Recent court judgments have some important conclusions relating to subject access requests (SARs) and, in particular, personal data relating to third party individuals. The relevant law for these cases is the Data Protection Act 1998. Similar principles will apply to equivalent rules under the GDPR and Data Protection Act 2018, though I have also raised some important differences below.
So what is the issue with third party data in the context of SARs? The issue arises where, as is often the case, records or documents containing personal data of a requestor under a SAR also contain personal data of another individual.
Sometimes, the data relating to the other individual is separate from the data relating to the requesting data subject. In these circumstances it is not relevant to the SAR and can simply be removed or redacted from the document.
However, in other cases, the information relates to both the requesting individual and another individual (sometimes referred to as ‘mixed’ data), and it is not possible to disclose to the data subject their own personal data without also disclosing data relating to another identifiable individual. This may arise, for example, where there is a description of events or actions involving two individuals, or where one individual gives an opinion of someone else, which reveals information about both parties. In these circumstances, unless the other individual has given their consent to disclosure, the controller needs to balance the rights of the two individuals in deciding whether or not to disclose such data.
On 28 June 2018[1], the Court of Appeal considered the balancing test between the rights of a SAR requestor and the rights of another individual when the data of the requestor includes third party data.
In this case, a patient had made a subject access request and the GMC had withheld a report containing personal data of both a doctor and the patient. A key factor was that it appeared that the primary motive behind the SAR was to use the data in litigation against the doctor. The High Court had originally ruled that this was a weighty factor and that the full report containing personal data of the doctor should not be disclosed, in order to protect the doctor’s rights. However, the Court of Appeal disagreed and considered that the interests of the patient overrode the interests of the doctor regardless of the patient’s motivation (on the facts of the case).
The judgment contains some useful points to consider when applying the balancing test for third party information.
On 10 April 2019, the High Court considered the extent to which the identity (and other personal data) of another individual (or organisation) involved in a matter constituted the personal data of the requesting individual under a SAR; in other words whether the identity of a third party ‘relates to’ the requesting individual. If it does not, then such identity can be excluded from the response; if it does, then the third party data balancing test would kick in.
It was another medical-related case. Dr. Rudd was a medical expert in asbestos exposure. Mr. Bridle had been involved in the manufacture and use of asbestos in cement products for 50 years, and advised and campaigned on asbestos medical issues. Records held by Mr. Bridle (and his associated company) included information about:
The Court ruled that the identities of such people were Dr. Rudd’s personal data; the information was focused on him and biographically significant. For those people who were individuals, the third party data balancing test was then necessary. This was not necessary where they were organisations (such as the GMC).
However, the identities of third party recipients to whom Dr. Rudd’s personal data was communicated (such as by email) were not, in themselves, Dr. Rudd’s personal data. The information needed to relate to Dr. Rudd in order to be his personal data. The Court stated that it was "…easy to understand what is being written about Dr Rudd in the extracts provided, without knowing to whom it is being written."
Note that in coming to this conclusion the Court referred to the interpretation of the term ‘personal data’ in the leading case of Durant v Financial Services Authority ([2003] EWCA Civ 1746). Under the GDPR, the definition of personal data, whilst similar to previous law, needs to be re-examined and interpreted consistently with its interpretation across the EU. The ICO has produced new guidance on the meaning of these terms under the GDPR. In particular, the EU and UK guidance on interpretation of ‘relating to’ within the definition of ‘personal data’ captures a potentially wider scope of information than is apparent from a strict application of the ‘biographically significant’ test.
Some other interesting SAR points arising from Rudd v Bridle:
The Court in Rudd v Bridle referred to the right, as part of a subject access request, to be provided with "a description of…the recipients or classes of recipients to whom [personal data] are or may be disclosed". The Court confirmed that this did not require the identity of a recipient to be disclosed (and this is consistent with the ICO’s previous SAR Code of Practice, which indicated that names of recipients were not required). So, as raised above, it was instead necessary to consider whether the identity of the recipients constituted the personal data of the requesting individual (which was not the case unless they formed part of information relating to that individual).
Note, however, that under the GDPR, the wording of the equivalent requirement is slightly different and individuals are entitled to know, under Article 15, "the recipients or categories of recipient to whom the personal data have been or will be disclosed". The EU Article 29 Working Party (now the European Data Protection Board or EDPB) Guidelines on Transparency (WP260 rev.01) comment on the interpretation of the term ‘recipients or categories of recipients’ as follows[2].
"The actual (named) recipients of the personal data, or the categories of recipients, must be provided. In accordance with the principle of fairness, controllers must provide information on the recipients that is most meaningful for data subject. In practice, this will generally be the named recipients, so that the data subjects know exactly who has their data. If the controllers opt to provide the categories of recipients, the information should be as specific as possible…"
To summarise, under current law, in many cases naming specific recipients will help to ensure fairness and transparency in relation to the disclosure (and in my view that was also the case under previous law, even if the specific reference to recipients in the legislation was less prescriptive). Recipients who are controllers will also have their own transparency obligations under data protection laws, which require their identity to be given to data subjects.
The Court in Rudd v Bridle referred to the right, as part of a subject access request, to be provided with "any information available to the data controller as to the source of those data". This is worded differently to the requirement relating to recipients of data referred to above, and does not require just a description, but "any information available". So information held by the controller about sources of data needs to be disclosed in response to a SAR, although note that:
Under Article 15 of the GDPR, there is a similar SAR requirement to provide "any available information" as to the source of personal data.
The Court in Rudd v Bridle discussed the application (or not) of exemptions to subject access relating to legal professional privilege, journalism and regulatory activity.
In relation to the latter (section 31 of the Data Protection Act 1998), the Court considered whether the processing of personal data by an informant or whistleblower who reports an individual to a regulator can fall within this exemption. The Court commented that the wording "personal data processed for the purpose of discharging functions…" in section 31 indicates that only the processing by the regulatory body itself is covered. However, it did not make a formal judgment on this point (as it did not need to in the context).
Schedule 2 of the Data Protection Act 2018 contains a similar exemption relating to "Functions designed to protect the public".
See also Article number 10 in my series in relation to Dawson-Damer and the legal professional privilege exemption to SARs.
Olivia Whitcroft, principal of OBEP, 6 June 2019
[1] Okay, this was before my maternity leave, but it is an important update nonetheless!
[2] Though the comment is in the context of Article 13 information to be provided, it uses the same terminology as Article 15.
This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details