Managing Subject Access Requests in Health and Care
- 21 hours ago
Applying the 'third party confidentiality' exemption

This article relates only to subject access requests (SARs) made under UK GDPR and the Data Protection Act 2018. It does not cover disclosures made under court orders, police investigations, safeguarding processes, litigation, insurance requests, statutory powers, or any other legal basis for sharing information. A SAR is a request by an individual, or someone legally authorised to act on their behalf, for access to the personal data an organisation already holds about them.
The Third Party Confidentiality Exemption
One of the most common misconceptions about subject access requests (SARs) is that all third-party information must be redacted. That isn't what the law says.
The ICO expects organisations to strike a balance between the requester's right of access and the rights and freedoms of other individuals. In many cases, some third-party information can be disclosed without difficulty. In others, it may need to be redacted or withheld.
Start by asking: Is it actually the requester's personal data?
Before considering whether third-party information should be redacted, ask a more fundamental question:
Is this information actually about the requester?
A document doesn't become someone's personal data simply because it mentions them.
Example
A parent submits a SAR on behalf of their child. The records include a police report describing a domestic disturbance between the child's parents. The report lists the child as one of the occupants of the property but contains no information about the child's actions, welfare, health or involvement beyond being present.
Although the report mentions the child, it isn't about the child. Its focus is the events involving the parents. In these circumstances, I would withhold the whole report because it falls outside the scope of the child's SAR, rather than attempting to redact large sections of it.
When can third-party information be disclosed?
If the information forms part of the requester's personal data, the next question is whether any third-party information can still be disclosed.
The ICO says disclosure may be appropriate where:
the third party has consented;
it is reasonable to disclose without consent; or
the information is already known to the requester.
The third party has consented
For example, a witness who provided a factual statement during a workplace investigation agrees that their statement can be disclosed to the requester.
It is reasonable to disclose without consent
This commonly applies to people acting in their professional role, such as healthcare professionals, teachers or colleagues. Their names and professional actions will not usually need to be redacted simply because they are third parties.
The information is already known to the requester
We rely on this principle frequently when advising customers.
Examples include:
joint safeguarding or multidisciplinary meetings attended by everyone involved;
emails or letters that the requester was copied into;
consultations attended by both the patient and their partner;
discussions involving both parents that were recorded by a professional.
The requester already knows what was said, so it may be reasonable to disclose the information without seeking consent.
Professionals usually have a lower expectation of privacy
The names of professionals acting in their professional capacity will not normally need to be redacted. The ICO generally considers that professionals carrying out their official duties have a lower expectation of privacy than private individuals.
For example:
Dr Patel reviewed the patient and prescribed antibiotics.
District Nurse Sarah Jones changed the patient's dressing.
A social worker attended a safeguarding meeting.
These entries are usually disclosed in full.
Children's records
Children's records often contain information about parents, siblings and other family members. That does not automatically mean those references must be removed.
The starting point is that the requester is exercising the child's right of access. The aim is therefore to disclose as much of the child's personal data as possible while protecting genuinely confidential information about others.
| Example | Likely approach | Why |
| --- | --- | --- |
| "Mother brought the child to the appointment and reported a temperature of 39°C." | Usually disclose | The information is primarily about the child's healthcare. |
| "Child lives primarily with mother." | Usually disclose | Relevant context about the child's circumstances rather than personal data about the mother. |
| "Mother has recently been diagnosed with multiple sclerosis." | Usually redact | Confidential health information about the mother. |
| "Father is under police investigation." | Usually redact | Personal information about the father that is separate from the child's care. |
Adult records
The same principles apply to adult records.
| Example | Likely approach | Why |
| --- | --- | --- |
| "Patient attended with their spouse, who confirmed the patient had collapsed." | Usually disclose | The information primarily relates to the patient's health. |
| "District Nurse Sarah Jones changed the dressing." | Usually disclose | Professional acting in an official capacity. |
| "Neighbour reported concerns about the patient's welfare." | Usually disclose the concern but consider redacting the neighbour's identity | The information explains clinical action while protecting the neighbour where appropriate. |
| "Patient said their manager has been bullying them." | Usually disclose | The record is about the patient's experience rather than the manager. |
Automatic redaction software
Many organisations use software to identify potential third-party information. These systems can save considerable time, particularly when reviewing large records.
However, they should be viewed as decision-support tools, not decision-makers.
Most systems identify names, dates of birth, addresses, NHS numbers and other identifiers. They cannot apply the legal balancing exercise required by UK GDPR.
As a result, some systems redact every reference to another individual, even where there is no legal reason to do so.
This can lead to unnecessary redaction of:
healthcare professionals acting in their professional capacity;
teachers or social workers carrying out their official duties;
parents providing information during consultations;
information that provides important context to the requester's own personal data.
Over-redaction can leave the requester with less information than the law entitles them to, reduces transparency and increases complaints.
Our customers can find a Redaction Decision Tree to support their work on the myKafico platform.
In our experience, working through these questions produces far more proportionate SAR responses than relying on blanket redaction rules or automated software alone.