UK GDPR 2026

ICO DSAR Redaction Guidance Explained

The UK Information Commissioner's Office publishes the most practical guidance available on redacting third-party data in DSAR responses. Whether you operate under UK GDPR or EU GDPR, the ICO's framework provides a clear, defensible methodology for the redaction decisions that make DSARs so challenging.

This page walks through the ICO's guidance in detail, analyses the key case law that shapes its application, and provides worked examples for common scenarios. For the broader DSAR redaction process, see our definitive DSAR redaction guide.

The statutory foundation

The right to third-party redaction comes from two sources. Article 15(4) of the UK GDPR states that the right to obtain a copy of personal data "shall not adversely affect the rights and freedoms of others." Section 45 of the Data Protection Act 2018 then provides that a controller is not obliged to disclose personal data to the extent that doing so would involve disclosing information relating to another identifiable individual — unless that individual has consented or it is reasonable to comply without consent.

The ICO's guidance translates these legal provisions into a practical three-step test that controllers should apply to every piece of third-party data in a DSAR response.

The three-part balancing test

Question 1: Can you comply without disclosing?

This is the starting point. Before considering anything else, ask whether the third-party information can be separated from the requester's data without making the response unintelligible. In many cases, redacting names, email addresses, and contact details allows you to disclose the substance of a document while protecting the third party.

Example: an email thread discussing the employee's performance review. You can redact the HR business partner's name and email address while preserving the content of the discussion that relates to the requester. The employee gets their personal data; the third party's identity is protected.

However, the ICO acknowledges that simple name redaction doesn't always work. If the requester had a single line manager, redacting the manager's name from a performance review is futile — the requester will obviously know who wrote it. In these situations, you move to Question 2.

Question 2: Has the third party consented?

If redaction alone doesn't solve the problem, consider whether you can obtain the third party's consent to disclosure. This is straightforward in some situations — a colleague might readily agree to their name appearing in a routine meeting note — and completely inappropriate in others.

The ICO emphasises that you are not obliged to seek consent. There are many legitimate reasons not to: it may be impractical (the third party is a former employee with no current contact details), it may be inappropriate (seeking consent would reveal that a DSAR has been submitted, which may be sensitive in a disciplinary context), or it may simply not be feasible within the response timeline.

Question 3: Is it reasonable to disclose without consent?

This is where the balancing exercise happens. The ICO identifies several factors to weigh:

The type of information involved. Routine business communications carry less sensitivity than health data, financial details, or confidential opinions about the requester.

Any duty of confidentiality owed to the third party. Information provided during a grievance investigation with an explicit promise of confidentiality carries more weight than a casual email between colleagues.

Whether the third party would expect disclosure. A manager conducting a formal appraisal might reasonably expect the employee to see the review. A colleague who provided anonymous feedback would not.

Whether the individual can be identified from the information. If the third party remains anonymous even after disclosure (e.g., "feedback from a peer" with no identifying details), disclosure may not engage the exemption at all.

Any steps taken to seek consent. If you attempted to obtain consent and failed, that weighs in favour of withholding. If seeking consent was impractical, document why.

Harrison v Cameron [2024]: The leading case

The High Court case of Harrison v Cameron and Anor [2024] EWHC 1377 (KB) is the most significant recent case on third-party data in DSAR responses. The facts are instructive for any organisation handling employee or business-relationship DSARs.

A property developer (Harrison) and a landscaping company director (Cameron) had a business relationship that deteriorated. Cameron recorded heated phone conversations and shared them with employees, family members, and business contacts. Harrison submitted a DSAR seeking the identity of everyone who received the recordings — information that was clearly personal data about the recipients.

The court confirmed three key principles. First, the controller (Cameron's company) was the "primary decision maker" when applying the third-party exemption and had a "wide margin of discretion." Courts will not second-guess reasonable decisions. Second, the absence of third-party consent was not determinative — the reasonableness test under Question 3 was the deciding factor. Third, the court found it was reasonable to withhold the recipients' identities because there was evidence that disclosure could expose them to threatening behaviour.

The practical takeaway: document your reasoning thoroughly. If you exercise the discretion reasonably, with reference to the ICO's factors, your decision is likely to withstand challenge.

Worked examples

Scenario 1: Performance review with named colleagues

A performance review for Employee A mentions three colleagues by name: "A worked closely with Sarah on the Q3 project, and feedback from James and Priya was positive." Employee A submits a DSAR.

Analysis: The feedback about Employee A is their personal data and must be disclosed. The colleagues' names are third-party data. Apply Question 1: can you redact the names without making the document unintelligible? Yes — replace with "[Colleague 1]", "[Colleague 2]", "[Colleague 3]." The substance of the review remains intact.

Scenario 2: Grievance investigation witness statement

Employee B filed a grievance. Employee C provided a witness statement with an expectation of confidentiality. Employee B submits a DSAR.

Analysis: Employee B is entitled to know what was said about them (their personal data), but the witness's identity was provided in confidence. Question 1: can you redact the witness's identity? Possibly — anonymise the statement. Question 3: would disclosure of the witness's identity be reasonable? Given the explicit confidentiality, likely not. Disclose the substance of the statement with the witness anonymised, and document that the confidential reference/information exemption was applied.

Scenario 3: Email thread about redundancy planning

An internal email between three managers discusses which roles to make redundant. Employee D, who was later made redundant, submits a DSAR.

Analysis: The discussion about Employee D's role is their personal data. However, the management forecasting exemption (DPA 2018, Schedule 2, Part 3, Para 22) may apply to strategic planning elements. Redact other employees' names and roles. If the redundancy process is concluded, the time-limited management forecasting exemption may no longer apply — disclose the portions relating to Employee D's selection, with third-party identifiers redacted.

Consistent, documented redaction is the foundation of defensible DSAR responses. SafeRedact's AI detects every piece of PII across your DSAR documents, and the review interface lets you make per-item keep/redact decisions that map directly to the ICO's balancing test.

Practical tips for applying the ICO guidance

Default to redaction. When the balancing test is unclear, redact. A regulator is far more likely to criticise accidental disclosure of third-party data than over-redaction. You can always re-disclose if challenged; you cannot un-disclose.

Use consistent anonymisation. If you redact a name, use the same placeholder consistently across all documents ("[Person 1]" everywhere, not "the manager" in some places and "[REDACTED]" in others). Inconsistency makes your response harder to read and suggests a disorganised process.

Explain your redactions. The covering letter should state that third-party personal data has been redacted in accordance with Article 15(4) and Section 45 of the DPA 2018, and that specific exemptions have been applied where indicated. You don't need to justify each individual redaction in the letter, but your internal records should contain the detail.
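The two tips above (one placeholder per person across every document, and an internal record with the detail behind each decision) are mechanical enough to script. The following Python is an added illustration, not code from the page, the ICO or SafeRedact. The ThirdParty records, the two sample documents and the keep/redact decisions are all constructed; the decision for each person is the reviewer's, reached under the balancing test, and the script only enforces consistency and keeps the log once that call has been made.

```python
import re
from dataclasses import dataclass, field


@dataclass
class ThirdParty:
    key: str           # internal handle used in the redaction log (hypothetical field names)
    identifiers: list  # names, email addresses, other direct identifiers for this person
    decision: str      # "redact" or "keep": the reviewer's outcome of the balancing test
    reason: str        # short note for the internal record


@dataclass
class RedactionRun:
    documents: dict = field(default_factory=dict)     # doc id -> redacted text
    placeholders: dict = field(default_factory=dict)  # third-party key -> placeholder
    log: list = field(default_factory=list)           # one dict per decision or replacement


def assign_placeholders(third_parties):
    """One placeholder per redacted third party, numbered in list order,
    so the same person gets the same label in every document."""
    mapping = {}
    for tp in third_parties:
        if tp.decision == "redact":
            mapping[tp.key] = f"[Person {len(mapping) + 1}]"
    return mapping


def _pattern(identifier):
    # Whole-token match using lookarounds rather than \b, so identifiers that
    # contain '.' or '@' (email addresses) still anchor at both ends.
    return re.compile(r"(?<!\w)" + re.escape(identifier) + r"(?!\w)", re.IGNORECASE)


def redact_documents(docs, third_parties):
    run = RedactionRun(placeholders=assign_placeholders(third_parties))
    # Record the "keep" decisions too: the internal record should show why a
    # name was left in, not only where one was taken out.
    for tp in third_parties:
        if tp.decision != "redact":
            run.log.append({"party": tp.key, "action": "kept", "reason": tp.reason})
    for doc_id, text in docs.items():
        for tp in third_parties:
            if tp.decision != "redact":
                continue
            # Longest identifier first, otherwise "Sarah" would be replaced inside
            # "Sarah Jones" and leave a stray surname behind.
            for ident in sorted(tp.identifiers, key=len, reverse=True):
                text, hits = _pattern(ident).subn(run.placeholders[tp.key], text)
                if hits:
                    run.log.append({"doc": doc_id, "party": tp.key, "identifier": ident,
                                    "hits": hits, "action": "redacted", "reason": tp.reason})
        run.documents[doc_id] = text
    return run


# Constructed sample input (not from the page): two documents from one DSAR bundle.
SAMPLE_DOCS = {
    "appraisal.txt": "A worked closely with Sarah Jones on the Q3 project. "
                     "Feedback from James and Priya was positive.",
    "email.txt": "From: sarah.jones@example.com\n"
                 "Sarah summarised James's comments before the appraisal meeting.",
}

# Hypothetical reviewer decisions, one per third party, noted against the ICO questions.
SAMPLE_PARTIES = [
    ThirdParty("hrbp", ["Sarah Jones", "sarah.jones@example.com", "Sarah"], "redact",
               "Identity not needed for intelligibility (Q1); consent not sought, impractical"),
    ThirdParty("peer_james", ["James"], "redact",
               "Routine feedback but no consent; identity withheld"),
    ThirdParty("peer_priya", ["Priya"], "keep",
               "Written consent to disclosure obtained (Q2)"),
]

if __name__ == "__main__":
    run = redact_documents(SAMPLE_DOCS, SAMPLE_PARTIES)
    for doc_id, text in run.documents.items():
        print(f"--- {doc_id} ---\n{text}")
    for entry in run.log:
        print(entry)
```

Running it leaves "[Person 1]" for the HR business partner in both the appraisal and the email (name, full name and address alike) and "[Person 2]" for James, while Priya's name stays in with the consent reason logged. What the script cannot do is answer Question 1 for you: where the requester will obviously know who the redacted person is, a consistent placeholder is still futile, and that judgement stays with the reviewer.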

Seek legal advice for complex cases. Employment-related DSARs with litigation potential, DSARs involving whistleblowing or safeguarding, and requests where the balancing test yields genuinely ambiguous results should be reviewed by someone with data protection law expertise.

Frequently asked questions

What is the ICO's balancing test for DSAR redaction?

A three-step sequential test: (1) can you comply without disclosing the third party's data? (2) has the third party consented? (3) is it reasonable to disclose without consent? Controllers should work through these questions for each piece of third-party data.

Is the ICO guidance legally binding?

No, but it carries significant persuasive weight. Courts and tribunals regularly reference ICO guidance, and departing from it without good reason weakens your position in any regulatory challenge.

What did Harrison v Cameron decide?

The High Court confirmed that the controller is the "primary decision maker" with a "wide margin of discretion" when applying the third-party exemption. The court upheld the decision to withhold identities where disclosure would create a risk of harm to the third parties.