
Subject access requests – when to weed out third-party data

There are things in life, like taxes and laundry, that we know are necessary for democracy and cleanliness respectively but are just a pain in the actioning.  

Data Subject Access Requests (DSARs), whilst a necessary part of ensuring transparency and accountability, must surely fit into that bracket.

Dealing with a DSAR can be a lengthy, costly, and complex process, not least because the data concerned may contain the identities of others. The case of Harrison v Cameron and Anor has given some key guidance on this latter point.

Take away points

  • Individuals purchasing goods and services at home can still be caught by data protection principles if there is a business relationship.
  • Individuals can request data about themselves under a DSAR. This often requires the data controller to provide sufficient contextual information and sometimes specific information about third parties.
  • The data subject’s right to information about others is limited and can be refused in certain circumstances.

Case details

The case concerned a recording of two heated telephone conversations between Mr Harrison, a property developer, and Mr Cameron. The latter was a director of a company contracted to carry out some landscape gardening for Mr Harrison. A dispute arose and Mr Cameron recorded two telephone conversations with Mr Harrison (without his knowledge or consent) in which Mr Harrison became threatening and could be heard making threats of violence. 

Mr Cameron then shared the recordings with various employees of the company and with family and friends. These were further circulated into the wider business community in which Mr Harrison operated and led, he alleged, to the loss of business opportunities. As a result, Mr Harrison issued a DSAR requesting the identity of all the recipients of the recordings. The request was denied, and Mr Harrison brought a claim alleging a breach of his right to the information under Article 15 of the GDPR. 

Key points of judgement

The judgement is an important one not least because it is in the High Court and so will be followed by subsequent cases.  

The judge provided the following guidance:

  • Although Mr Cameron was contracted to carry out landscape gardening at Mr Harrison's home, the parties had a business relationship. Mr Cameron had conducted the calls in his capacity as a director of his property development company. Consequently, UK GDPR applied to the calls between the two individuals and Mr Cameron could not rely on the ‘purely personal/household activity exception’ to withhold the requested information.
  • Article 15(1)(c) of the UK GDPR requires a data controller to disclose the identities of the recipients of any data and not just the categories of those recipients. In this case, that would require naming the individual employees, friends and family members who had received the recording. The obligation to identify specific recipients applies equally whether they are ‘internal’ or ‘external’ recipients - the argument that Mr Harrison’s employees were merely doing their job and so should stay anonymous was rejected. 
  • However, data protection is nearly always about balancing the rights of individuals against the risk of harm to individuals. Mr Cameron was successful in showing that Mr Harrison and his solicitor had been aggressive and threatening to a range of people who were thought to have received the recordings. The judge allowed the property development company to rely on the ‘rights of others’ exemption in Article 15(4) UK GDPR and to withhold the identities of the recipients of the recordings.
  • It is notable that none of the recipients had consented to their names being disclosed. They were prepared to do so if Mr Harrison gave undertakings not to threaten or harass them, or to bring any claims against them other than data protection claims in the County Court, but no such undertakings have been given. As a result, it was reasonable for the property development company to refuse the request.

The case is a reminder that data protection cannot be used to excuse bad behaviour: it will reveal uncomfortable truths but should not expose individuals to a real risk of harm.

Learning points 

  • For those individuals who work from home and/or juggle multiple roles, it is important to remember that data protection legislation will apply depending on the nature of the data processing activity and not just the location. Communications that take place in a domestic setting and with personal contacts may still be subject to data protection legislation. 
  • In an employment context, both employers and employees need to be aware that individuals may be entitled to not just the contents of uncomfortable conversations, but also the identities of those engaged in the communications. It is important that disciplinary records are concise, concentrate on the evidence and keep focus on the decisions made. Consider whether a particularly sensitive discussion needs to be taken offline and had in person.
  • A data subject's legal right of access only relates to their own personal data: information which identifies and relates to them. Whilst this includes a right to know the recipients to whom the personal data have been or will be disclosed, data controllers must still take care to redact and withhold third-party personal data. We often describe this as the data subject’s right to know Jane Doe said ‘X’ about the data subject, but not the right to know Jane Doe’s career history, life story or how they were feeling that day.
  • If it is reasonable in the circumstances to disclose the third party’s personal data, this information does not need to be redacted. This often occurs where the data subject is already aware of the information as part of their employment history, or where the additional information provides important context. For example, the requester may already know that a particular manager or customer raised a complaint about their performance.
  • Whether it is reasonable to withhold and redact or to disclose third-party data (without their consent) will depend on all the circumstances and data controllers should not take a blanket approach when considering how to respond. For employers, this means being alive to issues raised in confidence and considering the practical impact of making such disclosures.
  • If in doubt, we recommend that data controllers keep good records of any decision to disclose information without consent or to withhold information in response to a DSAR. A properly reasoned justification for withholding personal data is far less likely to be criticised than excessive or accidental disclosure, and higher-risk disclosures should be treated with greater caution.

It is critical that individuals have the ability to understand how decisions have been made about their employment and oftentimes disclosure can help provide clarity, demonstrate good governance and avoid misunderstandings. 

If you are struggling with how to respond to DSARs as part of a disciplinary process, please contact our employment team or Emma Watt in our commercial team. 

 
