In the second of our data subject access request (“DSAR”) mini-series, we look at how data should be properly redacted before being disclosed and, in particular, what to do when another person’s data is contained within the information to be provided.
Responding to a DSAR can be a challenging, costly and often time-consuming process. This is especially the case in an employment context, where data can go back over a number of years and may contain data which belongs to other individuals.
When a DSAR is submitted by an employee, an employer (who is typically a data controller within the employment context) should make an initial assessment of the request. This should include determining whether it processes data concerning that employee, the scope of the request, and the proposed approach to finding the data and responding. Data which has been requested by an employee may be subject to an exemption, e.g. because it is not personal data. This may include data around financial performance. For information on what constitutes personal data, please see our previous article in this series on ‘Personal Data’.
Third party data
When reviewing the data requested by the employee, you may find that it contains personal data belonging to another employee or a third party. For example, as part of a request, an employer may identify emails containing the employee’s personal data which have been sent by third parties with comments about the employee’s poor performance. In this case, the emails would also contain personal data of the third party. An employer is not required to disclose such information unless the third party consents to the disclosure or it is reasonable to disclose the data to the employee without such consent.
Under the Data Protection Act 2018 (“DPA”), as much of the personal data which has been requested should be provided to an employee without disclosing any third party data. When responding to a DSAR that involves third party data, an employer should carry out a careful balancing exercise between the employee’s request and any competing third party rights.
In approaching this exercise, there are three main issues to consider:
1. Does the DSAR require disclosure of information that identifies another third party?
The first step is to identify if the DSAR requires disclosure of information that identifies a third party. An employer should consider not only the information itself, but any other information the employer reasonably believes an employee is likely to have.
2. If so, have they consented to this disclosure?
While there is no formal requirement, it is good practice, if possible, to see if the third party would consent to disclosure of their personal data. However, the ICO (the independent body which considers data protection issues in the UK) takes the view that in some cases it may be impracticable or inappropriate to do so.
3. Would it be reasonable to disclose without consent?
There may be some cases where it is reasonable to disclose without consent, such as where the employee has previously been provided with the third party information or where it is already in the public domain.
In deciding if it is reasonable to disclose information without consent, an employer should consider the following (as set out under the DPA):
- the type of information that would be disclosed;
- any duty of confidentiality;
- any steps taken by the employer with a view to seeking consent of the third party;
- whether the third party is capable of giving consent; and
- any stated (express) refusal of consent by the third party.
An employer should also consider the practicality and costs involved in obtaining consent and the third party’s level of seniority within the third party business. There may also be other exemptions available under the DPA. We will explore these in our next article within this series. If an exemption applies, then an employer should consider redacting relevant data.
Even if a decision is made not to disclose the third party data, an employer must respond to the DSAR and communicate as much of the personal data as possible without disclosing the third party’s identity. Responding to a DSAR without disclosing third party data can be achieved by redacting relevant documents. Under the DPA, there are no specific rules regarding the process of redacting third party data.
Once an employer has redacted data about the employee that identifies a third party, it should also consider redacting any information that is not relevant personal data, e.g. confidential business plans or financial information.
It is important to ensure any redactions are made irreversible. If hard copies are being provided, it is sensible (in the absence of any redaction software) for all documents to be printed, redacted with a black marker pen, and then photocopied before being sent to the employee. This would prevent the employee being able to read the redacted information, e.g. by holding the document up to a light source. If an electronic copy is being provided, an employer should ensure that appropriate software is used to guarantee the redactions are permanent.
- The ICO expects employers to be able to justify and keep a record of their course of action and the reasoning behind their decisions. It is therefore good practice to keep a record of any decision made, e.g. note why you chose not to seek consent or why it was inappropriate to do so in the circumstances.
- The ICO Subject Access Code of Practice encourages employers to have a well-designed and up to date information management system to locate and extract data and redact third party data.
- Any third party consent should be obtained as soon as practically possible after receiving a DSAR.
- Always carry out the redaction on a copy of the original document, whether paper or electronic, and never on the original itself. This ensures that while the redacted information is permanently removed from the copy, the original text remains.
- Redaction should be performed or overseen by staff who are knowledgeable about the records and can determine what material(s) are not available for disclosure.
- Removing only the third party’s name may not be sufficient as they may still be identifiable from the rest of the information.
Coming up next
Our next article in the DSAR mini-series will focus on what the exemptions are and when they can be used.