10 things that happened whilst I was on maternity leave (and two that didn’t)
Number 4: Subject access requests involving third party data are hot topics in the UK courts

On 28 June 2018¹, the Court of Appeal considered the balancing test between the rights of a SAR requestor and the rights of another individual when the data of the requestor includes third party data.

In this case, a patient had made a subject access request and the GMC had withheld a report containing personal data of both a doctor and the patient. A key factor was that it appeared that the primary motive behind the SAR was to use the data in litigation against the doctor. The High Court has originally ruled that this was a weighty factor and that the full report containing personal data of the doctor should not be disclosed, in order to protect the doctor’s rights. However, the Court of Appeal disagreed and considered that the interests of the patient overrode the interests of the doctor regardless of the patient’s motivation (in the facts of the case).

The judgment contains some useful points to consider when applying the balancing test for third party information.

On 10 April 2019, the High Court considered the extent to which the identity (and other personal data) of another individual (or organisation) involved in a matter constituted the personal data of the requesting individual under a SAR; in other words whether the identity of a third party ‘relates to’ the requesting individual. If it does not, then such identity can be excluded from the response; if it does, then the third party data balancing test would kick in.

It was another medical-related case. Dr. Rudd was a medical expert in asbestos exposure. Mr. Bridle had been involved in the manufacture and use of asbestos in cement products for 50 years, and advised and campaigned on asbestos medical issues. Records held by Mr. Bridle (and his associated company) included information about:

• people to whom allegations of fraud had been made about Dr. Rudd (primarily a complaint to the General Medical Council or GMC);
• people who had collaborated with Dr. Rudd in the alleged fraud;
• people whom he is alleged to have helped to attack others; and
• his alleged ‘victims.’

The Court ruled that the identities of such people were Dr. Rudd’s personal data; the information was focused on him and biographically significant. For those people who were individuals, the third party data balancing test was then necessary. This was not necessary where they were organisations (such as GMC).

However, the identities of third party recipients to whom Dr. Rudd’s personal data was communicated (such as by email) were not, in themselves, Dr. Rudd’s personal data. The information needed to relate to Dr. Rudd in order to be his personal data. The Court stated that it was "…easy to understand what is being written about Dr Rudd in the extracts provided, without knowing to whom it is being written."

Note that in coming to this conclusion the Court referred to the interpretation of the term ‘personal data’ in the leading case of Durant v Financial Services Authority ([2003] EWCA Civ 1746). Under the GDPR, the definition of personal data, whilst similar to previous law, needs to be re-examined and interpreted consistently with its interpretation across the EU. The ICO has produced new guidance on the meaning of these terms under the GDPR. In particular, the EU and UK guidance on interpretation of ‘relating to’ within the definition of ‘personal data’ captures a potentially wider scope of information than is apparent from a strict application of the ‘biographically significant’ test.

The Court in Rudd v Bridle referred to the right, as part of a subject access request, to be provided with "a description of…the recipients or classes of recipients to whom [personal data] are or may be disclosed". The Court confirmed that this did not require the identity of a recipient to be disclosed (and this is consistent with the ICO’s previous SAR Code of Practice, which indicated that names of recipients were not required). So, as raised above, it was instead necessary to consider whether the identity of the recipients constituted the personal data of the requesting individual (which was not the case unless they formed part of information relating to that individual).

Note, however, that under the GDPR, the wording of the equivalent requirement is slightly different and individuals are entitled to know, under Article 15, "the recipients or categories of recipient to whom the personal data have been or will be disclosed". The EU Article 29 Working Party (now the European Data Protection Board or EDPB) Guidelines on Transparency (WP260 rev.01) comment on the interpretation of the term ‘recipients or categories of recipients’ as follows².

"The actual (named) recipients of the personal data, or the categories of recipients, must be provided. In accordance with the principle of fairness, controllers must provide information on the recipients that is most meaningful for data subject. In practice, this will generally be the named recipients, so that the data subjects know exactly who has their data. If the controllers opt to provide the categories of recipients, the information should be as specific as possible…"

To summarise, under current law, in many cases naming specific recipients will assist to ensure fairness and transparency in relation to the disclosure (and in my view that was also the case under previous law even if the specific reference to recipients in the legislation was less prescriptive). Recipients who are controllers will also have their own obligations of transparency under data protection laws, which requires their identity to be given to data subjects.

The Court in Rudd v Bridle referred to the right, as part of a subject access request, to be provided with "any information available to the data controller as to the source of those data". This is worded differently to the requirement relating to recipients of data referred to above, and does not require just a description, but "any information available". So information held by the controller about sources of data needs to be disclosed in response to a SAR, although note that:

• the third party data rules described above should be applied if the source is another individual. Sources of data are not, however, always individuals and could include other organisations such as, in this case, solicitors’ firms involved; and
• as with recipients of data referred to above, sources of data would not in themselves constitute personal data of the requesting party.

Under Article 15 of the GDPR, there is a similar SAR requirement to provide "any available information" as to the source of personal data.

The Court in Rudd v Bridle discussed the application (or not) of exemptions to subject access relating to legal professional privilege, journalism and regulatory activity.

In relation to the latter (section 31 of the Data Protection Act 1998), the Court considered whether the processing of personal data by an informant or whistleblower who reports an individual to a regulator can fall within this exemption. The Court commented that the wording "personal data processed for the purpose of discharging functions…" in section 31 indicates that only the processing by the regulatory body itself is covered. However, it did not make a formal judgment on this point (as it did not need to in the context).

Schedule 2 of the Data Protection Act 2018 contains a similar exemption relating to "Functions designed to protect the public".