Dealing with third party data in a subject access request
An individual has a right to their personal data under section 7 of the Data Protection Act. A request for that personal data is made by way of a subject access request.
An individual's personal data can often contain data relating to a third party. If a data controller finds that fulfilling a subject access request would result in disclosing information relating to a third party, then it need not comply with the subject access request unless the third party consents to the disclosure. However, the data controller must comply if it is reasonable to do so without the consent of the third party.
This presents a difficult balancing exercise between the rights of the individual and the rights of the third party. These rights are also supported by Article 8 of the European Convention on Human Rights, which states that everyone has the right to respect for their private and family life, their home and their correspondence.
This issue recently arose in a case that reached the High Court. It was held that a doctor's (third party) fitness to practise should not be disclosed in a former patient's (individual) subject access request. The court provided three-step guidance for data controllers who find themselves in this balancing exercise:
Consent is a key factor; data controllers should therefore consider contacting any third parties mentioned in the subject access request as soon as possible to ask for their consent to disclose.
The commercial team at Greenaway Scott are more than happy to discuss in more detail the process of subject access requests and how to deal with third party data. Please contact us at firstname.lastname@example.org