Subject access requests: exemption for third party data

The Data Protection Act 1998 contains certain exemptions and provisos which affect the operation of the subject access regime.   One such proviso is that a data controller does not have to comply with a subject access request to the extent that it would mean disclosing information about another individual who can be identified from that information, unless:

  • the other individual has consented to the disclosure; or
  • it is reasonable in all the circumstances to comply with the request without that individual’s consent.

It’s essentially a balancing act - and not necessarily a simple one - between an individual’s right of access and the third party’s rights in respect of their own personal data. The Information Commissioner’s Office guidance approaches this by asking three questions:

  1. Can the Third Party information be separated out? The obligation on the data controller is to provide information rather than documents, so it can redact documents if the third party information does not form part of the requested information.
  1. Has the Third Party consented? In appropriate cases, the ICO considers it good practice for a data controller to seek consent for disclosure from the individuals whose personal data appears in the requested information.  However this is not an obligation in every case and the ICO notes that there are situations where seeking consent may not be appropriate, for example where the information concerned is already known to the requester.
  1. Is it reasonable to disclose the information without consent? This will includes an assessment based on all the circumstances of the matter, however the DPA provides that particular regard should be had to:
    1. any duty of confidentiality owed to the third party individual;
    2. any steps you have taken to try to get the third party individual’s consent;
    3. whether the third party individual is capable of giving consent; and
    4. any stated refusal of consent by the third party individual.

Next week our blog posts will examine some other aspects of privacy and data protection law.

Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.

Posted by

Mills & Reeve Sites navigation
A tabbed collection of Mills & Reeve sites.
My Mills & Reeve navigation
Subscribe to, or manage your My Mills & Reeve account.
My M&R


Register for My M&R to stay up-to-date with legal news and events, create brochures and bookmark pages.

Existing clients

Log in to your client extranet for free matter information, know-how and documents.


Mills & Reeve system for employees.