The DPC’s annual report is always a good read. It includes a variety of case studies, usually written in plain English, that allow us to learn from the mistakes of others.
One interesting case study in this year’s report (case study 9 on page 62 of the 2017 report) shows how an organisation got it right.
A father made a subject access request to his daughter’s local sports club.
A parent or legal guardian of a child is one of the few third parties allowed to submit a subject access request on behalf of someone else.
The sports club responded to the father’s request.
One item provided by the sports club was the membership form that had been completed for the child.
However, the sports club redacted some of the information on the form:
“namely the names of the persons who were submitted to the sports club as emergency contacts for the child, the signature of the person who consented to images of the child being used on digital media by the sports club and the address of the minor“
The sports club took the view that this information was the personal data of other individuals (not the child’s personal data) and these individuals did not consent to this information being released to the father.
A complaint was raised with the DPC and the DPC supported the sports club’s position.
“The complainant was advised that the address of their child could not be provided without also providing the personal data of a third party and therefore the complainant had no right of access to it.”
Data protection rights in the real world
The case study does not state why the father wanted this redacted information and I won’t even try to guess.
All I can say is well done to the sports club for considering the data protection rights of all the people whose personal data was included on the form.