The following information might help answer your question

You may have to disclose information relating to third party, but you need to decide whether it is appropriate to do so in each case.

Personal data can relate to more than one person. Therefore, responding to a SAR may involve providing information that relates to both the requester and another individual.

Example

An employee makes a request to her employer for a copy of her human resources file. The file contains information identifying managers and colleagues who have contributed to (or are discussed in) that file. This will require you to reconcile the requesting employee’s right of access with the third parties’ rights in respect of their own personal data.

There is an exemption in the Data Protection Act 2018 that says you do not have to comply with a SAR, if doing so means disclosing information which identifies another individual, except where:

the other individual has consented to the disclosure; or
it is reasonable to comply with the request without that individual’s consent.

So, although you may sometimes be able to disclose information relating to a third party, you need to decide whether it is appropriate to do so in each case. This decision involves balancing the data subject’s right of access against the other individual’s rights relating to their own personal data. If the other person consents to you disclosing the information about them, it is unreasonable not to do so. However, if there is no such consent, you must decide whether to disclose the information anyway.

To help you decide whether to disclose information relating to a third party, follow the three-step process and make sure you consider all the other factors set out in the guidance.

Find out more about what to do if the request involves information about other individuals.

Subject access request self serve

The following information might help answer your question