Data Protection Act 2018
The general rule is that the relevant GDPR provisions "do not oblige a controller to disclose information to the data subject to the extent that doing so would involve disclosing information relating to another individual who can be identified from the information" (sch 2 para 16(1)).
That general rule does not apply where "(a) the other individual has consented to the disclosure of the information to the data subject, or (b) it is reasonable to disclose the information to the data subject without the consent of the other individual" (sch 2 para 16(2)).
In relation to the "reasonable to disclose" exception:
- In general, "the controller must have regard to all the relevant circumstances, including (a) the type of information that would be disclosed, (b) any duty of confidentiality owed to the other individual, (c) any steps taken by the controller with a view to seeking the consent of the other individual, (d) whether the other individual is capable of giving consent, and (e) any express refusal of consent by the other individual" (sch 2 para 16(3)).
- In relation to health records, "it is to be considered reasonable for a controller to disclose information to a data subject without the consent of the other individual where ... the health data test is met" (sch 2 para 17(1)). This health data test is met if "(a) the information in question is contained in a health record, and (b) the other individual is a health professional who has compiled or contributed to the health record or who, in his or her capacity as a health professional, has been involved in the diagnosis, care or treatment of the data subject" (sch 2 para 17(2)).
Further details, including definitions of terms, can be found in Schedule 2 of the Act.