The Information Commissioner's Office recently published guidance about access to information held in complaint files. The guidance is relevant to both subject access requests under the Data Protection Act and requests for information under the Freedom of Information Act.
It is notoriously difficult for organisations to comply properly with personal data requests as decisions about what data are personal data and what information can be shared are not always straightforward. The guidance details various methods by which organisations may lessen the burden of such requests, and on first glance appears to indicate that organisations that use these methods do not have to provide all the information stored in complaint files in order to comply with a personal data request. Whilst, however, such methods may be appropriate for basic requests, a data controller must still comply with all legal requirements.
To view the article in full, please see below:
Full Article
The Information Commissioner's Office ("ICO") has issued new guidance which is designed to help all organisations that hold complaint files to deal with requests for access to personal information held in them. The guidance deals with the issues that arise when an individual makes a subject access request under the Data Protection Act ("DPA") for access to their own personal data. It also deals with the issues that arise when a third party makes a Freedom of Information Act ("FOIA") request to a public authority for access to data held in a complaint file.
The guidance is designed to help organisations: to decide whether information in a complaint file is personal data, and if so whose personal data it is; to decide who gets access to which data if a complaint file contains more than one person's personal data; and to decide how personal data held in a complaint file should be dealt with if a freedom of information request is made to a public authority.
The guidance also details three approaches which appear to make it easier for organisations to comply with such requests:
(1) Use the organisation's information management systems.
A high level approach may be possible, whereby each document is not separately considered, especially if organisations have good information management procedures in place. Reliable indexes, contents pages, descriptions of documents and metadata can make it easier for those dealing with requests to locate personal data, decide whose personal data it is, and to make a decision about its disclosure.
(2) Provide a mixture of information, not just the minimum amount required by law.
Organisations may not have to look at every document within a file to decide whether or not it contains personal data. Instead, if none of the information is particularly sensitive or contentious, it may be easier to give an applicant a mixture of all the personal data and other information relevant to the request.
There are advantages to providing a mixture of information. The guidance says that individuals will have no right to appeal to the ICO or the Information Tribunal in relation to information provided on a discretionary basis. The guidance also states that organisations should make it clear that such information is being provided on a discretionary basis, and that it is under no legal obligation to provide the information. Information provided on a discretionary basis does not become the applicant's personal data.
(3) Use cut-off points within files.
The guidance states that it is important to be able to detect cut-off points, at which information within a complaint file ceases to be personal data and becomes non-personal information. Although related, such information may not need to be disclosed at all.
Practical illustrations
The guidance goes on to give practical illustrations to the ICO's technical guidance note 'Determining what is personal data'. The guidance focuses on whether information is personal data, and if so, whether its disclosure to a third party would be reasonable in all the circumstances or would breach the data protection principles. It does not, however, address the exemptions that might be relevant when someone makes a request for access to the information contained in a complaint file.
The fact that not everything in a complaint file is the complainant's personal data is highlighted: the context in which information is held, and the way it is used, can have a bearing on whether it relates to an individual and therefore whether it is the individual's personal data. Some information in a complaint file will never be personal data, regardless of the context it is held in and the way it is used – even if it is used in a way that affects an individual.
Whether somebody's opinions are personal data is a question which the ICO recognises as raising difficult issues. Answering this question calls for careful judgement based on the nature of the information, the context in which it is held and the purpose for which it is used. There is not always an obvious answer.
The guidance confirms that information can have more than one person as its subject. It also clarifies the mechanisms for dealing with situations where one individual makes a request but the personal data of another falls within its scope. The guidance states that, in reality, the effect of applying either the DPA or FOIA disclosure tests to third party personal data is likely to be the same but it is best to make sure that the correct statutory language is cited when dealing with a case.
What should you do?
The approaches detailed in the guidance are not without risk as they rely on an organisation's information management procedures being up-to-date and accurate, and on subjective decisions being made. Simply using these approaches could result in an organisation inadvertently providing more information than they intended to provide (including both third party personal data and commercial information), or it could find that it has not disclosed all the information it is required to disclose.
The ICO has indicated that although such approaches may lessen the impact on businesses, these approaches may only be relevant and appropriate for initial responses and/or basic requests, and may not be appropriate for more detailed requests.
To view an electronic version of the ICO guidance, please click here.
To view an electronic version of the ICO technical guidance note 'Determining what is personal data', please click here.
This article was written for Law-Now, CMS Cameron McKenna's free online information service. To register for Law-Now, please go to www.law-now.com/law-now/mondaq
Law-Now information is for general purposes and guidance only. The information and opinions expressed in all Law-Now articles are not necessarily comprehensive and do not purport to give professional or legal advice. All Law-Now information relates to circumstances prevailing at the date of its original publication and may not have been updated to reflect subsequent developments.
The original publication date for this article was 19/10/2011.
