Understanding when an organisation is separately entitled or obliged to restrict access to personal data pursuant to a data access request continues to be one of the main areas of confusion for data controllers and data subjects. This is due in part to the broad definition of the types of information that will be considered personal data. The Data Protection Commission (“DPC”) has now issued further helpful guidance designed to assist organisations and individuals alike better understand their rights. In particular the guidance clarifies the circumstances when it may be appropriate for organisations to restrict an individual’s right of access to their own personal data, if that personal data is contained in a document which also contains personal data relating to “another person(s)”.
The Guidance
Article 15(3) of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) imposes an obligation on organisations/data controllers to provide individuals with a copy of their personal data. An individual’s right of access is not absolute, however, and in this regard the DPC’s guidance makes reference to Article 15(4), which provides that an individual’s right to access their own personal data must not adversely affect the rights of others.
The DPC uses the example of medical records or notes of a counselling session which could include information about the individual, as well as his/her spouse, former spouse, partner, children or other third parties. The DPC suggests that in this case, it may be appropriate under Article 15(4) of the GDPR for a data controller to refuse access to the personal data, if permitting access could adversely affect the other person(s) mentioned. The DPC guidance goes on to confirm that there is a general presumption that the right of access can be restricted where the disclosure of the information is highly likely to result in significant harms and risks to the other person(s).
What must an organisation do before restricting access
Organisations must carefully consider all documentation coming within the scope of an access request and identify whether, by releasing a copy of the documents concerned, information relating to another person may also be affected. If a document does contain personal data relating to another person, the organisation must consider whether it is possible to redact that personal data in a manner that ensures the other person is no longer, directly or indirectly, identifiable. If that is possible, the redactions should be appropriately and securely applied before the documents concerned are released.
If a single piece of information within a document comes within the definition of personal data relating to two (or more) individuals, i.e. where it contains an opinion given by one person about another, or a decision that may affect a number of individuals, such that it may be regarded as the personal data of both individuals, organisations must consider:-
- Whether it is possible to comply with the access request while at the same time protecting the other person's rights in respect of their personal data.
- Whether the other person is entitled to have access to their personal data restricted. An example of when an organisation is not entitled to restrict access can be observed in the case study published by the DPC in their 2013 Report which considers the question of opinions provided in confidence. While this case study was decided under the Data Protection Acts of 1998 and 2003, it remains relevant today. Ultimately it stipulates that an organisation cannot rely on section 60(3) of the Data Protection Act 2018 to restrict an individual's right of access to opinions provided by supervisors, managers and in fact persons in a position of authority relating to staff on the basis that "it is an expected part of their role to give opinions on staff which they should be capable of standing over."
Where there is no impediment to restricting access, the DPC recommends that organisations carefully consider the rights of the other parties, including their right to life and physical integrity, and that they balance those rights against the right of the data subject to access their own personal data.
Undertaking a balancing assessment
The DPC recommends that this balancing test be undertaken on an evidential basis, with reference to the specific context of the case concerned. The European Data Protection Board (EDPB) has issued guidelines on the steps an organisation must take when undertaking this balancing assessment which can be summarised as follows:-
- When it has been assessed that complying with an access request will have a negative effect on the other person’s rights, the interests of all participants must be weighed, taking note of the specific circumstances of the case and in particular the likelihood and severity of the risks that arise in giving access to the information, as against a decision to restrict the requester's access. The organisation should try to reconcile the conflicting rights in the first instance. This may be achieved by reducing the risk to the rights and freedoms of the other person by redacting any reference to them or part of the personal data concerned.
- If it is not possible to find a solution by reconciling these rights, the organisation must assess and decide which of the conflicting rights prevails.
- It is only if the impact on the rights of the other person is greater than the impact on the requester of refusing the request that an organisation is obliged to restrict access to the document. In that instance the organisation is required to properly document its reasoning for reaching the decision to restrict access.
What to expect in the event of a complaint
A data subject has the right to complain to the DPC if they are unhappy about the way that their subject access request has been handled. In that instance, the DPC has indicated that they will look for a copy of the balancing assessment records of the organisation to make sure that any restriction has been properly applied.
It is important to note that the DPC will deal with complaints on a case-by-case basis. If an organisation maintains detailed records to document its decision-making process, it will be better equipped to address any queries from the DPC that form part of the complaint process.
What will happen if you fail to observe your obligations
Organisations are obliged to restrict access to an individual’s personal data if complying with their request would adversely affect the rights of others. If an organisation fails to do so, the result is a breach of the GDPR and of the data protection rights of those other person(s), leaving the organisation open to the risk of regulatory sanction and claims.