The Court of Appeal last week tightened up the definition of "personal data" for the purpose of requests under the Data Protection Act, prompting a review by the Information Commissioner of guidance to businesses.
The case, Michael John Durant v. Financial Services Authority concerned 'data subject access requests' (DSARs). Under Section 7 of the Data Protection Act 1998, an individual is entitled to obtain a copy of the information pertaining to all their personal data held by a data controller.
"The case has gone some way to trying to help business understand what personal data is revealable under a DSAR as opposed to mere information which doesn't have to be revealed," explained Robert Bond, a partner at Faegre Benson Hobson Audley. "Nonetheless, a business has to help itself and businesses must have internal procedures or guidelines to tell them what to do as and when an individual sends his request." As the solicitor pointed out, a disgruntled data subject can employ a DSAR for any number of reasons, and the recipient organisation has 40 days in which to comply with the request.
The Information Commissioner, Richard Thomas, said it was clear that the judgment had "implications for us in terms of the scope of data protection legislation". "To the extent that the judgment provides clarity on this issue, and reiterates the fundamental link between data protection and privacy rights, the Commissioner welcomes it," he added. His own review of the legislation in light of the ruling will take place in the New Year.
The Court of Appeal looked at whether data, held either in hard copy files or soft copy computer files within the meaning of "personal data" in Section 1(1) of the 1998 act, automatically entitled the named data subject to disclosure under a DSAR. According to Reem Shather, a trainee solicitor at Faegre Benson, the court held that "mere mention of a data subject in a document" did not render the data "personal data". "To determine the nature of the data, the court employed the measures of 'relevance and proximity'," she added.
The second issue for the court was to examine the meaning of "relevant filing system", and in particular whether the form in which the data was held affected the rights of the data subject. The court held that the legislation applied the "same standard of accessibility to personal data in manual filing systems as to computerised records". Shather added: "The legislation sought to protect 'data' as opposed to 'documents'."
The court also considered what the meaning of "reasonable in all circumstances" was (within Section 7(4) of the legislation) when considering disclosure of personal data containing information about a third party. In the absence of their consent, the court held that the "legitimate interests of third parties was highly relevant" to the disclosure of such personal data. However, the reasonableness of the decision is not influenced by the lack of such consent.
Shather said the case highlighted that the person who has made the request was "not guaranteed full and total disclosure of all documents by mere mention of the data subject's name. Personal data, accessible by virtue of DSAR, will only be disclosed on the basis that it reflects either the personal or professional aspects of the data subject's privacy and must not be employed as a weapon by a frustrated individual."