I have spoken with the ICO today, who have given me the following advice…
“The DPA 2018 says that you do not have to comply with the request if it would mean disclosing information about another individual who can be identified from that information, except if (i) the other individual has consented to the disclosure; or (ii) it is reasonable to comply with the request without that individual’s consent.”
In determining whether it is reasonable to disclose the information, you must take into account all of the relevant circumstances, including:
- the type of information that you would disclose;
- any duty of confidentiality you owe to the other individual;
- any steps you have taken to seek consent from the other individual;
- whether the other individual is capable of giving consent; and
- any express refusal of consent by the other individual.
So, although you may sometimes be able to disclose information relating to a third party, you need to decide whether it is appropriate to do so in each case. This decision will involve balancing the data subject’s right of access against the other individual’s rights. If the other person consents to you disclosing the information about them, then it would be unreasonable not to do so. However, if there is no such consent, you must decide whether to disclose the information anyway.”
So, my advice would be that, if you consider it inappropriate to release this personal information about a member of staff, you would be entitled to refuse the request.
If the patient wishes to have reassurance that their data has not been accessed by anyone without appropriate permission – or that the Trust has appropriate policies in place to manage access to their information, you can provide this without having to give them individual staff members’ names.
Regards
The Data Protection Officer
