The duty to protect third parties: is your DSAR response compliant?
- 15 July 2024
- Privacy and Data Protection
Responding to a data subject access request (DSAR) may feel like a daunting process. It requires a solid understanding of the data subject’s rights, and of the meaning of personal data. The recent case of Harrison v Cameron and another [2024] EWHC 1377 (KB) highlights another point to consider: third party rights. This article discusses what you need to know following Harrison, as an organisation responding to a DSAR.
A DSAR is a request submitted by an individual (known as a ‘data subject’) to access any personal data that an organisation (the ‘data controller’) holds on the individual. As well as copies of their personal data, the data subject has a right to know how their personal data is being used, including whether it is being used lawfully.
Organisations will undertake a reasonable search in line with the request (which usually includes a search for the data subject’s name across their records) and will subsequently review all the flagged documents for any personal data relating to the data subject. Audio and visual data must also be searched. Once personal data has been identified, it must be disclosed to the data subject unless any exemptions apply.
The Data Protection Act 2018 provides exemptions when responding to a DSAR. One of these relates to third party rights and essentially says that a DSAR does not need to be complied with if doing so means disclosing information which identifies another individual, except where:
When looking at what is reasonable, the ICO suggest that a data controller is expected to consider all the relevant circumstances including the type of information involved, any duty of confidentiality owed to the third party, and any stated refusal of consent by the third party.
It should also be noted that data controllers will be expected to consider whether they are able to comply with the DSAR to any extent, for example by separating out the third party data from the data subject’s or applying redactions to protect the third party rather than refusing to comply entirely.
The defendants (a director and his gardening company) conducted work on the claimant’s property, and a dispute arose, leading to phone conversations between the claimant and the defendants, which the director recorded. The recordings, in which the director alleged that the claimant threatened him, were shared with a number of individuals, including employees, family members and friends. The claimant claimed that these recordings, shared with his professional peers and competitors, caused significant financial losses for his own company, and he submitted DSARs to identify all the recipients of the recordings. The defendants argued that the UK GDPR was not relevant here as it does not cover purely personal or household activity, which is what they alleged this was.
In dismissing the claim, the court addressed three main issues:
This case illustrates critical considerations regarding the UK GDPR when responding to a DSAR, in particular the tensions between a data subject’s right to access personal data and the need to protect third parties’ rights.
As seen in Harrison, personal data can relate to more than one person and responding to a DSAR may involve reviewing and considering information that relates to both the data subject making the DSAR, and someone else. There is a careful balancing exercise to be undertaken here and it is important organisations get this right to ensure they comply with their DSAR obligations towards the data subject without inadvertently infringing the rights of others.
Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.