A £40,000 fine for a data breach at a GP surgery in Hertfordshire was the direct result of an organisation’s response to a subject access request (“SAR”) that had gone wrong.
In responding to a SAR, the surgery revealed confidential details about a patient to her estranged ex-partner. This was despite express warnings from the patient that staff should take care to protect her details. Having conducted its investigation, the Information Commissioner’s Office (“ICO”) concluded that the surgery had insufficient systems in place for staff to deal with SARs and, in particular, to prevent the unauthorised release of personal data to people who were not entitled to see it. The surgery was fined £40,000 as a result. However, the ICO highlighted that the amount of the fine reflected the fact that the surgery’s partners would be individually liable, and that most organisations could expect to receive a much larger fine given the serious nature of the breach.
Such a significant data breach could have been avoided had suitable internal measures been put in place. No matter the size of an organisation, if you hold personal data you will almost certainly receive, and hence have to respond to, a SAR at some point. It follows that having a documented procedure for responding to SARs should stand you in good stead.
Responding to SARs where the information contains third party data
As shown in this case, responding to a SAR may involve providing information that relates both to the requester and another individual. Under the Data Protection Act you do not have to comply with the SAR if to do so would mean disclosing information about another individual who can be identified from that information except where:
- the other individual has consented to the disclosure; or
- it is reasonable in all the circumstances to comply with the request without that individual’s consent.
You therefore need to balance the requester’s right of access against the other individual’s rights in respect of their own personal data. If the other individual consents to you disclosing the information about them to the requester, then it would be unreasonable for you not to do so. However, if consent is not given, you will need to decide whether to disclose the information anyway on the grounds that it is “reasonable in all the circumstances” to do so. Relevant factors may include whether the individual has expressly refused consent, whether the information will already be known to the requester in any event, and the impact on the individual if their information is disclosed to the requester. You should make decisions about disclosing third party information on a case by case basis – do not simply apply a blanket policy of withholding it.
Furthermore, you should still respond to the SAR so far as you are able. Where possible, redact the information that would identify the third party so that the remaining information can be released without breaching the data protection principles, and in any event provide all other information relating to the requester which does not identify any third party.
ICO figures show that 46% of all complaints made to the ICO last year were about SARs and the difficulties individuals face when trying to access their personal information. This is a substantial figure and highlights that – however inconvenient – SARs should not be taken lightly.