Important new guidance on handling requests for disclosure of ‘mixed data’

We’ve started to see requests coming through from individuals wanting to access their personal data under the new Data Protection Act 2018 and GDPR regime by making data subject access requests (DSARs), and we are advising a number of clients on their obligations to provide data in those scenarios.

Where, as is commonly the case, a DSAR concerns ‘mixed data’, being data which relates to more than one individual, the data controller is placed in the difficult position of having to balance differing interests before reaching a conclusion on whether or not to disclose particular information and, if it does disclose, in what form. When deciding whether or not to disclose mixed data, it is commonplace for the data controller to seek consent to the disclosure of the information from the relevant third party. If the third party refused to provide consent, under previous court guidance in Durant, it was generally thought that the data controller could legitimately withhold the third party information. The Court of Appeal has looked afresh at this area and determined, in the case of B v General Medical Council, that there is no presumption that mixed data should not be disclosed where one data subject refuses to provide consent. Instead, data controllers should still apply the balancing of interests test.

The Court of Appeal were divided in their decision, so this may not be the final word, and we may yet see a reversal and a return to the Durant presumption. Until then, employers need to exercise care when considering whether to disclose mixed data in response to a DSAR, and should not presume that the information can be withheld just because a third party has refused to give consent to the disclosure of mixed data. The employer will still need to carry out a balancing exercise, taking into account the fact that an individual has withheld consent and, in appropriate cases, using the refusal of consent as the ‘tie-breaker’ to keep the information back.

If your organisation has yet to implement new policies and procedures which are GDPR compliant, please talk to Tiggy or Emma, both of whom have a wealth of expertise in this area.
