Cabinet Office Homepage

Data Protection Act 1998: Guidance for Cabinet Office Staff

Standards and Best Practice Handbook for Government Departments

8. References to Other Individuals/Third Parties

Issue

Sections 7(4)-7(6) and 8(7) of the DPA cover the circumstances where complying with a subject access request will disclose information “relating to another individual”. It is notable that these provisions do not refer to a “third party”, which is defined in section 70 of the DPA to mean:

“any person other than

1. the data subject
2. the data controller, or
3. any data processor or other person authorised to process data for the data controller or processor”.

2. The provisions refer to the wider concept of “another individual”. Ministers and officials of a department are not therefore third parties of that department but are other individuals who themselves have certain rights to protect information which relates to them.

3. Under the right of access to personal data at section 7 of the DPA:

“… (4) Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from the information, he is not obliged to comply with the request unless –

1. the other individual has consented to the disclosure of the information to the person making the request, or
2. it is reasonable in all the circumstances to comply with the request without the consent of the individual.

(5) In subsection (4) the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request; and that subsection is not to be construed as excusing a data controller from communicating so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by omission of names or other identifying particulars or otherwise.

(6) In determining for the purposes of subsection (4)(b) whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard shall be had in, particular,
to -

1. any duty of confidentiality owed to the other individual,
2. any steps taken by the data controller with a view to seeking the consent of the other individual,
3. whether the other individual is capable of giving consent, and
4. any express refusal of consent by the other individual.”

4. In general the emphasis in these provisions is on compliance with a subject access request so far as possible (and sometimes even without the consent of the other person). It is also notable that redaction is expressly envisaged in the second part of section 7(5), but not as a routine exercise or necessarily one which will excuse the data controller from full communication. Section 8(7) of the DPA further defines the circumstances in which another individual would be held to be identifiable from disclosed information.

Standards

5. References to another individual should be disclosed only where he has given his explicit consent to that disclosure, or where it is clearly reasonable in all the circumstances to do so.

Recommended best practice

6. Where a data subject is entitled to receive personal data that includes information relating to another individual (whether it be a Minister, an official or a third party), the data controller should carry out a balancing exercise to decide whether the information relating to the other individual should be disclosed. This includes taking account of the circumstances of the particular case and where necessary, consulting the other individual. A blanket policy of non-disclosure of the names of Ministers and officials in every case is unlikely to be justified. Equally, the names of officials should not be routinely disclosed (except where those names have been previously disclosed). In each case regard must be had in particular to the factors set out in section 7(6) of the DPA, together with any other factors which are relevant to the balancing exercise. However, names may be blanked out where it is reasonable and the intelligibility of the data is not affected. In practice, it is rarely essential to the intelligibility for names to be disclosed.

7. The code of practice being prepared for archivists and records managers under section 51(4) of the DPA (see paragraph 7 of section 1 “Data Controllers”) gives further guidance on the “lawful” and “fairness” criteria to be adopted in determining whether to disclose references to third parties.

8. The reference in section 7(1)(b)(iii) of the DPA to “recipients or classes of recipients” should be taken as giving a data controller the choice as to whether to provide individual names or only a generic description of the classes of recipients.

Data Protection Handbook [PDF, 710KB]

[Top]