Protection of the rights of others: general
- Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third-country transfers), and Article 5 of the GDPR so far as its provisions correspond to the rights and obligations provided for in Article 15(1) to (3), do not oblige a controller to disclose information to the data subject to the extent that doing so would involve disclosing information relating to another individual who can be identified from the information.
- Sub-paragraph (1) does not remove the controller’s obligation where—
- the other individual has consented to the disclosure of the information to the data subject, or
- it is reasonable to disclose the information to the data subject without the consent of the other individual.
- In determining whether it is reasonable to disclose the information without consent, the controller must have regard to all the relevant circumstances, including—
- the type of information that would be disclosed,
- any duty of confidentiality owed to the other individual,
- any steps were taken by the controller with a view to seeking the consent of the other individual,
- whether the other individual is capable of giving consent, and
- any express refusal of consent by the other individual.
- For the purposes of this paragraph—
- “information relating to another individual” includes information identifying the other individual as the source of information;
- an individual can be identified from information to be provided to a data subject by a controller if the individual can be identified from—
- that information, or
- that information and any other information that the controller reasonably believes the data subject is likely to possess or obtain.
Assumption of reasonableness for health workers, social workers and education workers
- For the purposes of paragraph 16(2)(b), it is to be considered reasonable for a controller to disclose information to a data subject without the consent of the other individual where—
- the health data test is met,
- the social work data test is met, or
- the education data test is met.
- The health data test is met if—
- the information in question is contained in a health record, and
- the other individual is a health professional who has compiled or contributed to the health record or who, in his or her capacity as a health professional, has been involved in the diagnosis, care or treatment of the data subject.
- The social work data test is met if—
- the other individual is—
- a children’s court officer,
- a person who is or has been employed by a person or body referred to in paragraph 8 of Schedule 3 in connection with functions exercised in relation to the information, or
- a person who has provided for reward a service that is similar to a service provided in the exercise of any relevant social services functions, and
- the information relates to the other individual in an official capacity or the other individual supplied the information—
- in an official capacity, or
- in a case within paragraph (a)(iii), in connection with providing the service mentioned in paragraph (a)(iii).
- the other individual is—
- The education data test is met if—
- the other individual is an education-related worker, or
- the other individual is employed by an education authority (within the meaning of the Education (Scotland) Act 1980) in pursuance of its functions relating to education and—
- the information relates to the other individual in his or her capacity as such an employee, or
- the other individual supplied the information in his or her capacity as such an employee.
- In this paragraph—
“children’s court officer” means a person referred to in paragraph 8(1)(q), (r), (s), (t) or (u) of Schedule 3;
“education-related worker” means a person referred to in paragraph 14(4)(a) or (b) or 16(4)(a), (b) or (c) of Schedule 3 (educational records);
“relevant social services functions” means functions specified in paragraph 8(1)(a), (b), (c) or (d) of Schedule 3.