We provide fun, challenge and adventure to
over 400,000 girls and boys across the UK
a a a  A A
Disclosures Compass POL Print Centre

Data protection and subject access requests (part two)

Continued from data protection and subject access requests (part one)

(c) Redacting information (please also see 'Some Basic Rules to Apply when Redacting' below)

Under the rules, an individual is entitled only to their own personal data and not to information relating to other people. Therefore, when disclosing personal data to subjects it is important not to inadvertently disclose personal data about third parties in the process ie you have be careful not to breach the data protection rights of those third parties, unless those third parties have expressly consented to their information being disclosed.

Please also remember to redact your own personal data. Please note, the subject could share the data as they choose or it may get misplaced once in their possession.

Thus, the papers/documents you send to the subjects will need to be checked very carefully for this and any personal data relating to third parties 'redacted' ie deleted/Crossed out - to the extent that it is not visible to the requester. We find that this is best done by using a white redaction tape (akin to Tippex - but not the liquid version which sometimes does not block the information properly).

You can also use a black marker but again ensuring that the information does not 'show through'. In any event, following the redaction you should photocopy the resultant documents and send the photocopies to the subject (and not the original redacted papers) as the photocopying process will ensure the redacted information remains obscured. Remember, to keep a copy of the original documents too.

It is important to note that you should not hold withhold whole documents just because they contain the details of third parties. In that instance, you will likely need to redact just the details of those third parties so as to ensure that they cannot be identified. However, where even after redaction, the identity of third parties is still ascertainable then you may be able to withhold the whole document but you will need to assess this very carefully. If in any doubt, you should check matters with the ICO.

Please also contact us if you need further assistance.

(d) What data can be withheld and how?

There are exemptions to disclosure but, in the main, these are very specific and tend to apply to particular cases eg confidentiality of police investigation or HR records. It is quite rare for exemptions to apply more generally and decisions must be made on a carefully considered discretionary basis, which can be justified. Also, when they do apply this does not necessarily mean that a whole document is exempt eg the exemption could apply to a part or parts of a document too. Please see the ICO website for further explanation and to see whether any of these may apply.

Some basic rules to apply when redacting

1. The information disclosed should relate to the data subject making the request - do not include irrelevant information.

2. Particular care should be taken when redacting to ensure that the personal data of other individuals is not released - that is any data which would allow you to identify the people from the data combined with other information held.

3. The following general rules should be applied – although there may be specific incidents when they would not:

a. redact all names other than that of the person making the request

b. redact job titles

c. redact e-mail addresses

d. redact addresses

e. redact phone numbers

f. redact references to an individual's gender if that would lead to them being identified

g. redact personal descriptions which may lead to a person being identified, so a description of someone as a brown haired man is unlikely to identify someone but a red haired man with a beard may

h. redact any other narrative data that would lead to an individual being identified

i. think about the combination of information sets that taken together would lead to an individual being identified

4. When taking out personal details from email headers, leave in the date and title line unless the title line conflicts with the above.

 

CEOP
© Copyright The Scout Association 2017. All Rights Reserved.
Charity Numbers 306101 (England and Wales) and SC038437 (Scotland).
Registered address: The Scout Association, Gilwell Park, Chingford, London, England E4 7QW