When responding to a SAR you must consider whether the information you hold includes the personal details of, or infers the involvement or actions of any other parties, the GDPR says that when responding to a SAR;
“The right to obtain a copy… …shall not adversely affect the rights and freedoms of others”.
and
“The right of access is not absolute – organisations can refuse or limit their response to SARs in some circumstances where exemptions may apply.”
These are two extremely important points that should not be overlooked.
A SAR is a request for a copy that individual’s personal data and their personal data alone, a response should not include anything that can identify another person, or imply any actions taken by another person (this second point is extremely important in relation to safeguarding and or legal action).
Some examples of what you would not include in a SAR response:
1. Any other person’s name, email address, telephone number, home or work address and so forth – i.e. anything that could identify another person. There are some occasions however, where sharing some data relating to another person is necessary, in which case you should seek that person’s express permission.
2. Another person’s image, voice recordings or biometric information. CCTV is a good example of this – any other persons appearing in a video, or stills, would have to be obscured (censored) before it can be shared, or released to the public, so that other persons are not identifiable.
3. Actions taken or information given that would identify others. For example, in a safeguarding situation if the other person is known to the individual (Data Subject) then you should not including descriptions of actions that the other person made. It is possible that the Data Subject may not have been previously aware of those actions, i.e. “…she then filed a complaint with the police”.
4. There are also reasons relating to national security, public safety, prevention or detection or investigation of crime and also if the Data Subject is a minor or legally incapacitated.
We have seperate post on this site which explains the specific, legal reasons that the GDPR allows a company to refuse a SAR request, or part thereof.