In part 1 of this blog series, we asked how employers facing a Data Subject Access Request (DSAR) should be dealing with ‘mixed data’ cases, i.e. when a third party’s personal data is intertwined with that of the requester?
Mixed data comes in many forms. For example, an email from John to a colleague saying what he really thinks about Mary’s performance would contain both John’s personal data (his opinion) and Mary’s personal data (information is no less personal data for being an opinion rather than a statement of fact). Another example of mixed data is found in the recent case of Dr B v General Medical Council (GMC), where an investigation report contained the personal data of both a doctor and his patient (more on that case below).
Under the Data Protection Act 2018, a data controller (employer for the purposes of this piece) does not have to comply with a request under a DSAR to the extent that it would mean disclosing information about another individual who can be identified from that information, except where the other individual has (i) consented to the disclosure; or (ii) where consent is not requested or is actively refused, it is reasonable to comply with the request without it.
So, in our hypothetical example, do you need to provide John’s email to Mary? If John consents, you must provide the email. However, if he does not consent (and there is no specific obligation on the employer to seek the third party’s consent) attention turns to whether it is ‘reasonable’ to comply with the request, balancing Mary’s right of access against John’s right of privacy.
The DPA18 (echoing its predecessor) states that when assessing reasonableness and carrying out this balancing test, you should consider (i) the type of information that would be disclosed (is this Mary’s ‘smoking gun’ in her bullying complaint against John?); (ii) any duty of confidentiality owed to John (did he send this email in confidence and was it headed as such?); and (iii) what steps have been taken to seek John’s consent, whether he is capable of giving it, and whether he has expressly refused it.
Although not expressly set out in the DPA18 or GDPR, other factors that employers may want to consider include:
- the third party’s seniority – is John a junior member of Mary’s team and if so, maybe it is not reasonable to disclose, or is he a higher ranking employee?;
- the likelihood of recriminations against the third party – linking back to the point above, if John is junior, could he face retaliation for making those comments? Note that this is different from the situation where disclosing the data would reveal evidence of an offence, as that latter example would likely come within the ‘self-incrimination’ exemption set out in the DPA18, so no balancing test would be required before deciding to withhold;
- the realistic harm (as opposed to mere embarrassment) which may be done to the rights of either party if disclosure is or is not made.
The GMC case above provides further guidance on how to carry out this test, albeit this case concerned the old pre-GDPR DSAR regime. Mr P, a patient of Dr B, claimed that the doctor had negligently failed to diagnose his cancer. The GMC appointed an expert to complete an investigation report. That report concluded that P’s complaints were largely unfounded. P put in a DSAR for access to the report. As the report contained the mixed data of both P and Dr B, the GMC sought Dr B’s consent to disclose the report, which was refused. The GMC considered the reasonableness test set out above and, in balancing the doctor’s rights against that of the patient, concluded that it should provide the report to P. Dr B applied for an injunction preventing disclosure.
The Court of Appeal sided with the GMC and said:
- the data controller’s judgment is given a considerable margin of discretion, i.e. a court will not forensically analyse an employer’s rationale. The Judgment stated that “it is the data controller who is the primary decision-maker in assessing whether it is reasonable or not [to disclose]” and “data controllers generally have a wide discretion as to which particular factors to treat as relevant”;
- the motivation of the requester when submitting a DSAR is irrelevant when carrying out the balancing test. Whether the requester was simply on a ‘fishing expedition’, looking for something key to his litigation or just trying to be difficult is neither here nor there when it comes to this assessment; and
- there is no presumption at the start in favour of either the requester or the third party. The scales are even.
If, having carried out this balancing exercise, you decide that the information should not be disclosed, before taking any decision to withhold, you should consider whether it is practicable to provide it in redacted form, deleting all references to the third party (name, email address, etc.). It should be noted that the right of access is strictly a right to personal data and not a right to documents. So back to the example of John’s email, could you redact John’s name and email address and provide the data in that format, thereby protecting John’s privacy, while at the same time giving Mary access to her personal data? If the identity of the team member would still be obvious, you may then consider withholding the entire document.
Again we await further guidance, including the Information Commissioner’s updated Code of Practice on DSARs and case law interpreting the DPA18’s mixed data provisions. Our recommendation in the meantime is to assess the issue carefully and on a case-by-case basis. Provided that you carry out a fair and well-thought-out balancing test (ignoring the motivation of the requester), document in detail the factors under consideration, provide redacted information where possible and record the justification for your decision, the risk that either the ICO or a reviewing court would find fault appears to be rather low.
In the meantime, it is wise to seek specialist help should you be contending with an employee DSAR or preparing for one. DSAResolution offers a simple, cost-effective solution to help employers address employee DSARs, identify exemptions and navigate potential problem areas.