The Information Commissioner’s Office (“ICO”) has issued new guidance which is designed to help all organisations that hold complaint files to deal with requests for access to personal information held in them. The guidance deals with the issues that arise when an individual makes a subject access request under the Data Protection Act (“DPA”) for access to their own personal data. It also deals with the issues that arise when a third party makes a Freedom of Information Act (“FOIA”) request to a public authority for access to data held in a complaint file.
The guidance is designed to help organisations: to decide whether information in a complaint file is personal data, and if so whose personal data it is; to decide who gets access to which data if a complaint file contains more than one person’s personal data; and to decide how personal data held in a complaint file should be dealt with if a freedom of information request is made to a public authority.
The guidance also details three approaches which appear to make it easier for organisations to comply with such requests:
- Use the organisation’s information management systems.
A high-level approach may be possible, whereby each document is not separately considered, especially if organisations have good information management procedures in place. Reliable indexes, contents pages, descriptions of documents and metadata can make it easier for those dealing with requests to locate personal data, decide whose personal data it is, and make a decision about its disclosure.
- Provide a mixture of information, not just the minimum amount required by law.
Organisations may not have to look at every document within a file to decide whether or not it contains personal data. Instead, if none of the information is particularly sensitive or contentious, it may be easier to give an applicant a mixture of all the personal data and other information relevant to the request.
There are advantages to providing a mixture of information. The guidance says that individuals will have no right to appeal to the ICO or the Information Tribunal in relation to information provided on a discretionary basis. The guidance also states that organisations should make it clear that such information is being provided on a discretionary basis, and that they are under no legal obligation to provide the information. Information provided on a discretionary basis does not become the applicant’s personal data.
- Use cut-off points within files.
The guidance states that it is important to be able to detect cut-off points, at which information within a complaint file ceases to be personal data and becomes non-personal information. Although related, such information may not need to be disclosed at all.
The guidance goes on to give practical illustrations to the ICO’s technical guidance note ‘Determining what is personal data’. The guidance focuses on whether information is personal data, and if so, whether its disclosure to a third party would be reasonable in all the circumstances or would breach the data protection principles. It does not, however, address the exemptions that might be relevant when someone makes a request for access to the information contained in a complaint file.
The fact that not everything in a complaint file is the complainant’s personal data is highlighted: the context in which information is held, and the way it is used, can have a bearing on whether it relates to an individual and therefore whether it is the individual’s personal data. Some information in a complaint file will never be personal data, regardless of the context it is held in and the way it is used – even if it is used in a way that affects an individual.
Whether somebody’s opinions are personal data is a question which the ICO recognises as raising difficult issues. Answering this question calls for careful judgement based on the nature of the information, the context in which it is held and the purpose for which it is used. There is not always an obvious answer.
The guidance confirms that information can have more than one person as its subject. It also clarifies the mechanisms for dealing with situations where one individual makes a request but the personal data of another falls within its scope. The guidance states that, in reality, the effect of applying either the DPA or FOIA disclosure tests to third party personal data is likely to be the same but it is best to make sure that the correct statutory language is cited when dealing with a case.
What should you do?
The approaches detailed in the guidance are not without risk, as they rely on an organisation’s information management procedures being up to date and accurate, and on subjective decisions being made. Simply using these approaches could result in an organisation inadvertently providing more information than it intended to provide (including both third party personal data and commercial information), or it could find that it has not disclosed all the information it is required to disclose.
The ICO has indicated that although such approaches may lessen the impact on businesses, these approaches may only be relevant and appropriate for initial responses and/or basic requests, and may not be appropriate for more detailed requests.