You have correctly identified a request for personal information and located what is being sought. You might have used our free Request Handling Chart to help.
Reviewing the personal information is the critical next step before you respond to the request.
The review process is critical.
For Subject Access Requests, your starting position is that the personal information should be disclosed to the requester. However, the review process enables you to consider whether there are any legitimate grounds for withholding (‘blanking out’ / ‘redacting’) some or all of the personal information from the requester.
- For example, you might need to withhold personal information where disclosing it would breach the confidentiality of someone else, cause serious harm to someone, or affect the conduct of an ongoing investigation.
When handling requests from other organisations, your starting position is that you have to protect personal information. The review process enables you to establish a clear rationale for disclosing some or all of the personal information to the organisation.
- For example, you might decide it is proportionate to disclose personal information if it is required to assist an ongoing investigation and you have (i) clarified which specific personal information will help and (ii) weighed up the needs of the organisation making the request and the legitimate interests and expectations of the individual whose personal data is being sought.
(1) Third party personal information
The personal information of one person is often inseparable from the personal information of someone else – either because they are the source of the information, or because their information was recorded with or alongside that of someone else (e.g. for context or background detail).
The Data Protection Act (DPA) is clear that you do not have to disclose personal information to someone if it would require you to also disclose the personal information of someone else. However, it also says you must consider:
(i) seeking the consent of the other person, and
(ii) whether it is “reasonable in all the circumstances” to make the disclosure anyway.
Essentially it requires you to consider the competing interests – access to personal information by the requester, whilst maintaining legitimate expectations of confidentiality that other people might have.
The following are factors to consider when assessing the competing interests and reaching a judgment on “reasonable in all the circumstances”:
- The circumstances in which information was provided – e.g. during a private meeting or when the other individual was present.
- The sensitivity of the information.
- Whether the information was already known or is already common knowledge.
(2) Disclosure would cause harm – either to someone or to an investigation or activity that is in the public interest
The DPA recognises that there will be certain circumstances when disclosing personal information to the requester could cause harm.
Examples: disclosing personal information that confirms the police are investigating them; that reveals distressing details to someone already suffering from mental health issues; that would result in the release of information subject to legal professional privilege.
In these limited circumstances, you can withhold personal information from the requester where you satisfy yourself (or are advised by another body) that disclosure would cause the harm in question.
(3) The amount and quality of the personal information: adequate, relevant, not excessive and accurate in relation to the purpose it is seeking to meet and/or assist with.
When handling requests from organisations, you must always consider the amount of personal information you are being asked to disclose: what you disclose should be proportionate; it should meet the needs of the request and no more. For example, if the police are trying to verify the name and address of someone, it would be excessive to provide a copy of the person’s entire file.
Finally: always keep records of your decisions and what you disclose.