of the family member or consider whether it is reasonable to disclose their personal information without consent. If the council does not have consent, it is likely that it needs to consider any duty of confidence owed to the family member before responding to the SAR.
Do we need to respond to the request?
Yes. You must respond to the person, whether or not you decide to disclose information about a third party. If the third party gives their consent, or you are satisfied that it’s reasonable to disclose it without consent, you must provide the information in the same way as any other information you provide in response to the SAR.
If you do not have the third party’s consent and you are not satisfied that it’s reasonable to disclose their information, then you should withhold it. However, you must still provide as much of the requested information as you can, without disclosing the third party’s identity. Depending on the circumstances, you may be able to provide some information, after editing or redacting it to remove information that identifies the third party.
You must be able to justify your decision to disclose or withhold information about another person, so you should keep a record of what you decide and why – for example, why you chose not to seek consent or why it was inappropriate to do so in the circumstances.
How do we deal with information that relates to the requester and a deceased person?
The UK GDPR does not apply to a deceased person. Therefore, the rights of others exemption does not apply where the third party is deceased.
The death of a person does not mean that any information about them is freely available to anyone who requests it. Other legal protections may still apply, such as the common law duty of confidentiality. However, in some situations, redacting information about a deceased person may be unnecessary or inappropriate.