I'd appreciate any thoughts from all you experienced folk out there on this

Scenario is this.  Data subject (staff) makes subject access request.
Emails to and from the data subject deal with 3rd party disciplinary and
grievance issues sent to data subject in the course of work.  Some of the
stuff is sensitive data.  Question is - should the 3rd party data be
redacted out in responding to the SAR even though the data subject has seen
it and may even still have access to email copies?

I've taken the view that it is not appropriate or reasonable to leave this
type of 3rd party data unredacted in supplying copies under SAR even though
the data subject will have seen the material and indeed may have retained it
within a work context.

Is this the right approach to take in this particular circumstance?

Grateful for any views on this.

Ray Cooke

     All archives of messages are stored permanently and are
      available to the world wide web community at large at
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)