The Information Commissioner offers the following advice
“Responding to a subject access request may involve providing information that relates both to the individual making the request and to another individual.
The DPA 2018 says that you do not have to comply with the request if it would mean disclosing information about another individual who can be identified from that information, except if:
- the other individual has consented to the disclosure; or
- it is reasonable to comply with the request without that individual’s consent.
In determining whether it is reasonable to disclose the information, you must take into account all of the relevant circumstances, including:
- the type of information that you would disclose;
- any duty of confidentiality you owe to the other individual;
- any steps you have taken to seek consent from the other individual;
- whether the other individual is capable of giving consent; and
- any express refusal of consent by the other individual.
So, although you may sometimes be able to disclose information relating to a third party, you need to decide whether it is appropriate to do so in each case. This decision will involve balancing the data subject’s right of access against the other individual’s rights. If the other person consents to you disclosing the information about them, then it would be unreasonable not to do so. However, if there is no such consent, you must decide whether to disclose the information anyway.”