The ICO’s recent fine for a data breach at a GP surgery in Hertfordshire was the direct result of a subject access request (“SAR”) that had gone wrong.
The surgery revealed confidential details about a patient to an estranged ex-partner because there were insufficient systems in place for staff to deal with SARs.
Subject access is a fundamental right of individuals under the Data Protection Act 1998 (the “DPA”). Enabling individuals to find out what personal data you hold about them, why you hold it and who you share it with is fundamental to good information-handling practice. The right is set out in section 7 of the DPA, and individuals exercise it by making a written subject access request, or SAR.
Aside from the £40,000 fine, this case caused huge damage to the organisation’s reputation. Such a significant and high-profile data breach could have been avoided had suitable internal measures been put in place. Whatever the size of your organisation, if you hold personal data you are likely to have to respond to a SAR at some point.
Dealing with SARs involving third party data
As the GP surgery case shows, responding to a SAR may involve providing information that relates both to the requester and to another individual. Under the DPA you do not have to comply with the SAR if doing so would mean disclosing information about another individual who can be identified from that information, except where:
- the other individual has consented to the disclosure; or
- it is reasonable in all the circumstances to comply with the request without that individual’s consent.
So, although you may sometimes be able to disclose information relating to a third party, you need to decide whether it is appropriate to do so in each case. This decision will involve balancing the data subject’s right of access against the other individual’s rights in respect of their own personal data. If the other person consents to you disclosing the information about them, then it would be unreasonable not to do so. However, if there is no such consent, you must decide whether to disclose the information anyway. You should make decisions about disclosing third-party information on a case-by-case basis. It is not advisable to apply a blanket policy of withholding it.
For the avoidance of doubt, you cannot refuse to provide subject access to personal data about an individual simply because you obtained that data from a third party. The rules about third party data apply only to personal data which includes both information about the individual who is the subject of the request and information about someone else.
ICO figures show that 46% of all complaints made to the ICO last year were about SARs and the difficulties people face when trying to get hold of their personal information. This is a substantial figure and highlights that – however inconvenient – SARs should not be taken lightly by companies.
It is important to make sure staff are equipped to deal with SARs. The ICO has published helpful guidance on best practice for dealing with SARs; alternatively, for more information on this subject, feel free to contact a member of the Fox Williams idatalaw team.
Daniel Geller is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at firstname.lastname@example.org