The duty to protect third parties: is your DSAR response compliant?

Responding to a data subject access request (DSAR) may feel like a daunting process. It requires a solid understanding of the data subject’s rights, and of the meaning of personal data. The recent case of Harrison v Cameron and another [2024] EWHC 1377 (KB) highlights another point to consider: third party rights. This article discusses what you need to know following Harrison, as an organisation responding to a DSAR.

What is a DSAR?

A DSAR is a request submitted by an individual (known as a ‘data subject’), to access any personal data that an organisation (the ‘data controller’) holds on the individual. As well as copies of their personal data, the data subject has a right to know how their personal data is being used, including if it is being used lawfully.

What does the process of responding to a DSAR involve?

Organisations will undertake a reasonable search in line with the request (which usually includes a search for the data subject’s name across its records) and will subsequently review all the documents flagged, for any personal data relating to the data subject. Audio and visual data must also be searched. Once personal data has been identified, it must be disclosed to the data subject unless any exemptions apply.

What are the exemptions for disclosing personal data?

The Data Protection Act 2018 provides exemptions when responding to a DSAR. One of these relates to third party rights and essentially says that a DSAR does not need to be complied with if doing so means disclosing information which identifies another individual, except where:

• the other individual has consented to the disclosure; or
• it is reasonable to comply with the request without that individual’s consent.

When looking at what is reasonable, the ICO suggest that a data controller is expected to consider all the relevant circumstances including the type of information involved, any duty of confidentiality owed to the third party, and any stated refusal of consent by the third party.

It should also be noted that data controllers will be expected to consider whether they are able to comply with the DSAR to any extent, for example by separating out the third party data from the data subject’s or applying redactions to protect the third party rather than refusing to comply entirely.

What happened in the case of Harrison?

The defendants (a director and his gardening company) conducted work on the claimant’s property, and a dispute arose, leading to phone conversations between the claimant and the defendants, which the director recorded. The recordings, in which the director alleged that the claimant threatened him, were shared with a number of individuals, including employees, family members and friends. The claimant claimed that these recordings, shared with his professional peers and competitors, caused significant financial losses for his own company, and he submitted DSARs to identify all the recipients of the recordings. The defendants argued that the UK GDPR was not relevant here as it does not cover purely personal or household activity, which is what they alleged this was.

In dismissing the claim, the court addressed three main issues:

1. Scope of the UK GDPR: the court ruled that the director’s actions in processing the data (i.e. recording the phone conversation) were not purely personal or household activities as the recordings were made in a business context and in his capacity as director for that business, therefore, the processing fell within the scope of the UK GDPR.
2. Data controller status: the court determined that the director, acting as a director of his company, was not a data controller in his personal capacity. The company was the data controller, responsible for determining the purposes and means of processing the personal data.
3. Recipients’ identities and rights: while the claimant had the right to know the recipients of his personal data under Article 15 of the UK GDPR, the court found that the company’s actions in withholding the identities were justified under the third party exemption referred to above. In this case, none of the recipients of the recordings had consented to their names being disclosed and it would not have been reasonable to disclose them in any event given concerns that the recipients would be exposed to similar threatening treatment as was captured in the recordings.

This case illustrates critical considerations regarding the UK GDPR when responding to a DSAR, in particular the tensions between a data subject’s right to access personal data and the need to protect third parties’ rights.

As seen in Harrison, personal data can relate to more than one person and responding to a DSAR may involve reviewing and considering information that relates to both the data subject making the DSAR, and someone else. There is a careful balancing exercise to be undertaken here and it is important organisations get this right to ensure they comply with their DSAR obligations towards the data subject without inadvertently infringing the rights of others.

Is your organisation facing a DSAR? Speak to our Data Protection team today for legal advice and assistance.