If a third-party to a case makes a Subject Access Request under the Data Protection Act, what should I do?

If the personal data in respect of a third party is being held by you as a data controller, but it comes under Legal Professional Privilege (LPP), it is exempt from being disclosed through a subject access request. Your client is able to waive their right to the professional privilege.

Paragraph 10 of Schedule 7 of the Data Protection Act (DPA) says; “Personal data are exempt from the subject information provisions if the data consist of information in respect of which a claim to legal professional privilege…could be maintained in legal proceedings.”

If the information does not fall under LPP, and falls within the DPA and is the type of information requested by the third party, which you would usually be expected to disclose, you should do so. You would not have to do so if it falls under one of the other exemptions in the Act. If in doubt you should seek assistance from the Information Commissioner’s Officer on 0303 123 1113, or seek independent legal advice.

If your question is not answered, contact us via our dedicated customer service enquiry form.