Responding to SARs: Do You Have to Identify a Third Party?

If you’ve never received a subject access request (SAR), you probably will at some point, but do you know how to respond – particularly where the person is requesting the identity of a third party? Be cautious as it may not be as straightforward as you might expect.

To that end, useful clarification on the duty to respond to an SAR under data protection legislation has been given by the High Court in a case where disclosing an individual’s identity was a key issue [1].

Individuals have the right to ask an organisation to disclose to them the personal data it holds on them. That does not mean the person making the SAR has the right to demand everything they want. An organisation can refuse to comply where, for instance, the information is exempt, or it is not reasonable or cost effective to comply – but it must give reasons for refusing.

What’s the background?

A medical doctor specialising in the science of asbestos exposure made SARs on a lobbyist for the asbestos industry and the lobbyist’s manufacturing company, but he was dissatisfied with the responses he received. The defendants alleged that the doctor was part of ‘the great asbestos scam’ and argued that most of the data sought under the SARs were exempt from subject access and that the doctor had received all the information to which he was entitled.

The identity of various third parties was a key issue: the doctor’s particulars of claim made it clear that he wanted to know the identities of those responsible for what he said were attempts to discredit him and deter him from acting as an expert witness. And it’s on this issue of disclosure of identity that organisations will find the court’s guidance (and its conclusions on the facts) of practical use.

Court guidance

A good starting point is the ICO's Subject Access Code of Conduct which states: "The right to a description of other organisations or people to whom personal information may be given is a right to this information in general terms; it is not a right to receive the names of those organisations or people."

A key question is whether the identities of those to whom data about an individual are disclosed count as part of the individual's personal data. This depends on the facts. The ICO's Code of Practice suggests there will be cases in which "it is impossible to separate the third-party information from that requested." So on the facts of this case:

· the identity of the other parties the doctor was alleged to have conspired with was part of the expert’s personal data, as it was integral to the information held on him and biographically significant, and should be disclosed. It was unreasonable to withhold this from him;

· the names of recipients of emails sent by the lobbyist which contained his personal data did not have to be disclosed. However, under data protection law and the SAR Code of Practice the doctor did have a right to be given a description of recipients; and

· he was also entitled to be told the actual identity of the persons or bodies that had provided information about him to the lobbyist (though that person’s consent might need to be obtained).

What’s important to emphasise from this ruling is that whether or not the identities of others can be lawfully disclosed depends much on the facts of the case.

Lessons for businesses

Businesses need to be familiar with the SAR rules and understand the limits to which they are required to disclose information. When an SAR includes a request for information about the identity of third parties, particular care must be taken so that the person making the SAR receives the information to which they are strictly entitled, and a third-party individual’s right to privacy is also considered when necessary.

[1] Rudd v Bridle & Anor (Rev 1) [2019] EWHC 893

If you would like us to cover an issue in the next NGM Tax Law Newsletter, we would be pleased to hear from you.