The Information Commissioner has updated his Data Protection guidance in the wake of a House of Lords decision not to consider a landmark Court of Appeal ruling that effectively narrows the right of individuals to access "personal data".
That ruling, issued in December 2003, restricted both the definition of personal data and the circumstances under which structured manual files could be caught by the Data Protection Act 1998.
The Data Protection Act covers the use by ‘data controllers’ of ‘personal data’ held in manual files which are organised into a ‘relevant filing system’. Everything from employee files to customer lists may be covered by this law.
The Act also includes a right for individuals, subject to conditions, to receive a copy of "the information constituting the personal data of which that individual is the data subject".
The case in question concerned Michael Durant, who has been seeking access to certain information for many years. His dispute began when Barclays Bank claimed the repayment of a loan that Mr Durant maintains he never received. He believes he was the victim of a fraud but Barclays successfully sued him for the missing £120,000 in 1993.
Mr Durant has been seeking access to documents that would prove his claim ever since. However, the Financial Services Authority backed Barclays' refusal to give him access to an internal case file: it was confidential, they argued. And they maintain that Mr Durant has been given access to everything to which he is entitled within the limits of the Data Protection Act.
The Court of Appeal upheld that view, in a ruling that effectively narrowed the right of subject access available to individuals. Mr Durant sought leave to appeal, but his request was refused in December last year, allowing the Court of Appeal ruling to stand.
Mr Durant is expected to apply for a hearing before the European Court of Human Rights, where he will argue that he has suffered a breach of Article 8 of the European Convention on Human Rights, which provides that "everyone has the right to respect for his private and family life, his home and his correspondence."
In the meantime, the Information Commissioner, the Data Protection watchdog, has updated his guidance on how the case impacts on the Data Protection Act. The guidance focuses on two key issues considered by the Court:
What makes 'data' 'personal' within the meaning of personal data?
What is meant by a 'relevant filing system'?
If data is not 'personal', then it is not covered by the Act and therefore individuals have no automatic right to have access to it. The 1998 Act contains a definition of 'personal data', which forms a two-strand test:
A living individual must be able to be identified from the data in question. In the Durant case, the Court of Appeal did not focus on this element of the definition; and
the data must 'relate to' the individual identified. It is this issue with which the Court was most concerned, explaining ‘relate to’ as “information that affects [a person’s] privacy, whether in his personal or family life, business or professional capacity”.
According to the Commissioner, “where it is not clear whether information relates to an individual you should take into account whether or not the information in question is capable of having an adverse impact on the individual.”
This includes an assessment of whether the information is significantly biographical and whether the information has the individual as its focus or focuses instead upon another person or event in which he might have been involved.
The guidance explains, giving examples:
“Where an individual’s name appears in information the name will only be ‘personal data’ where its inclusion in the information affects the named individual’s privacy. Simply because an individual’s name appears on a document, the information contained in that document will not necessarily be personal data about the named individual.
It is more likely that an individual’s name will be ‘personal data’ where the name appears together with other information about the named individual such as address, telephone number or information regarding his hobbies”.
'Relevant filing system'
To fall under the Act personal data held manually must be organised into a 'relevant filing system'. The Court of Appeal considered that manual files would only be held in 'a relevant filing system' if "they are of sufficient sophistication to provide the same or similar ready accessibility as a computerised filing system".
The guidance discusses the definition in some detail, but in general, to come under the scope of the Act, the manual files must be organised so that recipients of the request either:
“know that there is a system in place which will allow the retrieval of file/s in the name of an individual (if such file/s exists); and know that the file/s will contain the category of personal data requested (if such data exists);” or
“know that there is a system in place which will allow the retrieval of file/s covering topics about individuals (e.g. personnel type topics such as leave, sick notes, contracts etc); and know that the file/s are indexed/structured to allow the retrieval of information about a specific individual (if such information exists)(e.g. the topic file is subdivided in alphabetical order of individuals’ names).”
To fall within the definition, says the guidance, the content of manual files must be either sub-divided so that the searcher can retrieve the information from the correct category without searching manually, or indexed to allow a searcher to directly find the relevant page.
According to the Commissioner, “personnel files and other manual files using individuals’ names or unique identifiers as the file names, which are sub-divided/indexed to allow retrieval of personal data without a manual search (such as, sickness, absence, contact details etc.), are likely to be held in a ‘relevant filing system’ for the purposes of the” Act.
But in his view the Durant judgment means that very few manual files will be covered by the Act, and information held by individuals on these files will largely fall outwith the data protection regime.