Written by Syan Bateman
You or your company just got a Data Subject Access Request (DSAR), but it contains the personal data of two or more parties. How do you balance the GDPR’s principle ‘right to access’ with ‘what to disclose’? How should you properly redact the data before disclosing it?
Under the Data Protection Act 2018 (DPA), the personal data of the person making the request should be provided. However, under the UK General Data Protection Regulation 2018 (GDPR), an organisation is not legally required to disclose a third party’s information unless that third party consents, or it is reasonable to disclose the information without their consent. It is a complicated balancing exercise, and reconciling the two is difficult.
Why should I disclose any data?
A Subject Access Request under the DPA, or an information request under the Freedom of Information Act (FOI) or the Environmental Information Regulations (EIR), requires organisations to disclose personal data. Depending on the role your organisation has, disclosure could also be required in compliance with statutory duties (e.g. court orders), or in further scenarios.
Whatever the cause, you don’t have to, and you shouldn’t, provide more information than required! Any personally identifiable information, other than what belongs to the person making the request, shouldn’t be included.
Imagine that an employee wants access to emails containing their personal data. However, these emails were also sent to a third party, who then added comments about the employee’s poor performance. One method of dealing with this situation is to redact all relevant personal data of the third party. This way, you can disclose as much information about the employee as possible without disclosing the third party’s identity. Similarly, a GP may decide to withhold information that could harm their patient’s (the requester’s) mental health, even if the data relates to them.
How do I redact third party data?
Currently, the DPA gives no specifics on how to redact third-party or other non-relevant personal data. Instead, make sure you can justify your decisions about what to hide and what to keep, and keep a record of the information you do choose to disclose.
Legally, you must disclose as much of the requested information as possible. However, if a document becomes unreadable because of the amount that has been redacted, it may be more appropriate to withhold whole sections or pages of the document instead.
It is also not sufficient to redact the third party’s name alone: redaction calls for the removal of all information that could identify them, such as their job title or references to their location.
Make sure the redaction is done on a copy, so that the original text remains intact. It is equally important that redactions are irreversible. A PDF cannot simply be covered with a black highlight that leaves the underlying text selectable, searchable and extractable by anyone who receives the file, and a hard copy cannot simply be struck through with a black marker, because the text can often still be read by holding the page up to a bright light.
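The PDF failure mode above can be checked for mechanically before a file is released. The following is an added example, not code from the original article: it constructs two tiny in-memory PDFs, one where a black box is merely painted over a name and one where the text was actually removed, and a small heuristic checker that inflates the content streams and looks for text still handed to the Tj operator. The file layout, names and page content are constructed sample data.

```python
import re
import zlib


def build_pdf(content: bytes) -> bytes:
    """Wrap a page content stream in a minimal one-page PDF, Flate-compressed as
    most PDF writers do (constructed sample, not a real DSAR document)."""
    stream = zlib.compress(content)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 220 100] "
        b"/Resources << /Font << /F1 5 0 R >> >> /Contents 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream)
        + stream + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out, offsets = b"%PDF-1.4\n", []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return out


# Same page "redacted" two ways: both paint a black box over the name,
# but only REMOVED deletes the text from the content stream.
COVERED = build_pdf(b"BT /F1 12 Tf 20 50 Td (Employee: John Smith) Tj ET\n"
                    b"0 g 78 46 110 16 re f\n")   # box painted on top of live text
REMOVED = build_pdf(b"BT /F1 12 Tf 20 50 Td (Employee: ) Tj ET\n"
                    b"0 g 78 46 110 16 re f\n")   # text removed, box kept


def text_operands(pdf: bytes) -> list[str]:
    """Literal strings passed to the Tj operator in every stream with a direct
    /Length, inflating Flate streams (a plain byte search would miss them).
    Heuristic only: TJ arrays, hex strings and custom font encodings are not
    handled, so a hit proves a leak but an empty result proves nothing."""
    found = []
    for m in re.finditer(rb"/Length (\d+)[^>]*>>\s*stream\r?\n", pdf):
        body = pdf[m.end():m.end() + int(m.group(1))]
        try:
            body = zlib.decompress(body)
        except zlib.error:
            pass  # not Flate-compressed: scan the raw bytes
        found += [s.decode("latin-1") for s in re.findall(rb"\((.*?)\)\s*Tj", body, re.S)]
    return found


def still_contains(pdf: bytes, redacted: str) -> bool:
    return any(redacted in s for s in text_operands(pdf))  # True means the redaction failed
```

Run against the two samples, `still_contains(COVERED, "John Smith")` is True and the same call on REMOVED is False; a real pre-release check should use a full PDF text extractor rather than this regex, and treat a clean result as necessary, not sufficient.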
In total, two copies of the disclosed information should be made – one is retained as evidence of the disclosure and one is for the requester. Any intermediate copies or proof-reading copies should be securely destroyed.
If you want advice on data redaction or more information on tackling DSARs, Bivika offers consultancy and other tailored data protection services to help you. Get in touch via info@bivika.com for more information.