DSAR ruling and other people’s data

June 2024

High Court judgement in Harrison vs Cameron case

A recent High Court ruling concerning a Data Subject Access Request (DSAR) raises some interesting points about how organisations comply with people’s right to know the identity of the recipients of their personal data, and how organisations apply the ‘third-party exemption’.

The right of access gives people the right to receive a copy of their own personal data; it doesn’t give them the right to receive personal data relating to others. However, other people’s details are often intertwined with the data retrieved.

In this particular case, the focus was on other people the requester’s data had been shared with, and whether the requester had the right to know the identity of these recipients.

The ‘third party exemption’ frequently comes up for debate when handling DSARs and this case sheds light on how this exemption should be applied.

In the ruling the Judge found that it’s necessary to apply a ‘balancing test’ when considering the third-party exemption. It was also acknowledged that the controller is the ‘primary decision maker’ when assessing whether it is reasonable or not to disclose personal data relating to others, and has a ‘wide margin of discretion’ in this decision.

Here’s some background to two of the key points of law in this case:

What’s the third-party exemption?

The third-party exemption is set out in the UK Data Protection Act 2018 and says organisations (controllers) do not have to comply with a DSAR to the extent that doing so would mean disclosing information which identifies another individual. Organisations can disclose such information if the third party has given their consent, or if it’s reasonable to disclose it without their consent.

What about the recipients of personal data?

Along with the right to receive a copy of their personal data, when an individual submits a DSAR they are also entitled to receive other supplementary information. This includes details of any ‘recipients’ or ‘categories of recipients’ to whom the organisation has disclosed, or will disclose, their personal data.

The Harrison vs Cameron case

Mr Harrison, Chief Executive of a real estate investment company, was covertly recorded making threats to Mr Cameron, the owner of a gardening business. Here’s a summary of what happened next:

  • Mr Cameron shared the recording with some of his employees, members of his family and friends.
  • Mr Cameron sent the recording to twelve people in total, and it was then shared on to a further three people.
  • Mr Harrison claimed the recordings had been shared more widely and damaged his business.
  • Mr Harrison submitted a DSAR to Mr Cameron in a personal capacity (I’ll come back to this) and submitted similar requests to others, including employees at the gardening business. He demanded to know the identity of the people who’d received the recording.
  • Mr Cameron and others declined his request, and the case ended up in the High Court.

The Court decided Mr Cameron was not himself a controller of Mr Harrison’s data, and that he’d made the recordings in his capacity as a director of the gardening company. Therefore the company, not Mr Cameron, was the controller and responsible for fulfilling the request.

According to the judge, a person’s rights extend to being provided with details of the specific recipients of their personal data, including the names of individuals who’ve received their data. The rationale is to enable the individual to check the lawfulness of how their personal data is being handled. This is a potentially worrying development, as organisations may previously have treated this as a choice between providing the names of specific recipients or providing only the categories of recipient. This ruling makes it clear the choice is the requester’s, not the controller’s.

However, in this case the judge found the gardening company could rely on the third-party exemption and not disclose the identity of the recipients. Why? None of the fifteen recipients consented to their names being disclosed to Mr Harrison, due in part to concerns this might expose them to abusive and threatening behaviour. Because of these safety concerns, the judge ruled it would not be reasonable to disclose people’s names without their consent.

Ultimately this ruling makes it clear that the decision is the controller’s to make: is it reasonable, or not, to disclose information which identifies other people?

Third-party balancing test

The ICO’s Right of Access guidance provides helpful pointers on how to conduct a balancing test when considering the third-party exemption. There isn’t a blanket rule; a balanced decision is required on whether it’s appropriate in the circumstances to disclose information relating to others, or to withhold it.

1. Can you redact or not provide?

Consider whether it’s possible to comply with the request without revealing information that relates to, and identifies, another individual. For example, can this third-party information be redacted, or can you separate out the requester’s personal data?

Sometimes, even redacting other people’s names doesn’t render them unidentifiable. There may be situations where you can reasonably assume the requester will be able to work out whose name has been redacted.

2. Can you seek consent?

If you can get the consent of another individual to disclose their details, the problem is solved. I’ve been involved in cases where the consent of other employees has been sought in employee-related requests and they’ve given it.

However, you’re not obliged to seek consent, and it may not be appropriate to do so. You might not have contact details for the third party, or you might not want to share information with them or let them know that a particular individual has submitted a DSAR.

3. Reasonable to disclose without consent?

Where the information about other individuals is fairly innocuous and you can’t identify any negative impact on them, you may choose to disclose the information without consent. In assessing whether this is reasonable, you need to take account of:

  • the type of information you intend to disclose
  • whether it was possible to seek consent or not
  • whether consent was declined
  • any duty of confidentiality

Any potential repercussions for the third party if their data is disclosed (or if they are identifiable from what you provide) can also be considered. As this case shows, concerns for a person’s safety can be justification for applying the third-party exemption.

I’ve worked on many cases where this has been debated, situations where redaction wouldn’t render the third-party unidentifiable and it wasn’t appropriate to seek consent. The context is crucial, sometimes it has been reasonable to disclose, other times we had justified concerns and chose to withhold.

It’s important to be clear with the requester about what you are giving them in your response to their DSAR. If you rely on the third-party exemption, you should tell them, and explain why. I’d also highly recommend documenting your decision-making just in case it’s challenged.

Data Subject Access Requests – 10 Quick Tips

September 2022

Handling DSARs efficiently and effectively

DSARs can be challenging to handle and complete on time, especially when you get one from a disgruntled ex-employee with a grievance.

While it’s clearly important for people to be able to request and receive a copy of their personal data, I fully appreciate how tricky they can be to fulfil. Prior to joining the DPN more than seven years ago, I used to handle them myself and now I spend a fair bit of time helping clients with the requests they receive. Without further ado, here are my quick tips.

Ten Quick DSAR Tips

1. Staff Awareness

A request can come into any part of the business. Requests can be made in writing, verbally or even via social media. However they come in, they’re valid. Customer-facing staff and others need to know how to recognise them and what action to take. And not all requests for information will be a DSAR.

2. It’s not a right to documentation!

People have the right to request a copy of their personal data, but they don’t have the right to receive reams of documents which might contain just their name or email address, or in part relate to them. You can extract relevant personal data from documents and emails, as long as the context is made clear.

3. Always acknowledge DSARs

Quickly acknowledge any request. It can also be helpful to explain a little more about what they can expect to receive. This can save issues further down the line if the individual doesn’t get what they expected to. Always be personable and polite, even if they aren’t!

4. Diarise response date

Be sure to set the date by which the DSAR must be fulfilled. This is one calendar month from the date you received it. You can start the clock after you’ve received any necessary confirmation of the requester’s identity, and you can pause the clock if you need to seek further clarification. Where a request is complex, or you’ve received several from the same individual, you can extend the deadline by up to two further months, but you must tell the requester within the first month that you are doing so and why.

5. Talk to the requester

Don’t always sit behind the comfort of an email. A telephone call may be a novel suggestion, but in my experience actually speaking to the person (if they are happy to take your call) can make a huge difference.

6. Be wary of requests from third-party portals

Increasingly, organisations are receiving DSARs and other privacy rights requests via third-party portals which offer to submit the requests on behalf of individuals. Sometimes multiple requests are received at once. You have a responsibility to check these requests are genuine: be sure the individual is who they say they are, and that the third party has the authority to act on their behalf.

I’ve written more about this here: Managing Erasure Requests or DSARs via Third-Party Portals

7. Collaboration

One person, or indeed the data protection team, can’t fulfil these requests on their own. Make sure others who’ll need to support in gathering relevant information understand their responsibilities, and in particular the need to prioritise any actions. The clock keeps ticking and a calendar month can race away.

8. Share the knowledge

What happens if the person who routinely handles requests is off sick? Or the person from the IT team who knows how to gather the data is on holiday? Make sure other people are familiar with the process, and have a clear written procedure others can pick up if necessary.

9. Don’t forget the exemptions

There’s information you can legitimately withhold. The exemptions are there for a reason – to cover information you’ve good reasons for not disclosing. This might be information relating to other individuals, details subject to legal privilege or commercially sensitive information. Sometimes you’ll be obliged to rely on an exemption, other times you may choose to rely on one or not. Be sure to tell people if you’ve used one (or more) and why.

The ICO’s Right of Access Guidance covers the exemptions and links through to the relevant sections of the Data Protection Act 2018.

10. Respond securely

The last thing you want is to cause a potential data breach when responding to a DSAR! It can be helpful to liaise with the individual about how you send the data to make sure this will work for them. While secure sending is crucial, you shouldn’t make it difficult for them to access.

Hmm, should I have done more than 10 tips? Be proportionate when asking for proof of ID, consider the privacy of others… and I could go on. Check out our DSAR Guide for more information.

Often DSARs are straightforward, but sometimes they’re a minefield. Having a clear procedure can go a long way to making sure things run as smoothly as possible.

Data Subject Access Request Guide

Being prepared and handling DSARs

Handling Data Subject Access Requests can be complex, costly and time-consuming. How do you make sure you’re on the front foot, with adequate resources, understanding and the technical capability to respond within a tight legal timeframe?


This guide aims to take you through the key steps to consider, such as…

  • Being prepared
  • Retrieving the personal data
  • Balancing complex requests
  • Applying redactions & exemptions
  • How technology can help